Analysis
-
max time kernel
1985s -
max time network
2703s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
23-04-2022 14:19
General
-
Target
http://amigo-light.mail.ru/
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies system executable filetype association 2 TTPs 21 IoCs
-
Registers COM server for autorun 1 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys 2 TTPs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Blocklisted process makes network request 5 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 14 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Sets service image path in registry 2 TTPs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 20 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 25 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks for any installed AV software in registry 1 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Writes to the Master Boot Record (MBR) 1 TTPs 30 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 44 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 47 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 27 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 47 IoCs
-
Modifies Internet Explorer start page 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 27 IoCs
-
NTFS ADS 14 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://amigo-light.mail.ru/1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://amigo-light.mail.ru/2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.0.1014873165\1722729221" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1312 -prefsLen 1 -prefMapSize 219987 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 1612 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.3.1919806371\1701184956" -childID 1 -isForBrowser -prefsHandle 2224 -prefMapHandle 2220 -prefsLen 122 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 2196 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.13.1338797060\1391366994" -childID 2 -isForBrowser -prefsHandle 3332 -prefMapHandle 3328 -prefsLen 6904 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 3308 tab3⤵
-
C:\Users\Admin\Downloads\amigo_setup.exe"C:\Users\Admin\Downloads\amigo_setup.exe"1⤵
- Executes dropped EXE
- NTFS ADS
-
C:\Users\Admin\AppData\Local\Temp\amigo_ldir_5008_13786\amigo_setup.exeC:\Users\Admin\AppData\Local\Temp\amigo_ldir_5008_13786\amigo_setup.exe --wi=1 --make-default=1 --attr=obpnff --rfr=900005 --ext_params="old_mr1lad%3D62640b036929c540-0-0-" --cp2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.0.458000687\725150672" -parentBuildID 20200403170909 -prefsHandle 1472 -prefMapHandle 1464 -prefsLen 1 -prefMapSize 220401 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 1536 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.3.1342484521\8819339" -childID 1 -isForBrowser -prefsHandle 2360 -prefMapHandle 2160 -prefsLen 448 -prefMapSize 220401 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 2124 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.13.1517388628\539305239" -childID 2 -isForBrowser -prefsHandle 3376 -prefMapHandle 3372 -prefsLen 6604 -prefMapSize 220401 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 3388 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\" -spe -an -ai#7zMap3858:190:7zEvent160051⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450.exe"C:\Users\Admin\Downloads\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Downloads\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450.exe"C:\Users\Admin\Downloads\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\" -spe -an -ai#7zMap23380:320:7zEvent99541⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450.exe"C:\Users\Admin\Downloads\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Downloads\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450.exe"C:\Users\Admin\Downloads\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450\dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09\" -spe -an -ai#7zMap686:190:7zEvent156171⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09\576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09.exe"C:\Users\Admin\Downloads\576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09\576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09\576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09\" -spe -an -ai#7zMap54:320:7zEvent256021⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09\576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09\.rsrc\version.txt1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\" -spe -an -ai#7zMap31853:190:7zEvent178911⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a.exe"C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a.exe"1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a.exe"C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a.exe" /_ShowProgress /PrTxt:TG9hZGluZy4uLg==2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a.exe"C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a.exe"C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a.exe"1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a.exe"C:\Users\Admin\Downloads\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a\10b0165335963104a7e15d665718a2352b52001083d9e9e1bdce140608a0ed5a.exe" /_ShowProgress /PrTxt:TG9hZGluZy4uLg==2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\633379dbc341f8182833ef8b06c104129b9a8d23a1fc58765f1a8e63f34f545a\" -spe -an -ai#7zMap1757:190:7zEvent156791⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\633379dbc341f8182833ef8b06c104129b9a8d23a1fc58765f1a8e63f34f545a\633379dbc341f8182833ef8b06c104129b9a8d23a1fc58765f1a8e63f34f545a.exe"C:\Users\Admin\Downloads\633379dbc341f8182833ef8b06c104129b9a8d23a1fc58765f1a8e63f34f545a\633379dbc341f8182833ef8b06c104129b9a8d23a1fc58765f1a8e63f34f545a.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\633379dbc341f8182833ef8b06c104129b9a8d23a1fc58765f1a8e63f34f545a\633379dbc341f8182833ef8b06c104129b9a8d23a1fc58765f1a8e63f34f545a\" -spe -an -ai#7zMap18014:320:7zEvent91261⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\45e6d9c104370e07cff80f9a65ca36750ae99ca5a14c7ed19c7ffb534b0780ea\" -spe -an -ai#7zMap25534:190:7zEvent309111⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\45e6d9c104370e07cff80f9a65ca36750ae99ca5a14c7ed19c7ffb534b0780ea\45e6d9c104370e07cff80f9a65ca36750ae99ca5a14c7ed19c7ffb534b0780ea.exe"C:\Users\Admin\Downloads\45e6d9c104370e07cff80f9a65ca36750ae99ca5a14c7ed19c7ffb534b0780ea\45e6d9c104370e07cff80f9a65ca36750ae99ca5a14c7ed19c7ffb534b0780ea.exe"1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\7012f1343236610a93c4d1e72f8402f544c570e3b8fd3de1ec37de3e72fa3736\" -spe -an -ai#7zMap24003:190:7zEvent94821⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\7012f1343236610a93c4d1e72f8402f544c570e3b8fd3de1ec37de3e72fa3736\7012f1343236610a93c4d1e72f8402f544c570e3b8fd3de1ec37de3e72fa3736.exe"C:\Users\Admin\Downloads\7012f1343236610a93c4d1e72f8402f544c570e3b8fd3de1ec37de3e72fa3736\7012f1343236610a93c4d1e72f8402f544c570e3b8fd3de1ec37de3e72fa3736.exe"1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\45e6d9c104370e07cff80f9a65ca36750ae99ca5a14c7ed19c7ffb534b0780ea\45e6d9c104370e07cff80f9a65ca36750ae99ca5a14c7ed19c7ffb534b0780ea\" -spe -an -ai#7zMap5646:320:7zEvent21811⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\45e6d9c104370e07cff80f9a65ca36750ae99ca5a14c7ed19c7ffb534b0780ea\45e6d9c104370e07cff80f9a65ca36750ae99ca5a14c7ed19c7ffb534b0780ea\.rsrc\version.txt1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\96634c9a8ec6bf53aa05a1521dc67485f2d03434e8747d058046f089fb0cd01d\" -spe -an -ai#7zMap2594:190:7zEvent82441⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\96634c9a8ec6bf53aa05a1521dc67485f2d03434e8747d058046f089fb0cd01d\96634c9a8ec6bf53aa05a1521dc67485f2d03434e8747d058046f089fb0cd01d.exe"C:\Users\Admin\Downloads\96634c9a8ec6bf53aa05a1521dc67485f2d03434e8747d058046f089fb0cd01d\96634c9a8ec6bf53aa05a1521dc67485f2d03434e8747d058046f089fb0cd01d.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ee74894c73c1cb2cb94487e3def1f537946345f3c7150554c6383e0eb641322c\" -spe -an -ai#7zMap4217:190:7zEvent251091⤵
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\1d36ad7531393b119ef8e73253874e7af0f22f20a8072797d6ff243e7bb66bb8\" -spe -an -ai#7zMap31832:190:7zEvent112491⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\1d36ad7531393b119ef8e73253874e7af0f22f20a8072797d6ff243e7bb66bb8\1d36ad7531393b119ef8e73253874e7af0f22f20a8072797d6ff243e7bb66bb8.exe"C:\Users\Admin\Downloads\1d36ad7531393b119ef8e73253874e7af0f22f20a8072797d6ff243e7bb66bb8\1d36ad7531393b119ef8e73253874e7af0f22f20a8072797d6ff243e7bb66bb8.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Error.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\temp\29608\MJImageConverter_106401.exeC:\Windows\temp\29608\MJImageConverter_106401.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\ProgramData\MJImageConverter\ImgEncodec.dll",ImageCodec23⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\ProgramData\MJImageConverter\ImgEncodec.dll",ImageCodec24⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\eCsksh\vrgikx.exe"C:\Users\Admin\AppData\Local\eCsksh\vrgikx.exe" /install /silent2⤵
- Executes dropped EXE
-
C:\Windows\temp\29608\2345pcsafe_100107_duotes.exeC:\Windows\temp\29608\2345pcsafe_100107_duotes.exe /S2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ShellPro.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ShellPro.exe" --type=install --installtype=new --lockExplorerKB=1 --lockIEState=1 --lock3rdState=1 --lockBrowserState=1 --silent=13⤵
- Executes dropped EXE
- Modifies system certificate store
- System policy modification
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeCenter\2345SafeCenterInstaller.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeCenter\2345SafeCenterInstaller.exe" --type=install --invoke_product=1 --path="C:\Program Files (x86)\2345Soft\" --lockExplorerKB=1 --lockIEState=1 --lock3rdState=1 --lockBrowserState=1 --safe_override=04⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\SoftMgr_2345\2345SoftMgr.exe"C:\Users\Admin\AppData\Roaming\SoftMgr_2345\2345SoftMgr.exe" --shortcut=notify --from=s --entry=12 --package="C:\Users\Admin\AppData\Roaming\SoftMgr_2345\2345softmgr_v5.4.0.11680.7z" --nwinst=14⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\SoftMgr_2345\Application\5.4.0.11680\2345SoftMgrShell64.exe"C:\Users\Admin\AppData\Roaming\SoftMgr_2345\Application\5.4.0.11680\2345SoftMgrShell64.exe" --install=SoftMgrMenu64.dll5⤵
- Modifies system executable filetype association
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ExtShell64.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ExtShell64.exe" --install=AvShellExt64.dll3⤵
- Modifies system executable filetype association
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ShellPro.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ShellPro.exe" --type=installstatic --installtype=new --usertype=UNION --silent=1 --preversion=0.0.0.03⤵
- Executes dropped EXE
-
C:\Windows\temp\29608\wEBWekbEJkyzip282561115scuix001.exeC:\Windows\temp\29608\wEBWekbEJkyzip282561115scuix001.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShell.dll3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShellProp.dll3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\快压\X86\kuaizipUpdateChecker.dll3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShell.dll3⤵
-
C:\Windows\system32\regsvr32.exe/s C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShell.dll4⤵
- Modifies system executable filetype association
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShellProp.dll3⤵
-
C:\Windows\system32\regsvr32.exe/s C:\Users\Admin\AppData\Roaming\快压\X64\KuaiZipShellProp.dll4⤵
- Modifies system executable filetype association
-
C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe"C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe" -instsvr3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6440 -s 6164⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe"C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe" -AssociateAll3⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8112 -s 6164⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\快压\X86\KZReport.exe"C:\Users\Admin\AppData\Roaming\快压\X86\KZReport.exe"3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\temp\29608\2345explorer_100350.exeC:\Windows\temp\29608\2345explorer_100350.exe /S2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
-
C:\Windows\temp\29608\2345explorer_100350.exe"C:\Windows\temp\29608\2345explorer_100350.exe" --release_file3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --lang=zh_cn --no-sandbox --unzip-data="C:\Users\Admin\AppData\Local"3⤵
- Executes dropped EXE
-
C:\Windows\temp\29608\2345explorer_100350.exe"C:\Windows\temp\29608\2345explorer_100350.exe" --install_service --install_sdk=13⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345Explorer\Protect\ServiceManager.exe"C:\Program Files (x86)\2345Soft\2345Explorer\Protect\ServiceManager.exe" install "C:\Program Files (x86)\2345Soft\2345Explorer\Protect\Protect_2345Explorer.exe"4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345Explorer\Assistant\HelperTool64.exe"C:\Program Files (x86)\2345Soft\2345Explorer\Assistant\HelperTool64.exe" --pin_operation=1 --link_path="C:\Users\Admin\Desktop\2345加速浏览器.lnk"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\Assistant\HelperTool64.exe"C:\Program Files (x86)\2345Soft\2345Explorer\Assistant\HelperTool64.exe" --pin_operation=3 --link_path="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\2345加速浏览器.lnk"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --lang=zh_cn --no-sandbox --send-stat --action=install3⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345SafeCenterInstaller.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345SafeCenterInstaller.exe" --type=install --invoke_product=2 --path="C:\Program Files (x86)\2345Soft" --lockBrowserState=1 --target=23⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\Temp\2345SafeCenterInstaller.exe"C:\Windows\Temp\2345SafeCenterInstaller.exe" --type=uninstall --sub_type=delete_self --invoke_product=6 --path="C:\Program Files (x86)\2345Soft\2345SafeCenter\{AFEACBC6-3B9B-4C01-A4B0-4041FC1647F1}\"4⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --make-default-browser3⤵
- Modifies registry class
-
C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe"C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe" --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\2345Explorer\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\2345Explorer\User Data" --url=https://dump.2345.com/upload.php --annotation=plat=Win32 --annotation=prod=2345Explorer --annotation=ver=10.17.0.21258 --initial-client-data=0x224,0x228,0x22c,0x230,0x220,0x234,0x64dc14a8,0x64dc14b8,0x64ec14c4,0x64dc14c44⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=gpu-process --field-trial-handle=1272,6323126359355942227,12628383171759467482,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=807ED6FDD2F83D97E9F7242E2D99754D --mojo-platform-channel-handle=1444 --ignored=" --type=renderer " /prefetch:24⤵
-
C:\Windows\temp\29608\HuyaClientInstall260.exeC:\Windows\temp\29608\HuyaClientInstall260.exe2⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Program Files (x86)\HuyaLive\HuyaClient\Huya.exe/startservicefromsvc3⤵
-
C:\Program Files (x86)\HuyaLive\HuyaClient\Net45\HuyaService.exe"C:\Program Files (x86)\HuyaLive\HuyaClient\Net45\HuyaService.exe" /From_HuyaService4⤵
-
C:\Windows\temp\29608\peBpAkmaZheinote3549984242345x001.exeC:\Windows\temp\29608\peBpAkmaZheinote3549984242345x001.exe -wjm2⤵
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\Heinote\HNShell64.dll3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\Heinote\HNPreview64.dll3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\Heinote\hnchecker.dll3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s C:\Users\Admin\AppData\Roaming\Heinote\UserChoise.reg3⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe" -install3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Heinote\UserChoise.reg"4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s C:\Users\Admin\AppData\Roaming\Heinote\HNShell64.dll3⤵
-
C:\Windows\system32\regsvr32.exe/s C:\Users\Admin\AppData\Roaming\Heinote\HNShell64.dll4⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe" -schedule3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s C:\Users\Admin\AppData\Roaming\Heinote\HNPreview64.dll3⤵
-
C:\Windows\system32\regsvr32.exe/s C:\Users\Admin\AppData\Roaming\Heinote\HNPreview64.dll4⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Heinote\notepaper.exe"C:\Users\Admin\AppData\Roaming\Heinote\notepaper.exe" -install3⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\Report.exe"C:\Users\Admin\AppData\Roaming\Heinote\Report.exe"3⤵
- Writes to the Master Boot Record (MBR)
-
C:\Windows\temp\29608\kuwo_jm882.exeC:\Windows\temp\29608\kuwo_jm882.exe2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\curl.exe"C:\Users\Admin\AppData\Local\Temp\curl.exe" -d MiUwOTxTUkM6TVVTSUNfOS4wLjUuMF9QMlQxfEFDVDpJTlNUQUxMX0lORk98VFlQRTpTdGFydFNldHVwfFRDb3VudDoyNDIxMzcxNDB8e2t1d29fam04ODIuZXhlfXxVOnxNQUM6RDZERDBFQUFFOTRDPg== http://log.kuwo.cn/music.yl -o C:\Users\Admin\AppData\Local\Temp\kuwomsglog.txt3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwService.exe" 酷我核心服务 ENABLE3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwMusic.exe" 酷我音乐 ENABLE3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\RegTpData.dll" runDll MUSIC_9.0.5.0_P2T13⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\curl.exe"C:\Users\Admin\AppData\Local\Temp\curl.exe" -d MiUwOTxTUkM6TVVTSUNfOS4wLjUuMF9QMlQxfEFDVDpJTlNUQUxMX1NIRUxMfFRZUEU6UmVnVHBEYXRhfFNVQzoxfFRDb3VudDoyNDIxNTk2NTZ8e2t1d29fam04ODIuZXhlfXxVOnxNQUM6RDZERDBFQUFFOTRDPg== http://log.kuwo.cn/music.yl -o C:\Users\Admin\AppData\Local\Temp\kuwomsglog.txt3⤵
-
C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwMusic.exe"C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwMusic.exe" /autorun /nologauto3⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
-
C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwService.exe"C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwService.exe"4⤵
-
C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwWebKit.exe"C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwWebKit.exe" --type=renderer --disable-gpu-compositing --no-sandbox --enable-begin-frame-scheduling --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --enable-system-flash --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=1 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-gpu-compositing --channel="17244.0.1572461965\1449487497" /prefetch:6731311514⤵
-
C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\WriteMbox.exe"C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\WriteMbox.exe"4⤵
-
C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KWUpdate.exe"C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KWUpdate.exe" /kwsid=63440682 /kwver=MUSIC_9.0.5.0_P2T14⤵
-
C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwConfig.exe"C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwConfig.exe"4⤵
-
C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwUACSet.exe--unzipnetsong4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\WriteMbox.exe"C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\WriteMbox.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\curl.exe"C:\Users\Admin\AppData\Local\Temp\curl.exe" -d MiUwOTxTUkM6TVVTSUNfOS4wLjUuMF9QMlQxfEFDVDpJTlNUQUxMX0lORk98U3VjOjF8RGlzcGxheUNvbXBsZXRlUGFnZTowfEhhc1Nob3dDaGVjazowfEhhc1VuQ2hlY2s6MHxIYXNTdGFydE11c2ljQm94OjB8RXhjcHRpb25BYm9ydDowLjJ8U0tJUFRZUEU6MHxBdXRvUnVuOjF8U3RhZ2U6OTN8SW5zdGFsbFRpY2s6MjQyMTUxNjg3fEV4aXRUeXBlOjF8VVVJRDpFRENBQjMyRkJGQTk0RjRBQjE4RjJGMzlDNzVFMDAwNTMvcUNGbytmZlhLQXR4NE44Mnd4TnVUdFA1UFplajR6fFRDb3VudDoyNDIxNjA3OTZ8e2t1d29fam04ODIuZXhlfXxVOnxNQUM6RDZERDBFQUFFOTRDPg== http://log.kuwo.cn/music.yl -o C:\Users\Admin\AppData\Local\Temp\kuwomsglog.txt3⤵
-
C:\Windows\temp\29608\LDSGameMasterInstRoad_210901.exeC:\Windows\temp\29608\LDSGameMasterInstRoad_210901.exe2⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\ldsgamemaster.exe"C:\Users\Admin\AppData\Local\Temp\ldsgamemaster.exe" /PID="210901" /S /FROM=inst3⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies system certificate store
-
C:\MobileEmuMaster\SoftMgr\SoftMgrInst.exe"C:\MobileEmuMaster\SoftMgr\SoftMgrInst.exe" --hwnd=1573168 --from=LDSGameMaster --new=true --log4⤵
-
C:\MobileEmuMaster\Utils\MobileEmuHelper.exeC:\MobileEmuMaster\Utils\MobileEmuHelper.exe4⤵
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\RegSvr32.exe"C:\Windows\System32\RegSvr32.exe" /s /i "C:\MobileEmuMaster\Plugin\ShellExt_x64.dll"4⤵
-
C:\Windows\system32\regsvr32.exe/s /i "C:\MobileEmuMaster\Plugin\ShellExt_x64.dll"5⤵
-
C:\Windows\SysWOW64\RegSvr32.exe"C:\Windows\System32\RegSvr32.exe" /s /i "C:\MobileEmuMaster\GameMemoryOpt_x64.dll"4⤵
-
C:\Windows\system32\regsvr32.exe/s /i "C:\MobileEmuMaster\GameMemoryOpt_x64.dll"5⤵
-
C:\MobileEmuMaster\LDSGameHall\LDSGameHall.exe"C:\MobileEmuMaster\LDSGameHall\LDSGameHall.exe" /DisplayMode="hide" /From="inst" /HideBoot /NewInstall /PID="210901" /Push /SubPID="210901"4⤵
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
-
C:\MobileEmuMaster\update.exe"C:\MobileEmuMaster\update.exe" checkupdate5⤵
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
-
C:\Windows\SysWOW64\Dism.exe/Online /Get-FeatureInfo:Microsoft-Hyper-V5⤵
-
C:\MobileEmuMaster\LDSGameHall\LDSGameRun.exe"C:\MobileEmuMaster\LDSGameHall\LDSGameRun.exe"5⤵
- Writes to the Master Boot Record (MBR)
-
C:\Program Files (x86)\LuDaShi\Utils\LdsHelper.exe"C:\Program Files (x86)\LuDaShi\Utils\LdsHelper.exe"4⤵
- Writes to the Master Boot Record (MBR)
-
C:\Program Files (x86)\BirdWallpaper\Utils\BirdHelper.exe"C:\Program Files (x86)\BirdWallpaper\Utils\BirdHelper.exe"4⤵
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" "C:\Program Files (x86)\BirdWallpaper\wallpaperhelper\ComputerZ8_x64.dll" /s4⤵
-
C:\Windows\system32\regsvr32.exe"C:\Program Files (x86)\BirdWallpaper\wallpaperhelper\ComputerZ8_x64.dll" /s5⤵
- Modifies registry class
-
C:\Program Files (x86)\HaloDesktop\Utils\HaloHelper.exe"C:\Program Files (x86)\HaloDesktop\Utils\HaloHelper.exe"4⤵
- Writes to the Master Boot Record (MBR)
-
C:\Program Files (x86)\MasterPDF\PDFRunningHelper.exe"C:\Program Files (x86)\MasterPDF\PDFRunningHelper.exe" /enableServer4⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Program Files (x86)\MasterPDF\XDShellExtHelper64.dll"5⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4381⤵
-
C:\Users\Admin\AppData\Local\eCsksh\vrgikx.exeC:\Users\Admin\AppData\Local\eCsksh\vrgikx.exe1⤵
- Executes dropped EXE
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\70f90541f85877063ddc79f0115e2b44f862cebcbb41be36c7d87bc7a6471043\" -spe -an -ai#7zMap25108:190:7zEvent228171⤵
-
C:\Users\Admin\Downloads\70f90541f85877063ddc79f0115e2b44f862cebcbb41be36c7d87bc7a6471043\70f90541f85877063ddc79f0115e2b44f862cebcbb41be36c7d87bc7a6471043.exe"C:\Users\Admin\Downloads\70f90541f85877063ddc79f0115e2b44f862cebcbb41be36c7d87bc7a6471043\70f90541f85877063ddc79f0115e2b44f862cebcbb41be36c7d87bc7a6471043.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345SafeCenterSvc.exe"C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345SafeCenterSvc.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345RTProtect.exe"C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345RTProtect.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345SafeCenterCrashReport.exe"C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345SafeCenterCrashReport.exe" --crashtype=Driver3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345SafeCenterInstaller.exe"C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345SafeCenterInstaller.exe" --type=after_upgrade --invoke_product=63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\System32\ipconfig.exe" /flushdns3⤵
- Gathers network information
-
C:\Users\Admin\AppData\Roaming\SoftMgr_2345\2345SoftMgr.exe"C:\Users\Admin\AppData\Roaming\SoftMgr_2345\2345SoftMgr.exe" --shortcut=notify --from=s --entry=1 --intval=3603⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\SoftMgr_2345\Application\5.4.0.11680\2345SoftMgrShell64.exe"C:\Users\Admin\AppData\Roaming\SoftMgr_2345\Application\5.4.0.11680\2345SoftMgrShell64.exe" --install=SoftMgrMenu64.dll4⤵
- Modifies system executable filetype association
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345SafeCenterUpdate.exe"C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345SafeCenterUpdate.exe" --type=default3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345SafeCenterInstaller.exe"C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345SafeCenterInstaller.exe" --type=repairfiles --target=normally2⤵
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeSvc.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeSvc.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345RTProtect.exe"C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345RTProtect.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeTray.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeTray.exe" --type=logonauto --sf=12⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ShellPro.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ShellPro.exe" --type=repair3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeUpdate.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeUpdate.exe" --type=repairfiles --target=normally4⤵
-
C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345RTProtect.exe"C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345RTProtect.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345NightMode.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345NightMode.exe" --type=silent --switch=enable3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ManuUpdate.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ManuUpdate.exe" --type=manusaferepair3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeUpdate.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeUpdate.exe" --type=default3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345Setting.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345Setting.exe" --type=active --activeid=default3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- System policy modification
-
C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345ProtectManager.exe"C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345ProtectManager.exe" --type=active --tbid=2 --lf=3 --activeid=14⤵
- Executes dropped EXE
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345MPCSafe.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345MPCSafe.exe" --type=active --activeid=exam --start=03⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ManuUpdate.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345ManuUpdate.exe" --type=manusaferepair4⤵
-
C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345VirusScan.exe"C:\Program Files (x86)\2345Soft\2345SafeCenter\6.12.1.10076\2345VirusScan.exe"4⤵
-
C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeUpdate.exe"C:\Program Files (x86)\2345Soft\2345PCSafe\6.12.1.13307\2345SafeUpdate.exe" --type=repairfiles --target=normally2⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\09d2a852e68ae253edf08115b438c11ea8dc168bff12a392fa1c9928c7889a31\" -spe -an -ai#7zMap29599:190:7zEvent28781⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc1⤵
-
C:\Users\Admin\Downloads\09d2a852e68ae253edf08115b438c11ea8dc168bff12a392fa1c9928c7889a31\09d2a852e68ae253edf08115b438c11ea8dc168bff12a392fa1c9928c7889a31.exe"C:\Users\Admin\Downloads\09d2a852e68ae253edf08115b438c11ea8dc168bff12a392fa1c9928c7889a31\09d2a852e68ae253edf08115b438c11ea8dc168bff12a392fa1c9928c7889a31.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" -- "http://laserveradedomaina.com/redirect/57a764d042bf8"2⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe"C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe" --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\2345Explorer\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\2345Explorer\User Data" --url=https://dump.2345.com/upload.php --annotation=plat=Win32 --annotation=prod=2345Explorer --annotation=ver=10.17.0.21258 --initial-client-data=0x20c,0x210,0x214,0x218,0x208,0x21c,0x610814a8,0x610814b8,0x611814c4,0x610814c43⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=gpu-process --field-trial-handle=1236,7771441629066351894,2407714111372293324,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=943CA31AE40BFB317A23A395C8D062D5 --mojo-platform-channel-handle=1264 --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1236,7771441629066351894,2407714111372293324,131072 --service-pipe-token=8C9AAB0B895676228FFADAF7B7329E48 --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=8C9AAB0B895676228FFADAF7B7329E48 --renderer-client-id=4 --mojo-platform-channel-handle=2500 /prefetch:13⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1236,7771441629066351894,2407714111372293324,131072 --service-pipe-token=62C865A420C8A22E932ED247EA0F9FF4 --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=62C865A420C8A22E932ED247EA0F9FF4 --renderer-client-id=6 --mojo-platform-channel-handle=3060 /prefetch:13⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1236,7771441629066351894,2407714111372293324,131072 --service-pipe-token=6FBE3186F4E7EDE7C238E46898CD2152 --lang=zh-CN --extension-process --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=6FBE3186F4E7EDE7C238E46898CD2152 --renderer-client-id=3 --mojo-platform-channel-handle=3364 /prefetch:13⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\GameHall_2345\2345GameHall.exe"C:\Users\Admin\AppData\Roaming\GameHall_2345\2345GameHall.exe" --type=utility --action=upgrade3⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --not_main --force-visible-status-icon-on-win10-2345 --status-icon-id=43⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe"C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe" --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\2345Explorer\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\2345Explorer\User Data" --url=https://dump.2345.com/upload.php --annotation=plat=Win32 --annotation=prod=2345Explorer --annotation=ver=10.17.0.21258 --initial-client-data=0x20c,0x210,0x214,0x218,0x208,0x21c,0x610814a8,0x610814b8,0x611814c4,0x610814c44⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=gpu-process --field-trial-handle=1256,3393724588493138875,10252467347597635856,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=78669AE8F7E0ADE42E24000763020459 --mojo-platform-channel-handle=1276 --ignored=" --type=renderer " /prefetch:24⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7708 -s 12444⤵
- Program crash
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1236,7771441629066351894,2407714111372293324,131072 --disable-gpu-compositing --service-pipe-token=261B37B8B15375D136511E09D278F67A --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=261B37B8B15375D136511E09D278F67A --renderer-client-id=7 --mojo-platform-channel-handle=6632 /prefetch:13⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=gpu-process --field-trial-handle=1236,7771441629066351894,2407714111372293324,131072 --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=0AD42A0CBFEB977021D8A8ED9808C7F6 --mojo-platform-channel-handle=3536 /prefetch:23⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --no-sandbox --lang --upgrade /prefetch:83⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe"C:\Users\Admin\AppData\Roaming\快压\X86\KuaiZip.exe" "C:\Users\Admin\Downloads\83b5a1c76aac0d4e299208dbc4af02f8427f5e3a2d1c3ebdb74f6baa6538bc86.zip"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8340 -s 5882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8340 -s 15322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8340 -s 15242⤵
- Program crash
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\83b5a1c76aac0d4e299208dbc4af02f8427f5e3a2d1c3ebdb74f6baa6538bc86\" -spe -an -ai#7zMap20987:190:7zEvent277871⤵
-
C:\Users\Admin\Downloads\83b5a1c76aac0d4e299208dbc4af02f8427f5e3a2d1c3ebdb74f6baa6538bc86\83b5a1c76aac0d4e299208dbc4af02f8427f5e3a2d1c3ebdb74f6baa6538bc86.exe"C:\Users\Admin\Downloads\83b5a1c76aac0d4e299208dbc4af02f8427f5e3a2d1c3ebdb74f6baa6538bc86\83b5a1c76aac0d4e299208dbc4af02f8427f5e3a2d1c3ebdb74f6baa6538bc86.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9F8F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\9F8F.tmp.exe" --stid="" --onl2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 12683⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /pid 6960 & for /l %x in (1,1,60) do ( ping 127.0.0.1 -n 2 -w 500 & del /q /f "C:\Users\Admin\AppData\Local\Temp\9F8F.tmp.exe" & if not exist "C:\Users\Admin\AppData\Local\Temp\9F8F.tmp.exe" ( exit ) )3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /pid 69604⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 2 -w 5004⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SoftMgr_2345\2345SoftMgr.exe"C:\Users\Admin\AppData\Roaming\SoftMgr_2345\2345SoftMgr.exe" --shortcut=softmgr --from=cx --entry=51⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Roaming\SoftMgr_2345\2345SoftMgr.exe"C:\Users\Admin\AppData\Roaming\SoftMgr_2345\2345SoftMgr.exe" --shortcut=update --from=f --entry=112⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\SoftMgr_2345\Application\5.4.0.11680\2345SoftMgrShell64.exe"C:\Users\Admin\AppData\Roaming\SoftMgr_2345\Application\5.4.0.11680\2345SoftMgrShell64.exe" --install=SoftMgrMenu64.dll2⤵
- Modifies system executable filetype association
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Modifies registry class
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\Protect\Protect_2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\Protect\Protect_2345Explorer.exe"1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\2345Soft\2345Explorer\Protect\2345MiniPage.exe"C:\Program Files (x86)\2345Soft\2345Explorer\Protect\2345MiniPage.exe" --from=B --entry=12⤵
- Modifies Internet Explorer settings
-
C:\Users\Admin\AppData\Roaming\GameHall_2345\2345GameHall.exe"C:\Users\Admin\AppData\Roaming\GameHall_2345\2345GameHall.exe" --type=utility --action=upgrade3⤵
-
C:\Users\Admin\AppData\Roaming\GameHall_2345\2345GameHall.exe"C:\Users\Admin\AppData\Roaming\GameHall_2345\2345GameHall.exe" --type=utility --action=upgrade3⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x44c1⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --shortcut=desktop1⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe"C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe" --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\2345Explorer\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\2345Explorer\User Data" --url=https://dump.2345.com/upload.php --annotation=plat=Win32 --annotation=prod=2345Explorer --annotation=ver=10.17.0.21258 --initial-client-data=0x20c,0x210,0x214,0x218,0x208,0x21c,0x64dc14a8,0x64dc14b8,0x64ec14c4,0x64dc14c42⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=gpu-process --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=B485610D3E9D5E12796E25DAEF4D4E46 --mojo-platform-channel-handle=1252 --ignored=" --type=renderer " /prefetch:22⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --lang=zh-CN --no-sandbox --service-request-channel-token=6B78FF2C6BAC22ED20BE811DE1B2143D --mojo-platform-channel-handle=2360 /prefetch:82⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --service-pipe-token=B931659EE29023E9C7BA9A1B58FF4DBD --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=B931659EE29023E9C7BA9A1B58FF4DBD --renderer-client-id=4 --mojo-platform-channel-handle=2640 /prefetch:12⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --service-pipe-token=6E26C6230427F5CA10671996C3CE0D3E --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=6E26C6230427F5CA10671996C3CE0D3E --renderer-client-id=5 --mojo-platform-channel-handle=3428 /prefetch:12⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --service-pipe-token=3D60181F6189791B406EC66406C99819 --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=3D60181F6189791B406EC66406C99819 --renderer-client-id=6 --mojo-platform-channel-handle=3448 /prefetch:12⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --service-pipe-token=F7A44056813D53A1E478402F06CA4465 --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=F7A44056813D53A1E478402F06CA4465 --renderer-client-id=7 --mojo-platform-channel-handle=3488 /prefetch:12⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\GameHall_2345\2345GameHall.exe"C:\Users\Admin\AppData\Roaming\GameHall_2345\2345GameHall.exe" --type=utility --action=upgrade2⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=gpu-process --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=4E0605E789A611F307888F8D98A8587E --mojo-platform-channel-handle=6200 /prefetch:22⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --disable-gpu-compositing --service-pipe-token=1CB0EEA9454765B05AE486057F652F42 --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=1CB0EEA9454765B05AE486057F652F42 --renderer-client-id=9 --mojo-platform-channel-handle=6176 /prefetch:12⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --lang=zh-CN --no-sandbox --service-request-channel-token=7150ACAFFDEAE051189A56383B34673B --mojo-platform-channel-handle=4480 /prefetch:82⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --disable-gpu-compositing --service-pipe-token=B5DD0D0C2D09428BF62F328B32A8AE77 --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=B5DD0D0C2D09428BF62F328B32A8AE77 --renderer-client-id=11 --mojo-platform-channel-handle=6196 /prefetch:12⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --no-sandbox --lang --upgrade /prefetch:82⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --lang=zh-CN --service-sandbox-type=utility --service-request-channel-token=D21188487F0F4D704CDB6174810ED6C8 --mojo-platform-channel-handle=5860 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --lang=zh-CN --service-sandbox-type=utility --service-request-channel-token=7033701F48410BB94FF84C20C9166EFA --mojo-platform-channel-handle=4996 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --lang=zh-CN --service-sandbox-type=utility --service-request-channel-token=C4DE9C47EBE9BDEEB2DA2A08236C01CC --mojo-platform-channel-handle=6872 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --lang=zh-CN --service-sandbox-type=utility --service-request-channel-token=07D14F88441A2023CB4DAF8F1F0E7AFC --mojo-platform-channel-handle=5936 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --lang=zh-CN --service-sandbox-type=utility --service-request-channel-token=CB099F18EE8C1B3296BC46252587D4BA --mojo-platform-channel-handle=7008 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --disable-gpu-compositing --service-pipe-token=9AA8EBFD11F5BEAFE30F349408CDB9ED --lang=zh-CN --extension-process --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=9AA8EBFD11F5BEAFE30F349408CDB9ED --renderer-client-id=17 --mojo-platform-channel-handle=7104 /prefetch:12⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --lang=zh-CN --service-sandbox-type=utility --service-request-channel-token=6A89D018D59990FEBF8158510D7BFD4A --mojo-platform-channel-handle=4664 --ignored=" --type=renderer " /prefetch:82⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1232,2480874022340948737,17492369275312440179,131072 --disable-gpu-compositing --service-pipe-token=6849354C4EC019E522A0E098A4DD7119 --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=6849354C4EC019E522A0E098A4DD7119 --renderer-client-id=5 --mojo-platform-channel-handle=4896 /prefetch:12⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --shortcut=desktop1⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe"C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe" --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\2345Explorer\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\2345Explorer\User Data" --url=https://dump.2345.com/upload.php --annotation=plat=Win32 --annotation=prod=2345Explorer --annotation=ver=10.17.0.21258 --initial-client-data=0x20c,0x210,0x214,0x218,0x208,0x21c,0x64dc14a8,0x64dc14b8,0x64ec14c4,0x64dc14c42⤵
-
C:\Users\Admin\AppData\Roaming\快压\X86\Update.exeC:\Users\Admin\AppData\Roaming\快压\X86\Update.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13488 -s 7682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13488 -s 7602⤵
- Program crash
-
C:\Program Files (x86)\HuyaLive\HuyaClient\Huya.exe"C:\Program Files (x86)\HuyaLive\HuyaClient\Huya.exe"1⤵
-
C:\Program Files (x86)\HuyaLive\HuyaClient\Net45\HuyaService.exe"C:\Program Files (x86)\HuyaLive\HuyaClient\Net45\HuyaService.exe" /From_huya_client2⤵
-
C:\Program Files (x86)\HuyaLive\HuyaClient\Net45\HuyaClient.exe"Net45/HuyaClient.exe"2⤵
- Writes to the Master Boot Record (MBR)
-
C:\Program Files (x86)\HuyaLive\HuyaClient\Player\huyaplayerModule.exe"C:\Program Files (x86)\HuyaLive\HuyaClient\Player\huyaplayerModule.exe" AgARBB4WHDYzNzg2MzIxOTI1NjAyNDE2NF8yMjYwMjU5OTAgCjABSgJTH4iuEwAAAVTcMkHgIlMfiK4yUx+IrkYJ5ZGo5pif5pifVwAAATRodHRwOi8vaHcuZmx2Lmh1eWEuY29tL3NyYy8xMzk0NTc1NTM0LTEzOTQ1NzU1MzQtNTk4OTY1NjMxMDMzMTczNjA2NC0yNzg5Mjc0NTI0LTEwMDU3LUEtMC0xLWltZ3BsdXMuZmx2P3dzU2VjcmV0PTM3M2FhZWQ5NmU5MTdmY2Y4ZWI0MmExNTlmZjcxMTg5JndzVGltZT02MjY0MTEwNiZmbT1SRmR4T0VKalNqTm9Oa1JLZERaVVdWOGtNRjhrTVY4a01sOGtNdyUzRCUzRCZzcGhkY2RuPWFsXzctdHhfMy1qc18zLXdzXzctYmRfMi1od18yJnNwaGREQz1odXlhJnNwaGQ9MjY0XyotMjY1XyomdHh5cD1vJTNBZDMlM0ImZnM9Z2N0JmNvZGVjPTI2NGAGfIyWA2ZsdqbWd3NTZWNyZXQ9MzczYWFlZDk2ZTkxN2ZjZjhlYjQyYTE1OWZmNzExODkmd3NUaW1lPTYyNjQxMTA2JmZtPVJGZHhPRUpqU2pOb05rUktkRFpVV1Y4a01GOGtNVjhrTWw4a013JTNEJTNEJmN0eXBlPWh1eWFfcGNfZXhlJnR4eXA9byUzQWQzJTNCJmZzPWJnY3QmJnNwaGRjZG49YWxfNy10eF8zLWpzXzMtd3NfNy1iZF8yLWh3XzImc3BoZERDPWh1eWEmc3BoZD0yNjRfKi0yNjVfKrZIMTM5NDU3NTUzNC0xMzk0NTc1NTM0LTU5ODk2NTYzMTAzMzE3MzYwNjQtMjc4OTI3NDUyNC0xMDA1Ny1BLTAtMS1pbWdwbHVzwAHWH2h0dHA6Ly9ody5wMnAuaHV5YS5jb20vaHV5YWxpdmXmBXNsaWNl9g/Wd3NTZWNyZXQ9MzczYWFlZDk2ZTkxN2ZjZjhlYjQyYTE1OWZmNzExODkmd3NUaW1lPTYyNjQxMTA2JmZtPVJGZHhPRUpqU2pOb05rUktkRFpVV1Y4a01GOGtNVjhrTWw4a013JTNEJTNEJmN0eXBlPWh1eWFfcGNfZXhlJnR4eXA9byUzQWQzJTNCJmZzPWJnY3QmJnNwaGRjZG49YWxfNy10eF8zLWpzXzMtd3NfNy1iZF8yLWh3XzImc3BoZERDPWh1eWEmc3BoZD0yNjRfKi0yNjVfKvwQ/BH2EsJ3c1NlY3JldD0zNzNhYWVkOTZlOTE3ZmNmOGViNDJhMTU5ZmY3MTE4OSZ3c1RpbWU9NjI2NDExMDYmZm09UkZkeE9FSmpTak5vTmtSS2REWlVXVjhrTUY4a01WOGtNbDhrTXclM0QlM0Qmc3BoZGNkbj1hbF83LXR4XzMtanNfMy13c183LWJkXzItaHdfMiZzcGhkREM9aHV5YSZzcGhkPTI2NF8qLTI2NV8qJnR4eXA9byUzQWQzJTNCJmZzPWdjdPETD6ALVjRDOlxVc2Vyc1xBZG1pblxBcHBEYXRhXFJvYW1pbmdcSHV5YVBjXGxvZ1wyMDIyXzA0XzIzbHYgMGE3MGM4NDcwMjExNjQ2MjcxMDE5Y2ZjOWRmYzgyZTE=3⤵
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k HEINOTEUPDATE1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k HEINOTEUPDATE1⤵
- Modifies data under HKEY_USERS
-
C:\users\admin\appdata\roaming\heinote\hnote.exe"C:\users\admin\appdata\roaming\heinote\hnote.exe" -fix2⤵
-
C:\users\admin\appdata\roaming\heinote\hnote.exe"C:\users\admin\appdata\roaming\heinote\hnote.exe" -fix3⤵
-
\??\c:\users\admin\appdata\roaming\heinote\skinbox.exec:\users\admin\appdata\roaming\heinote\skinbox.exe -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15136 -s 4483⤵
- Program crash
-
\??\c:\users\admin\appdata\roaming\heinote\skinbox.exec:\users\admin\appdata\roaming\heinote\skinbox.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15496 -s 4523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15496 -s 4443⤵
- Program crash
-
\??\c:\users\admin\appdata\roaming\heinote\skinbox.exec:\users\admin\appdata\roaming\heinote\skinbox.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\skinbox.exec:\users\admin\appdata\roaming\heinote\skinbox.exe -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15576 -s 4523⤵
- Program crash
-
\??\c:\users\admin\appdata\roaming\heinote\skinbox.exec:\users\admin\appdata\roaming\heinote\skinbox.exe -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15500 -s 4523⤵
- Program crash
-
\??\c:\users\admin\appdata\roaming\heinote\feedback.exec:\users\admin\appdata\roaming\heinote\feedback.exe -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\feedback.exec:\users\admin\appdata\roaming\heinote\feedback.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\feedback.exec:\users\admin\appdata\roaming\heinote\feedback.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\feedback.exec:\users\admin\appdata\roaming\heinote\feedback.exe -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\readmode.exec:\users\admin\appdata\roaming\heinote\readmode.exe -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\feedback.exec:\users\admin\appdata\roaming\heinote\feedback.exe -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\readmode.exec:\users\admin\appdata\roaming\heinote\readmode.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\readmode.exec:\users\admin\appdata\roaming\heinote\readmode.exe -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\readmode.exec:\users\admin\appdata\roaming\heinote\readmode.exe -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\readmode.exec:\users\admin\appdata\roaming\heinote\readmode.exe -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\Update.exec:\users\admin\appdata\roaming\heinote\Update.exe -param=dfCYNNpbbFHijXbhxQ==2⤵
-
\??\c:\users\admin\appdata\roaming\heinote\Report.exec:\users\admin\appdata\roaming\heinote\Report.exe -param=dfCYNNpba0T2g3DwxQ==2⤵
- Writes to the Master Boot Record (MBR)
-
\??\c:\users\admin\appdata\roaming\heinote\upgrade.exec:\users\admin\appdata\roaming\heinote\upgrade.exe -param=2HQ9sxfXzleBicXpT3jVJdvTT+s=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\Report.exe"C:\Users\Admin\AppData\Roaming\Heinote\Report.exe"2⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12344 -s 4763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12344 -s 4683⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14824 -s 4523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14824 -s 3843⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14792 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14792 -s 4403⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13704 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13704 -s 4403⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe"C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe" -param=2HQ9sxfXzleBicXpT3jVJdvTT+s=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\Report.exe"C:\Users\Admin\AppData\Roaming\Heinote\Report.exe"2⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14952 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14952 -s 4203⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14604 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14604 -s 4403⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14944 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14944 -s 4403⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe"C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe" -param=2HQ9sxfXzleBicXpT3jVJdvTT+s=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14308 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14308 -s 4243⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe" -assoc1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15752 -s 4522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15752 -s 4442⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 16120 -s 4522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 16120 -s 4442⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\Update.exe"C:\Users\Admin\AppData\Roaming\Heinote\Update.exe" -param=dfCYNNpbbFHijXbhxQ==1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe"C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe" -param=2HQ9sxfXzleBicXpT3jVJdvTT+s=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\Update.exe"C:\Users\Admin\AppData\Roaming\Heinote\Update.exe" -param=dfCYNNpbbFHijXbhxQ==1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe"C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe" -param=2HQ9sxfXzleBicXpT3jVJdvTT+s=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15948 -s 4482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15948 -s 4402⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=1⤵
-
C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\kwmusic.exe"C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\kwmusic.exe"1⤵
-
C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwMusic.exe"C:\Program Files (x86)\kuwo\kuwomusic\9.0.5.0_P2T1\bin\KwMusic.exe" "C:\Users\Admin\Desktop\DenyCompress.wav"1⤵
-
\??\c:\windows\syswow64\svchost.exec:\windows\syswow64\svchost.exe -k netsvcs -s WpSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Roaming\Heinote\hnote.exeC:\Users\Admin\AppData\Roaming\Heinote\hnote.exe -fix1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe" -fix2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\update.exeC:\Users\Admin\AppData\Roaming\Heinote\update.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 21200 -s 7202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 21200 -s 6882⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe"C:\Users\Admin\AppData\Roaming\Heinote\hnote.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\Report.exe"C:\Users\Admin\AppData\Roaming\Heinote\Report.exe"2⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18988 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18988 -s 3843⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 21192 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 21192 -s 4683⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 21176 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 21176 -s 4683⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 21000 -s 4523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 21000 -s 4443⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe"C:\Users\Admin\AppData\Roaming\Heinote\skinbox.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe"C:\Users\Admin\AppData\Roaming\Heinote\upgrade.exe" -param=2HQ9sxfXzleBicXpT3jVJdvTT+s=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=J0Z6kgD1zknZAicYsqHVd8fzx6Ss2F5TuzzqeMSgKA6YPU6Xt6zXO0MrAQ45ya2aNIjfr2zLkCy2uObLyM0jXJ5b2Jdy2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVpwoBoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe"C:\Users\Admin\AppData\Roaming\Heinote\readmode.exe" -param=eDLeEO7WpbvmB2m0F4X+sXBg0VxBpcbdDN+BHvdMU+SlooOFbdptBzYiF1YCrj0JiBCL829mAx7u+pEishBKDXYA2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=UyHMS8M5Tqo1P7by74nKxImB66tWWqsPLcByb/6jqW76ozONW75q9ToNpmuLtbgnjx1EM1+znraeK1YgQbDh2⤵
-
C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe"C:\Users\Admin\AppData\Roaming\Heinote\feedback.exe" -param=OXVRw+SMTwb/opEpTejFGM43N8gtRLQEoYzVvBsLoeOoTOlh6R5ZEEjGY2Pw7SFHY4mOVvkDvQ3dVjtmjVQ=2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files (x86)\BirdWallpaper\Utils\BirdPreview.exe"C:\Program Files (x86)\BirdWallpaper\Utils\BirdPreview.exe"1⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" -- "http://down.360safe.com/setupbeta.exe"2⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe"C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe" --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\2345Explorer\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\2345Explorer\User Data" --url=https://dump.2345.com/upload.php --annotation=plat=Win32 --annotation=prod=2345Explorer --annotation=ver=10.17.0.21258 --initial-client-data=0xa0,0x94,0x98,0x90,0x9c,0x1f8,0x60cc14a8,0x60cc14b8,0x60dc14c4,0x60cc14c43⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=gpu-process --field-trial-handle=1220,17134880264831425199,17224501830063453178,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=94EC76A5B7F50F80CFE5F055F80794FD --mojo-platform-channel-handle=1240 --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1220,17134880264831425199,17224501830063453178,131072 --service-pipe-token=1FEC9601F73879BBEF5196817E9B19A7 --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=1FEC9601F73879BBEF5196817E9B19A7 --renderer-client-id=4 --mojo-platform-channel-handle=2548 /prefetch:13⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1220,17134880264831425199,17224501830063453178,131072 --service-pipe-token=7D3BD274B4178F5E1477215F6F6FC608 --lang=zh-CN --extension-process --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=7D3BD274B4178F5E1477215F6F6FC608 --renderer-client-id=3 --mojo-platform-channel-handle=2960 /prefetch:13⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=renderer --field-trial-handle=1220,17134880264831425199,17224501830063453178,131072 --disable-gpu-compositing --service-pipe-token=7FF5FC7DE926C5C29EF57EC49B0995F7 --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=7FF5FC7DE926C5C29EF57EC49B0995F7 --renderer-client-id=5 --mojo-platform-channel-handle=4880 /prefetch:13⤵
- Checks computer location settings
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --not_main --force-visible-status-icon-on-win10-2345 --status-icon-id=43⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe"C:\Program Files (x86)\2345Soft\2345Explorer\crashpad_helper.exe" --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\2345Explorer\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\2345Explorer\User Data" --url=https://dump.2345.com/upload.php --annotation=plat=Win32 --annotation=prod=2345Explorer --annotation=ver=10.17.0.21258 --initial-client-data=0x20c,0x210,0x214,0x218,0x208,0x21c,0x60cc14a8,0x60cc14b8,0x60dc14c4,0x60cc14c44⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=gpu-process --field-trial-handle=1224,3835372440843546408,17410442372999265907,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=6956538663F3684EBE2C0379C7F2437C --mojo-platform-channel-handle=1244 --ignored=" --type=renderer " /prefetch:24⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 23024 -s 12924⤵
- Program crash
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=gpu-process --field-trial-handle=1220,17134880264831425199,17224501830063453178,131072 --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=FBA8223A531FF6B0981DDD3BCA027FA7 --mojo-platform-channel-handle=4900 /prefetch:23⤵
-
C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Soft\2345Explorer\2345Explorer.exe" --type=utility --no-sandbox --lang --upgrade /prefetch:83⤵
-
C:\2345Downloads\setupbeta.exe"C:\2345Downloads\setupbeta.exe"3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: LoadsDriver
-
C:\Users\Admin\AppData\Local\Temp\{3BBE2E3E-66E3-4b7a-B77A-283739D9DAAE}.tmp\AgreementViewer.exe"C:\Users\Admin\AppData\Local\Temp\{3BBE2E3E-66E3-4b7a-B77A-283739D9DAAE}.tmp\AgreementViewer.exe" /Content="C:\Users\Admin\AppData\Local\Temp\{3BBE2E3E-66E3-4b7a-B77A-283739D9DAAE}.tmp\licence.rtf" /Title="360安全卫士安装许可使用协议"4⤵
-
C:\Users\Admin\AppData\Local\Temp\{A3277847-44EF-4d65-8737-1BA83E71C43C}.tmp\WscReg.exe"C:\Users\Admin\AppData\Local\Temp\{A3277847-44EF-4d65-8737-1BA83E71C43C}.tmp\WscReg.exe" /regas:1_14⤵
- Modifies security service
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll"4⤵
- Modifies system executable filetype association
- Modifies registry class
-
C:\Windows\System32\bcdedit.exe"C:\Windows\Sysnative\bcdedit.exe" /set flightsigning on4⤵
- Modifies boot configuration data using bcdedit
-
C:\Program Files (x86)\360\360Safe\Utils\360seclogon\360SecLogonHelper.exe"C:\Program Files (x86)\360\360Safe\Utils\360seclogon\360SecLogonHelper.exe"4⤵
- Writes to the Master Boot Record (MBR)
-
C:\Windows\System32\bcdedit.exe"C:\Windows\Sysnative\bcdedit.exe" /set {bootmgr} flightsigning on4⤵
- Modifies boot configuration data using bcdedit
-
C:\Program Files (x86)\360\360Safe\safemon\PopWndTracker.exe"C:\Program Files (x86)\360\360Safe\safemon\PopWndTracker.exe" /query4⤵
-
C:\Program Files (x86)\360\360Safe\softmgr\EaInstHelper.exe"C:\Program Files (x86)\360\360Safe\softmgr\EaInstHelper.exe" /Install4⤵
-
C:\Program Files (x86)\360\360Safe\softmgr\EaInstHelper64.exe"C:\Program Files (x86)\360\360Safe\softmgr\EaInstHelper64.exe" /Install4⤵
-
C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe"C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe" /Install4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\360Safe\safemon\safemon64.dll"4⤵
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\360\360Safe\safemon\safemon64.dll"5⤵
-
C:\Program Files (x86)\360\360Safe\Utils\PowerSaver.exe"C:\Program Files (x86)\360\360Safe\Utils\PowerSaver.exe" /flightsigning4⤵
- Modifies system certificate store
-
C:\Program Files (x86)\360\360Safe\Utils\PowerSaver.exe"C:\Program Files (x86)\360\360Safe\Utils\PowerSaver.exe" /HImmu4⤵
-
C:\Program Files (x86)\360\360Safe\360Safe.exe"C:\Program Files (x86)\360\360Safe\360Safe.exe" /setup_or_firstrun4⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
-
C:\Program Files (x86)\360\360Safe\360leakfixer.exe"C:\Program Files (x86)\360\360Safe\360leakfixer.exe" /safeinit /pid=215805⤵
- Writes to the Master Boot Record (MBR)
-
C:\Program Files (x86)\360\360Safe\utils\360UHelper.exe"C:\Program Files (x86)\360\360Safe\utils\360UHelper.exe" \from=safe \page=download \url=http://static.360.cn/qucexp/safe/SafeTabTip13.cab \param=-d C:\Program Files (x86)\360\360Safe\Config\newui\themes\default\advisetip\ -t=35001 -s=10000 -n=4605225⤵
-
C:\Program Files (x86)\360\360Safe\LiveUpdate360.exe"C:\Program Files (x86)\360\360Safe\LiveUpdate360.exe" /s6⤵
-
C:\Program Files (x86)\360\360Safe\safemon\360tray.exe"C:\Program Files (x86)\360\360Safe\safemon\360tray.exe" /TrayInstall /clean /showtrayicon4⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Enumerates connected drives
- Maps connected drives based on registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: LoadsDriver
-
C:\Program Files (x86)\360\360Safe\SoftMgr\SML\SoftMgrLite.exe"C:\Program Files (x86)\360\360Safe\SoftMgr\SML\SoftMgrLite.exe"5⤵
- Writes to the Master Boot Record (MBR)
-
C:\Program Files (x86)\360\360Safe\SoftMgr\SML\SMLProxy64.exe"C:\Program Files (x86)\360\360Safe\SoftMgr\SML\SMLProxy64.exe" /64BitLauncher=Install6⤵
-
C:\Program Files (x86)\360\360Safe\Utils\360IA.exe"C:\Program Files (x86)\360\360Safe\Utils\360IA.exe" /src=probe /dpi=965⤵
-
C:\Program Files (x86)\360\360Safe\SoftMgr\AdvUtils.exe"C:\Program Files (x86)\360\360Safe\SoftMgr\AdvUtils.exe" /IsUniDpi /hWnd=5916305⤵
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\360\360Safe\safemon\safemon64.dll"5⤵
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\360\360Safe\safemon\safemon64.dll"6⤵
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\360\360Safe\safemon\safemon.dll"5⤵
-
C:\Program Files (x86)\360\360Safe\SoftMgr\SoftupNotify.exe"C:\Program Files (x86)\360\360Safe\SoftMgr\SoftupNotify.exe" /install4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\360Safe\SoftMgr\SoftMgrExt64.dll"5⤵
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\360\360Safe\SoftMgr\SoftMgrExt64.dll"6⤵
- Modifies system executable filetype association
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\360Safe\SoftMgr\SMWebProxy.dll"5⤵
-
C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe"C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe" /Start4⤵
-
C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe"C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe"1⤵
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a70855 /state1:0x41c64e6d1⤵
-
\??\c:\windows\syswow64\svchost.exec:\windows\syswow64\svchost.exe -k netsvcs -s DesktopSvc1⤵
-
\??\c:\windows\syswow64\svchost.exec:\windows\syswow64\svchost.exe -k netsvcs -s HpSvc1⤵
-
\??\c:\windows\syswow64\svchost.exec:\windows\syswow64\svchost.exe -k netsvcs -s SpSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Change Default File Association
1Registry Run Keys / Startup Folder
4Bootkit
1Defense Evasion
Modify Registry
10Virtualization/Sandbox Evasion
2Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\06FC6B818235493BBBEC2B9CE6991189E8621F0CFilesize
213KB
MD5fb531dc6dd30a13cc0b1af9c02243277
SHA1b3d65d2b81f57c8e513100263bb65da952597ea7
SHA2565e3339acede47ab600c97ac9d080d370092f2bdf1ea0e258c27791d6b93d1c6b
SHA5124befa1e6c77a839e92e689e8411b72131019639c847575de2576d27806d2410eb5785434cda5f9a4b2857ea822858c00be96c5183bf0d1e8d551ff411519c2f5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\075194AE83D023F67C9C5C20DB6543A9D0E02049Filesize
220KB
MD527a153569cd66cecffe89d370c8d2c11
SHA141628558e892648eebf33e01896568534c15d95c
SHA256bebcee94cea7d49e79c7253a3497b3850c529fb127bb8e6dc2a1defb1ae95ea2
SHA512b871419b1db301dd936ed919be4bcf913e148cbb708550a0e2c1d788ba202cc916edab62aad21588bfe9dbbc71ff7bcb3b2dd052e2a6e4f954d0bf109dcbfab6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\0BAB0C836149B5E6E79B55F5F5EA347931BCA4CBFilesize
1KB
MD5177c24f848eb56e16d5dc42c784855b1
SHA1ffc8ccbd374bb644aa4a4a77a9d45268b922e836
SHA25669d5272db7084279c3028ced1cd327e54d0027df213f89a83d89abd8dd0124d2
SHA512b59461d8962e3f13f279b07d1f3c9fb7c25d27db02b75bebff36319a9b7af0cc18b7bcc9a3c82b587b3f79483dbdf07a85a2fffb1d0cb51c4a2e304f9f5d00bd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\1274EFFCFBD5A0ACB13DC21229761071B763BD22Filesize
1KB
MD542cd544b31b2922a08c1859886c1fdd7
SHA18e51eb795de0ff9d23585c678921eded2a499afe
SHA256be5d29d0689cc16eb2df4efd47ac0b58a7a9335d347f319db32eafdbebdc5665
SHA51248ca65811bbf2f190c5a74d9a6f774cef2451b3c280be3880bf0b57f8dedf5082eb2df92991fe933bbc766a2a8c91b3ddea9df0c89a4c0cec30fdb1e1ae3de63
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\1C8CBD7AB6D54530CDE7FD60DBF2F63F9E388D6DFilesize
18KB
MD5f67b593332b0bbca95486d075ff08604
SHA1c2a2db77dec87d0aec18faccae3b03a8cba5002f
SHA25684028a9f44ce94e9d50db568c282bba9f11f5d6896a5a11c318b22ff34bfdb7e
SHA51200ed2b293c3e63f8a2126dd2ef6cd37d7ae0f8d01c3d54400fb15a7682bbe4d3ccbb35115dbc1498526b9c724f9d7f5c2cb87887a439f6289d006802f4c78feb
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\21A994537757BA58EF0DDE687AD3C6D63886BBC6Filesize
1KB
MD52f00cbb96cc0fd4c05512b6ed096e09b
SHA1d6b8d7daaa280efa10ea9b51a63f1d588134c50a
SHA25620a303c52841df0d1208d4accd29f51adc93057e87255209d51dadb0b92a5cdc
SHA512726987fc5a8b4f899018b9ad5a1a4472be78154a7a8592a7bbcd3696fe2375c987dd3161d46df5fdf8a45c77d74876b55ed009956e65d6c7c441b00e5d38a92e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\235D7C112869138E88EB456F003689E9F0373C02Filesize
220KB
MD53def776d0626dff406a6b452ea92e39a
SHA1aacb008120867b98de26c7dcb84a9a2aafbc38b3
SHA256cc4fd70d2a2547150a5b9501e5818482e948309b61183d06828341a450e9a07b
SHA5121ab04e2ef5e6b7218ec82edce6453f4e99da3c1ed3466ecf8429ef58f9c6d03c6d262a8afec0521b49d5d354afed67eeeeebc91516128e439f38e1b609b93a07
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\2E0C4058E084A83FFD5E59DF25634B4708213893Filesize
20KB
MD5a161aabfd788bd74636cf2f59e110d54
SHA16954eaa68516d8085185a5efd3566cb66a51c4ef
SHA256e3b6d97df2562362c01cc0747829bc61d50f47b9049158aa714c203a54f00dda
SHA51239325499d7968ad19f3c92e18e7479e4c8f81f2233ac8d5a5a348883ae6700865c0d5c293af744b1e47363dc3c18da9eb57f3621310839d8bd56094fd3203336
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\32F6B70E2739A32EEF02D95FCFFB1EF3ABFD4A76Filesize
213KB
MD5ee83b9052785608680ac8276772728c3
SHA11f30478f28736741f56740dc3b3b74fec521f9ee
SHA2561a8ba3d645a198b50e0fa2a9269edbac63d7932c06a7bd7e52bbdb19c34e04d3
SHA512aad6885167d2d9f1d7ef80d454c8f60b183b1a134a907d8043572551f95d251a0cf5c063353cf45d81e00811e3de2e27c46a11e1f19f04124de5897a0e6108fb
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\37D4C2538200DB67979ED3940910BD2EC8688418Filesize
157KB
MD5738769ab18a525bf1516fc064e9aa482
SHA112610e84c6c4c0e708badef6c06e79b3105b2164
SHA2567a535ae2bbd1246bd3b997328095a42cbf5d0590932809d6566f3ef04259aef5
SHA512a8716b78eb022095bb76376746b78f996fcd76cb3a1a7a38d5a2b888c93b7a8a772994d4b0ffb87952c707e680e110f316f08c2bc3bf2efc72db638c8ff4bb89
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\4903E7ABE348ED39D98D1C844FB81A906D5ECA16Filesize
9KB
MD5599afbcb8491a466db3a9873858bccce
SHA18e34c505530df58431968ccfbebdba453c7234d4
SHA256c5137ee33c87f5877da9aaf91c10acec6db043a4fd28b92a6b6b728f8618e65e
SHA5124f9c28e7b00731bf30c0a226ded6f5a489f4cd2c30142bdc163721b6a1642c43385545a1970dc97d0c896e742a0586cd7110eed0cfbfe02bb0499efcc36fe09a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\5025E5DF3C89B7D612FD31437F7003CDAC32F565Filesize
775B
MD5053029844fbebf18a7a766f2df7378a6
SHA15bb608ab83d71e0fbd2fe6ec56471e585f159c0f
SHA256e87d738d2b8569da7331236da186cb63342a579a10c679725c5bcd855923cad2
SHA51252f6d55839748da6f4d0c5a98166465a98c3c0aacc7ef2a5e5235557faa2d3ecaf495be2072da70d9415976aa67692507bcf3429997257d4702fb126c976b78d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\53C5A63DD10FCCCBBB92D7F43CAB295FE10FD0AFFilesize
1KB
MD532ee56706a4a82f54f460a9095bf89bd
SHA1cca15435f7a5f0c4db3ae73da8800a31fef25648
SHA256d64257e5e02da3eaf5e2831c8bb00d4230760c7813dc0b85778f3cea0ac6a4f0
SHA512b9b56857a468752462dc9c044c399cd705e8d10faee33b7fba109f06c09fcd048041d59b0c31152421f511d97c64115208fdb30581bb54432d6f38486f270b7f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\5F144EFB84CD71651AB02773B712DD9389942D9CFilesize
19KB
MD535450281f5ddb244a166230f1acf6476
SHA1896fbf2024a8b01f01a25fcaca7470b9d35812ef
SHA25601cb0b3397ced95e854b03b4c8fb761b2713176d8b7ce568b5c2deb24791abc2
SHA512cb2b4f5fa8139fa0574eb8faf79c8c16e935b0cab280b96cf3dfb3b80b725c636a25d564706ed8b33d3371315f5b967d59ddf9b397b88f5dc1fd1d3523bffa6d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\655E8A0863E307C99EFB92CE6918EB2455425FCBFilesize
2KB
MD555ba1ef0f8c5303a4c662ab21204a3de
SHA1d152fdd548cfb14787cef99d9c77c3cd8da1c18a
SHA2562463d6405fac5c250f45a53ca6cbea8e7c7f8c74cec50a21740415c6dc232446
SHA512ee4b8ce76af17edea30f573763a8ef98d2fd5644306f269c33bc027e1fe94e37ec48e08b0980fa1293338f962afa10cf023c910ec92132ec134829d2df9120a7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\69B4554E0E599C38DD06AEE5AF8B85B5E4E43BB9Filesize
8KB
MD5eb12790a49de8d3eba7d38d8356ea72e
SHA1f7a689138396925ca1eaca0fe74bb9670efb0d08
SHA256f4e97bd938c58f253022d865a4bf3da0010cae8cc53fdc36a403980f457a6cd9
SHA512cc6c4e1b6af086860922856378b7dc6c0488eacd2995b4d6425b6646f371a2a31f7969d7fb0d022fa675f07bb63dee061bd644c396320353384f1e45f6476148
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\6D4934FE31BFAF4563C9C133D9CEB4B986FB5CA0Filesize
9KB
MD51e818b4001fdd4add914c48f5debf77f
SHA1cfb6681fe1148561b96a61181177a0425b490de7
SHA2563bf22b3bd8e9055b62abfcecdd13ebe7429227b4b744afa6ff94f24e1945aa39
SHA51201a6de9a5c7e7fef18fc3ca3533ddc3b81ab2135a0dea620fa1a48f92b915241bd294ff94b452afb046a97978a34c734acfd1fe9f8ebefbbf8a06970464e8b56
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\6D621CE7EDB23030A35AD4DBDF4E1BA373D4FEA0Filesize
716B
MD583af07b9dff205a556fbb1298afea574
SHA19a641d94a7b796f1282f12a7a1b9fba39eb243e0
SHA25651b108055ceeeed5277901cac201768afa9727bea9b1d457902f552fc74af62e
SHA512b31df91649a44a9601ee12c6b0ddb65c7d0572fb92761edcfb7ebce6555209c2a39ef15801efad5ba5425d254977064fd313a5ca0428c108929817899048c571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\780510E062825FABB8C95BE4566EC7650B63949CFilesize
1002B
MD52ac6ea579666246453eeb9310e113a10
SHA17ee203ed0b658ca34ea05e59ff0c16a9b043f37b
SHA2564e5eb79c879f2de46742df898c2a52f22508d0e3ebcc4b0431b58073ecaaacce
SHA512f9199bbebb687c6d4631c67c2e442a5091942abed788f473e2aaf30e6f3080233ccfeee204ffb3ff0eb55c896aa3effeac9282c870db150ac5a4e74aea1a843c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\8507E971A5AE9DB2C48EC2CF56A84EC4C40BAC50Filesize
14KB
MD5cc326977700d2607cbf54713f7ba0bf3
SHA1bc24fc71d0c2bdd2ff0a652b94cf8a002dbf7161
SHA256b3773133506a2c6ef16060f31d7fd9397cdb398a46719c99854cd3d9db9df412
SHA51256e2d1084490fb2d8bf2fae826bc9ec0143606868321565c70dfde97e4ad83a3b87480f51ac32469b70abbb60ff8f7e3671fc7bba08f902e5ae7b19cda2aa1f3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cache2\entries\ED07F042F4253F704BFC7070ADB92A3EDC4588A0Filesize
9KB
MD5505981b96f7992e51c5561b6c67e4bf1
SHA1542036413ab8adc59d210ebec116f2e03b735914
SHA2565bb6658350f08b0df197a1f30b10dff3c63ccbde2803b8d1af44f7766037785d
SHA5126de341bc0235629d416f2146e4b8150945ca823ad746e9b20cd065a7a8abfd8c51c56699e3f5bee081e11582b9cb63abb1928d1cb81b057011a80511637caebb
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\ads-track-digest256.vlpsetFilesize
51KB
MD56c3605de4e50f585c2dad2819d138112
SHA14c647f39e09f9a3f16c982febbcca061ffa42652
SHA2561983aa1c36d96d197aa522d6347f0ab6a62234294964f1d5889600c2ca6605d0
SHA512b619f4fa7138b90ea92064fa9e614e978b014257a59a71738d2fd2382988d395c1d9d7aa362e90abe5acf82dbe786f860bdeff65684db16ab5b42ebd5f47fc44
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\allow-flashallow-digest256.vlpsetFilesize
69B
MD5de0d88480c24350c59e1e9a3583de0d1
SHA14e3c279344cb37deb5e893ab24770982de135789
SHA25601ba9f0b913e04ed10bd7166796483dd4f72005f249d6ee68b12117be4b5d3c7
SHA512f627c69598baa9bc60b036cea03fdadc8b4cc424ef8cdf93614275a336de05a60961f5e77553226c99c29ec2932272ae994327a4da77d75d2464f6722cb700aa
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\analytics-track-digest256.vlpsetFilesize
9KB
MD52b077f437067b52d00d4280df1b248a5
SHA119c10d8bdf159b9e53db9855d1d97a658d92c994
SHA256a8cb2ff713acaba0b4612c5bfece51a5e5d436a739c0455a3731d1ef8e0eae12
SHA512ba03b93b68e5cc0de34f890d7d112a1df0a17dcb451bd9c0761e087260fe9b3cb2afda9efb0b9d075cb722b77a859ca0b27c570a6db62a08b2fa9d30a04d00d5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\base-cryptomining-track-digest256.vlpsetFilesize
2KB
MD5f45cb33dfea35013b6d5951f464a7841
SHA121c9d73636871aafe063797059078fe2373d1233
SHA256498ab828f2dff25b45deed474bebdbcfadac63a1cbba2e393162ab54bbc9f2e1
SHA51288ff2955d709d53fe248b88beb3f6bc31a485c17c80c5ddb8ea91abf46b0a43bcaf7f357ea4ac09dfb1d7988f8b7b1034ded15c2861d9de01719c131cf72a27c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\base-fingerprinting-track-digest256.vlpsetFilesize
2KB
MD5cb73b8baffcd07ff5d1df58f8477370b
SHA13bdda94d12aea19a659c3b4035d0e613e18ca202
SHA2561e063a0cbc2d947925265cabbbb0da6721b7e05361b1171316fca37e906226fa
SHA512f5004c43ba0b5b48fae0c45c5f61c2a608a4ca3c61362cf27c51da7335597f9862f6c5a04e137bba16e92f3523e1009b5ca2542f52d478f56b946cebf2140712
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\block-flash-digest256.vlpsetFilesize
6KB
MD5130b9ac2beec5ada274561105d81ae36
SHA185a4785b34bb151da41bc0dfed380cceb7a29983
SHA2567d99fec08182a5b95d18d1569edaa2c60c2aafbd15a56d8882f22f3b395e6460
SHA512cbf32630bfe48fe6dd0e815f2e9752ca75c066bdfb5f12941f3278883b0530f1736b2d179801afc7ab4680be6ca9976c6e2e3705147d95503ef32cf730194631
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\block-flashsubdoc-digest256.vlpsetFilesize
71KB
MD540165280ff1345b5241ec2a9d1da2af0
SHA1c49f9172a6bba2dc4e91fa97defd161d9e87773e
SHA256f80bdd5341d8b1ee946e344e258ef2d35c3c0bb6b13eb7b3e6a77467dfa8b97f
SHA512b5ec96e5f786de54976de804491aaf01bd79dd48d81ec81e1a9d32157881b0e7690d3608ee18e60e4381291a1c179999f40e0b98f9483519084da268b4904c8e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\content-track-digest256.vlpsetFilesize
15KB
MD59f355ca06a2c5eed2b13ab75dd4ca3d3
SHA116a014268d85c8b1cd476da2cfcf7aef79d5218c
SHA256039695d5ea6e79797e1b2acb4aa95bcbbe3f4c53970abf28c68aef2b13f1a95e
SHA512ace6b46c28c25ce5d87162566a882cf99b4a2512ac5fd9f0168ff9936d316af8652e775ebce8b1fc8b95d33844425da3a4832348115ead078d7b78a0b369b78f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\except-flash-digest256.vlpsetFilesize
101B
MD5c2994d388f8780c87d35c352d9582985
SHA1b4e9ecdf3ecce53f072b7ce9e695ffcc17ea9f76
SHA2567ed09f7d2bd632f70077a4ae4f2bd2f3fb654b03cd72652f51678b0c7d027f25
SHA51260edd83f6e0ff782ab251579e0f3c113d3d5fff7ba7f3a8900cd4fd6bc7271921445e94b53073129db9529f0210750615318348307db650fd11ffaedaeb7bd15
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\except-flashallow-digest256.vlpsetFilesize
69B
MD57194b6bff691a056852a51e2e06ce8fe
SHA10adb901d9e202ee31ce6a8131ff15e5ecca834f7
SHA256cbe2dc6abfe25bead60f4dfaf419fc0f441ff8a8dd4a2febf5553be1cbd90c49
SHA512b0d8240050a25b2ab754e8f260361298d0017e3a938e965a34b6db072380cb6167c4fa5e0c2293b46b1135207ce9242ce1441b77af8b07a3212a49000e8bbd36
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\except-flashsubdoc-digest256.vlpsetFilesize
133B
MD50c0d67875bd75a0227c02dd8529ba01a
SHA12b12efb5e31bdac680b6283e2585eeea096fe73c
SHA256614be0169ec36e67223eb9645a98da66dbfde5dfbb89bb064f428aaeabdd9d97
SHA5128fb01246c4b7b4a2cf0379f931e0cd3ea5a32781078efdc4c4a5ac3bc496697957f6d15a0b6daaf562e48bd1b1ffbafe0583c59962689b030c4c5543cf8e2ce5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\google-trackwhite-digest256.vlpsetFilesize
1.4MB
MD5e54e5b84194eee15e64d2a03f1136bb7
SHA1308413c74a49af1a575bc6f64fea33f9ad2f220d
SHA25607707b589be3dba3bb0bdac67760a2b180ea3531e9d7976b73e4c1d8df9dbb1e
SHA512f3bae1816db808c69871bd1a059236bf57982e90da5706adcc3359a200f1ec2c529be516be629fbdb5e7da8c3ea80000815d99c8c2c347440cacd9237bddd3b7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\mozstd-trackwhite-digest256.vlpsetFilesize
293KB
MD5dbd7544bf04db52719348298521f4ed4
SHA1ab838a83ae023aadba87bcae62093e874393a0e6
SHA256f87c0e78f812bf39363b1974ed20175e907cd6114173db31e1c7243f4d515dfd
SHA5120ef0ba0a594bb019133a133b9edb73901e804c845a66d427686f32a48c9d1ba665623d3fcd10018c2415202fd3f722aa23420598ce892444b4574c108ce4d6e4
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\social-track-digest256.vlpsetFilesize
2KB
MD5399e146c7c24fb3a69525f748f6742ab
SHA15a19c6f96244a65ec44af582956a9085407768a0
SHA25611bddd57f215cf440ef5e41385a618123658be38b03097b547a9ac5220db425e
SHA5123d280f40d78b0ef1b76fb8210f1d59edc5412208058d7f9448e14ff11c4e717505735c161979e2f84c4ccbcf4c4fa13ff3e8200b27ee2bb96e8d1180fca62e5e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\social-tracking-protection-facebook-digest256.vlpsetFilesize
485B
MD5c6e5d0e5cc6cabbb446b625d9a14f3ef
SHA12d46657ed7ddb6f4c295b90aea7c477f2560d4f4
SHA256de974099351ab8e3b4945d3fae34a2d8bf43407921800719256cf29139f516e7
SHA5126e30e2adc27654d3052fbdaa8c4bf6d2ea41687bea67cc80c412c0d07a6174211e633a1aace5629444ba9ab0289af9f56651b5ab9061bcbb820b04debe175098
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\social-tracking-protection-linkedin-digest256.vlpsetFilesize
165B
MD5e28d310df430e7b6d95d9c912fa94e2f
SHA16c54ae3b421f47b73260751c44584d4b1effbb16
SHA2560f6bd075711185f73238b0cd030f84a6fa9ddc17d341a669aadd07b806a86626
SHA5121dc3c42fd79042eb9d17746a6f5c3e46d3bcbf36bda2143b380a02519771c39870cef4e8031e29191505c125c52a73e20c8167e1c26c3458fd9b7c89f231f0ce
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\safebrowsing\social-tracking-protection-twitter-digest256.vlpsetFilesize
261B
MD5dafe2c58eba7740af1a2bad64cef0f54
SHA1f10d56c4c9d035744f46ed60690d7eab35952c27
SHA25616093715575f4b5990d69d92459156f5843134a22135ff93185fbf109d64423d
SHA5125e6e65b2e357e6dabb163496135b0269f4e6f19f230e2f5f51f17c18b3462280f83e48d621747aeb88eca016906acc9d6c05664b3f5d20ac6d90ba0aca41ba4c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\startupCache\scriptCache-child.binFilesize
665KB
MD5e37bdb056937afe9788b22593545af91
SHA1e4457f3c6e21247f868e2186524f5cc22512810a
SHA2562ea03c2023a59bd3381ed405839390b338d23226fbc9fd76c5da106e45a30cda
SHA512a0f007b98655e9cb0cea1190ae0d24abf61649e1155afec9c602ced6b3beea843f12377390a81f4cdf448edd5f39858b5bc9589f37d10cff5f17a42d48ed538b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\startupCache\scriptCache.binFilesize
6.7MB
MD5f44163eac2dbd32078ec8aa42c543907
SHA1f40385e1b25141a0ef3f23f2edd3c43b07bedb3d
SHA256f5c661f4146b474d2940f645425cfccea47964a55b82302ffcfbbf10fdd63d0f
SHA512becdb9db853e4a0e0f3bc8e96204f9c5846c010141ec450122fd31ff1c7115762cac25f750da98c81b3158ca7c1b363ea39f9b1a73531fdca223d7a74a309795
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\startupCache\startupCache.8.littleFilesize
1.6MB
MD564cad1a3c3e69544759aa6a0a3804cda
SHA13dda8a235cd15e6226765689ee409622b4734c3c
SHA256688f2d1b8dae96a12c201c78a1fa347945506e365608e7f481d373660e6f9322
SHA51230dad0962a77b0da6d290bdd0c227e5d14f0416a9c2ec93ff60227d8647269b2ed8dcb6ee89de031d9569f82428f78af15daf6e03ab48f0bd8d129b88f0ced73
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\startupCache\urlCache.binFilesize
1KB
MD5c1c8b7f2df03ebe0a29cd1b520c63606
SHA1eac91fdff61640408b7dd6f0ae3ccf61c13fe794
SHA25626278cd0634599bba79331db97bf3afb47a6eafa721544a29c9e423b59183322
SHA5122cd0fffe1dab670dec7605a3691d6ea855ad23dd9709162b79a0158343c41ce0a1e6ac74648c8627d52a43ddc1e8cb05cbd50340bb5c59a6f8bc437cb93062a2
-
C:\Users\Admin\AppData\Local\Temp\amigo_ldir_5008_13786\amigo_setup.exeFilesize
402KB
MD57924f6ab2fe0ec11701067c1618c89d4
SHA181de81907832dea9a290e0eaef759279e30a7d0f
SHA25617d5755415288240395da7c596e34470cf3bb597e01e9c7d23d2d5ea85cce244
SHA5125f40048071fcbc625ef60582c373d4c65189ca59feabdcb7fd61ac766d6d2d69663f7f01905876d4d2240751c86d2d0ca6d725f9a82b080e8afeac969c104b74
-
C:\Users\Admin\AppData\Local\Temp\amigo_ldir_5008_13786\amigo_setup.exeFilesize
402KB
MD57924f6ab2fe0ec11701067c1618c89d4
SHA181de81907832dea9a290e0eaef759279e30a7d0f
SHA25617d5755415288240395da7c596e34470cf3bb597e01e9c7d23d2d5ea85cce244
SHA5125f40048071fcbc625ef60582c373d4c65189ca59feabdcb7fd61ac766d6d2d69663f7f01905876d4d2240751c86d2d0ca6d725f9a82b080e8afeac969c104b74
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\UK1T0M~1.DEF\cert9.dbFilesize
224KB
MD52f0dd997a30477f66627ca62a4bd1fa0
SHA1169f5886899c479e12188ce83ade292b3c8a488a
SHA2562418ee69b58cde96eaa6b3d28701298a1e5891183ea28fa4645cc9581b7965bb
SHA512260f214a570ab2fb6553f3f6d0feff7e97bc97134a3405f9b261602ae6f4fafe3d1984d3ad69cf7446a8814b9df6273bef69934ef47173fed26a4288d260df72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\SiteSecurityServiceState.txtFilesize
568B
MD563ef4c5948022a7eba6b41c2a53f554d
SHA1db3a84e2b7ee08f74aae6b4f4816eca204f3bb2d
SHA256d50ccb4885f6262af0d321952e152685602e32bc23c57fcf5efcd164b670ba8e
SHA5125b6b59dbccb241b7c5c6a905695973a8ca98f3644e11841cf49428f874b379c4b61686d951b204828e11875f2bfbd92477360739ab12269ed8f7457bec080b6f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\addonStartup.json.lz4Filesize
1KB
MD5bc4bd0071af0574fe57b6756f0b26071
SHA1dfc6af6b87b58391f67679a24c28495503f9e75d
SHA2562f0cb964330decccb1375985d126d6cd2fec171e344cdd6e21026fa9459d8ad3
SHA5129cd3f9140a3beca18114253556281c48e0a2401d8e7bb01b518a0615caf6a1f4a8cece627c00caaf9cb3f7cf3a57a224ec5233682b5b3f8e933619b85488551d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\cookies.sqliteFilesize
512KB
MD5448c3c71d3e19ee36830d0b4488d5bcb
SHA1852b28bc6eb5882795b212cfe1e8b311321dfd1f
SHA256f84de25aeef599e29278900773c71a16026ca2f863cf541d5608c99584583147
SHA512ab9931299c2b6e82eaf77ce27ca70aa32bdcdfe602a09402e873450b86c11a49e43606b308fff7983d21d6ce597f421c27eb14a1532f529f883e15a7bdeb6ee2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\favicons.sqliteFilesize
5.0MB
MD58859662540bef79adee4f32dfc979ba3
SHA1ad7c2271baf5a5e15f04d05fae82d899367125d5
SHA256ca3c230f2573a776082d1ba5972029d769bd17037f1f6e81f92434505670f2d0
SHA5121019327088bc96104c15c915eb4ba87e7f65104666f92a4e3f59161c8c98bc08f98dc9e52e0a14196b51495cf580ef3f636ac341225a94dc5e5fd0073e6201e4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\permissions.sqliteFilesize
96KB
MD588fd9f5480da1a1b7ba33d38f8acaf88
SHA10aa02fd91606c84a38981ee536164859bedf3ef3
SHA25646c8fc9d9ecf049ebdb5db860d5b63f81f5035deeb6e0441ec5b8bc52d5e1248
SHA512d42305fc26a289e32cd3aa93d6bbb2b5d4c2d3b7d0575e607ffb3f56b9972cb0cac4b3e0de0f1942b653c027e6028a4c9619ddd9bbc5cbc0718f7642fb0bdfd6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\places.sqliteFilesize
5.0MB
MD5c5faf57dbab5a87e56f20bea8525691e
SHA1fddad78436b5bae90d73972c23b860c8dd4bfb17
SHA2565048f75a618c45bbafc0f1674c310927cd9e58a6b0fb62eaa405cc7914dd143e
SHA512058fad13fd8726355a915699572d45b76b15da85dfedf91b6531e73132c0372c1a0dfa46322279d8edc09c4159797c4a19b167ba227fa183ced99eca073c304c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\prefs.jsFilesize
6KB
MD52625927693ae0aac402405afb84f2253
SHA1fddedaa8b545425afb319791cb1c4dde9229267a
SHA256bfe4967701a660758c35139f45ae47df28e314ca75077a8bc046951f10ce981c
SHA512100ce17ee5d4362c6e8574bd40547bc6141763c428bb7b62d5193e0c6ef6fcf895d010b1b48ab46fb5f60c9332ab320fcedfdd26868e95594e2484afcffc2678
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\protections.sqliteFilesize
64KB
MD56c050eb6d13675bfeab8bc7f09fd274a
SHA14d14b0ef1884a6b5c0b6860da3ebb8a83b398df7
SHA256b6e55a1dfda381c4356952acb8aebc56c09191e4013ecc4980a847feb511f76e
SHA512b52f418e3247d42cd7274163d1968630657d66380bd243ba8ca5077853949c75aed7a5af8a9425765aa0da501f42d713420f8434a42a3c391cac999144df5e0f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\search.json.mozlz4Filesize
2KB
MD5943e7dcd75583e6b0e5971815ed79384
SHA1935af00a1b5a24e7cf22451f2071e98f4832522e
SHA256de8ed33623f36e268baeed3e44f97ba97b0a4aa541124663b35be8d6c34b1f26
SHA512419dbf1a6dbad43447170f072c55108f140d8006d4f2406f902c0ded76873c740cb257aa66acc61133a8fbe604dd62292bda620ecc1cb0efbc4ce1ca306e241b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\sessionCheckpoints.jsonFilesize
288B
MD5948a7403e323297c6bb8a5c791b42866
SHA188a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA2562fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA51217e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\sessionstore.jsonlz4Filesize
3KB
MD5df9d57a1d6be14bb7ecfb5dd11686b27
SHA12349743e47c87052baefdef9babadaf5a272d169
SHA256fdc5f2d1b0bfa7143d66a188836a0e84e3aad4f1ce55ca6f701b9fa4d9c865ba
SHA512c42d602f5bb1321cf5acf787b95ce5382abf489bdee0b64716039293a8767fa1d979c4557fa21794cd0f66728b488a685ae47dcdfac5d08afeb933eee5fdc760
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqliteFilesize
48KB
MD52649b0b46e8ba3f0c98a4ab8fc1d40ff
SHA1408c085ff88ecd61b57b6b2728ae02bbbc6b5012
SHA2569e1f84f72685ec2514a06f55744d98f30e6ef5a42a89a4e85da92b66420cffec
SHA512bde98c3277b4db34f28220614c7df00c3591b5ad129d9c0f89f27ce7b1381cc14495fc3270be31beb7cc793ba854485e54e173ab54e755ecc7d1523649a4fba3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
3.1MB
MD5212b190937bb48b4ea287abc80463ff0
SHA1f6b159e108cfdc2c0189cc5123931cbffc2a3a37
SHA256f490674cd3fa46f5f6dfec314c094d3a64ebdc63befdcbe8944bf3087324449e
SHA5127429572764ecc1cf1dc08903a56f781b4c7b57f3d7ea151e1abbb2555ae80ba4906b09e1c01bfa0b269022e9b4d26fd36bcc903cea6469070f3a8ebaa916e441
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\webappsstore.sqliteFilesize
96KB
MD577112fbc43fa28cc600b2cb4b144bec3
SHA1afce0049a43b707dc54dcac3f110bf90c12b115d
SHA256d0ccf798e94dbe3a5c8b77f624994922fc24d1e95e5476f0b5fb9e03d5677276
SHA51296620b97a8a41c315f1dfc3e472c716e2d68b6f9aa51853b8ab56ab3a4f3310191f961f962730ffce393a1d9aee0f6b0706d314dc88e74c6c890514577b8420b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk1t0mn4.default-release\xulstore.jsonFilesize
141B
MD51995825c748914809df775643764920f
SHA155c55d77bb712d2d831996344f0a1b3e0b7ff98a
SHA25687835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776
SHA512c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c
-
C:\Users\Admin\Downloads\amigo_setup.exeFilesize
402KB
MD57924f6ab2fe0ec11701067c1618c89d4
SHA181de81907832dea9a290e0eaef759279e30a7d0f
SHA25617d5755415288240395da7c596e34470cf3bb597e01e9c7d23d2d5ea85cce244
SHA5125f40048071fcbc625ef60582c373d4c65189ca59feabdcb7fd61ac766d6d2d69663f7f01905876d4d2240751c86d2d0ca6d725f9a82b080e8afeac969c104b74
-
C:\Users\Admin\Downloads\amigo_setup.exeFilesize
402KB
MD57924f6ab2fe0ec11701067c1618c89d4
SHA181de81907832dea9a290e0eaef759279e30a7d0f
SHA25617d5755415288240395da7c596e34470cf3bb597e01e9c7d23d2d5ea85cce244
SHA5125f40048071fcbc625ef60582c373d4c65189ca59feabdcb7fd61ac766d6d2d69663f7f01905876d4d2240751c86d2d0ca6d725f9a82b080e8afeac969c104b74
-
memory/760-202-0x0000000002890000-0x0000000002990000-memory.dmpFilesize
1024KB
-
memory/760-196-0x0000000002850000-0x00000000029F6000-memory.dmpFilesize
1.6MB
-
memory/760-203-0x0000000002851000-0x000000000291A000-memory.dmpFilesize
804KB
-
memory/760-200-0x0000000002850000-0x00000000029F6000-memory.dmpFilesize
1.6MB
-
memory/760-201-0x0000000002850000-0x00000000029F6000-memory.dmpFilesize
1.6MB
-
memory/760-198-0x000000000291A000-0x00000000029F5000-memory.dmpFilesize
876KB
-
memory/760-186-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/760-187-0x00000000024A0000-0x000000000258B000-memory.dmpFilesize
940KB
-
memory/760-193-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/760-194-0x00000000022C0000-0x00000000023A5000-memory.dmpFilesize
916KB
-
memory/760-195-0x00000000023B0000-0x0000000002494000-memory.dmpFilesize
912KB
-
memory/760-197-0x0000000002690000-0x0000000002840000-memory.dmpFilesize
1.7MB
-
memory/784-281-0x0000000000400000-0x0000000000CCE000-memory.dmpFilesize
8.8MB
-
memory/784-283-0x0000000000400000-0x0000000000CCE000-memory.dmpFilesize
8.8MB
-
memory/784-280-0x0000000000000000-mapping.dmp
-
memory/820-286-0x0000000000400000-0x0000000000CCE000-memory.dmpFilesize
8.8MB
-
memory/820-284-0x0000000000400000-0x0000000000CCE000-memory.dmpFilesize
8.8MB
-
memory/1128-184-0x0000000000B20000-0x0000000000E40000-memory.dmpFilesize
3.1MB
-
memory/1128-183-0x000000000041D0B0-mapping.dmp
-
memory/1364-262-0x000000000294A000-0x0000000002A25000-memory.dmpFilesize
876KB
-
memory/1364-269-0x0000000002881000-0x000000000294A000-memory.dmpFilesize
804KB
-
memory/1364-253-0x0000000000000000-mapping.dmp
-
memory/1364-254-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1364-261-0x0000000002880000-0x0000000002A26000-memory.dmpFilesize
1.6MB
-
memory/1364-264-0x0000000002880000-0x0000000002A26000-memory.dmpFilesize
1.6MB
-
memory/1364-265-0x0000000002880000-0x0000000002A26000-memory.dmpFilesize
1.6MB
-
memory/1364-266-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1364-267-0x00000000026C0000-0x0000000002870000-memory.dmpFilesize
1.7MB
-
memory/1364-255-0x00000000024D0000-0x00000000025BB000-memory.dmpFilesize
940KB
-
memory/1364-268-0x00000000028C0000-0x00000000029C0000-memory.dmpFilesize
1024KB
-
memory/1936-306-0x0000000000000000-mapping.dmp
-
memory/2168-182-0x0000000000B60000-0x0000000000E80000-memory.dmpFilesize
3.1MB
-
memory/2168-181-0x000000000041D0B0-mapping.dmp
-
memory/2308-185-0x0000000000AD0000-0x0000000000B10000-memory.dmpFilesize
256KB
-
memory/2316-279-0x0000000000000000-mapping.dmp
-
memory/2484-270-0x0000000000400000-0x0000000000F89000-memory.dmpFilesize
11.5MB
-
memory/2484-272-0x0000000000400000-0x0000000000F89000-memory.dmpFilesize
11.5MB
-
memory/2484-273-0x0000000000400000-0x0000000000F89000-memory.dmpFilesize
11.5MB
-
memory/2992-219-0x00000000028F0000-0x00000000029F0000-memory.dmpFilesize
1024KB
-
memory/2992-220-0x00000000028B1000-0x000000000297A000-memory.dmpFilesize
804KB
-
memory/2992-205-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2992-204-0x0000000000000000-mapping.dmp
-
memory/2992-206-0x0000000002500000-0x00000000025EB000-memory.dmpFilesize
940KB
-
memory/2992-218-0x00000000026F0000-0x00000000028A0000-memory.dmpFilesize
1.7MB
-
memory/2992-217-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2992-216-0x00000000028B0000-0x0000000002A56000-memory.dmpFilesize
1.6MB
-
memory/2992-215-0x00000000028B0000-0x0000000002A56000-memory.dmpFilesize
1.6MB
-
memory/2992-213-0x000000000297A000-0x0000000002A55000-memory.dmpFilesize
876KB
-
memory/2992-212-0x00000000028B0000-0x0000000002A56000-memory.dmpFilesize
1.6MB
-
memory/3908-278-0x0000000000000000-mapping.dmp
-
memory/4296-236-0x0000000002760000-0x0000000002910000-memory.dmpFilesize
1.7MB
-
memory/4296-235-0x0000000002760000-0x0000000002910000-memory.dmpFilesize
1.7MB
-
memory/4296-234-0x0000000002840000-0x00000000029E6000-memory.dmpFilesize
1.6MB
-
memory/4296-233-0x0000000002840000-0x00000000029E6000-memory.dmpFilesize
1.6MB
-
memory/4296-232-0x0000000002840000-0x00000000029E6000-memory.dmpFilesize
1.6MB
-
memory/4296-231-0x000000000290A000-0x00000000029E5000-memory.dmpFilesize
876KB
-
memory/4296-229-0x00000000021B0000-0x0000000002288000-memory.dmpFilesize
864KB
-
memory/4296-228-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4296-222-0x0000000002570000-0x000000000265B000-memory.dmpFilesize
940KB
-
memory/4296-221-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4772-120-0x0000000000000000-mapping.dmp
-
memory/4776-251-0x0000000002930000-0x0000000002A30000-memory.dmpFilesize
1024KB
-
memory/4776-239-0x0000000002540000-0x000000000262B000-memory.dmpFilesize
940KB
-
memory/4776-252-0x00000000028F1000-0x00000000029BA000-memory.dmpFilesize
804KB
-
memory/4776-238-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4776-250-0x0000000002730000-0x00000000028E0000-memory.dmpFilesize
1.7MB
-
memory/4776-249-0x00000000028F0000-0x0000000002A96000-memory.dmpFilesize
1.6MB
-
memory/4776-248-0x00000000028F0000-0x0000000002A96000-memory.dmpFilesize
1.6MB
-
memory/4776-246-0x00000000029BA000-0x0000000002A95000-memory.dmpFilesize
876KB
-
memory/4776-245-0x00000000028F0000-0x0000000002A96000-memory.dmpFilesize
1.6MB
-
memory/4776-237-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5000-276-0x0000000000000000-mapping.dmp
-
memory/5044-277-0x0000000000000000-mapping.dmp
-
memory/5072-350-0x0000000000000000-mapping.dmp
-
memory/5184-287-0x0000000000000000-mapping.dmp
-
memory/5376-288-0x0000000000300000-0x0000000000308000-memory.dmpFilesize
32KB
-
memory/5524-312-0x0000000000000000-mapping.dmp
-
memory/5676-335-0x0000000000000000-mapping.dmp
-
memory/5864-289-0x0000000000000000-mapping.dmp
-
memory/5876-309-0x0000000000000000-mapping.dmp
-
memory/5928-290-0x0000000000000000-mapping.dmp
-
memory/5932-311-0x0000000000000000-mapping.dmp
-
memory/6148-302-0x00000000674E0000-0x00000000684D9000-memory.dmpFilesize
16.0MB
-
memory/6148-295-0x00000000674E0000-0x00000000684D9000-memory.dmpFilesize
16.0MB
-
memory/6148-291-0x0000000000000000-mapping.dmp
-
memory/6168-297-0x0000000000000000-mapping.dmp
-
memory/6228-293-0x0000000000000000-mapping.dmp
-
memory/6320-298-0x0000000000000000-mapping.dmp
-
memory/6324-294-0x0000000000000000-mapping.dmp
-
memory/6440-337-0x0000000000000000-mapping.dmp
-
memory/6680-303-0x0000000000000000-mapping.dmp
-
memory/6828-310-0x0000000000000000-mapping.dmp
-
memory/6828-314-0x0000000000000000-mapping.dmp
-
memory/6960-358-0x0000000000000000-mapping.dmp
-
memory/6960-359-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/6988-305-0x0000000000000000-mapping.dmp
-
memory/7092-296-0x0000000000000000-mapping.dmp
-
memory/7316-333-0x0000000000000000-mapping.dmp
-
memory/7376-331-0x0000000000000000-mapping.dmp
-
memory/7380-340-0x0000000000000000-mapping.dmp
-
memory/7396-317-0x0000000000000000-mapping.dmp
-
memory/7452-315-0x0000000000000000-mapping.dmp
-
memory/7496-330-0x0000000000000000-mapping.dmp
-
memory/7552-332-0x0000000000000000-mapping.dmp
-
memory/7600-334-0x0000000000000000-mapping.dmp
-
memory/7624-336-0x0000000000000000-mapping.dmp
-
memory/8092-339-0x0000000000000000-mapping.dmp
-
memory/8096-316-0x0000000000000000-mapping.dmp
-
memory/8112-338-0x0000000000000000-mapping.dmp
-
memory/8248-362-0x0000000000000000-mapping.dmp
-
memory/8564-360-0x0000000000000000-mapping.dmp
-
memory/8604-363-0x0000000000000000-mapping.dmp
-
memory/8656-364-0x0000000000000000-mapping.dmp
-
memory/9244-351-0x0000000000000000-mapping.dmp
-
memory/9560-352-0x0000000000000000-mapping.dmp
-
memory/9572-357-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/9912-361-0x0000000000000000-mapping.dmp
-
memory/10040-353-0x0000000000000000-mapping.dmp
-
memory/10260-366-0x0000000000000000-mapping.dmp
-
memory/10320-365-0x0000000000000000-mapping.dmp
-
memory/10404-390-0x0000000000000000-mapping.dmp
-
memory/11688-371-0x0000000000000000-mapping.dmp
-
memory/11804-377-0x0000000000000000-mapping.dmp
-
memory/11844-378-0x0000000000000000-mapping.dmp
-
memory/12060-380-0x0000000000000000-mapping.dmp
-
memory/12248-381-0x0000000000000000-mapping.dmp
-
memory/12424-395-0x0000000000000000-mapping.dmp
-
memory/12748-401-0x0000000000000000-mapping.dmp
-
memory/12860-404-0x0000000000000000-mapping.dmp
-
memory/12944-409-0x0000000000000000-mapping.dmp
-
memory/12976-415-0x0000000000000000-mapping.dmp
-
memory/13512-494-0x0000000000B40000-0x0000000000B58000-memory.dmpFilesize
96KB
-
memory/13512-495-0x0000000009C00000-0x0000000009C38000-memory.dmpFilesize
224KB
-
memory/14680-503-0x0000000005A30000-0x0000000005A8A000-memory.dmpFilesize
360KB
-
memory/14680-510-0x00000000060A0000-0x00000000060A8000-memory.dmpFilesize
32KB
-
memory/14680-500-0x0000000004D90000-0x0000000004DBE000-memory.dmpFilesize
184KB
-
memory/14680-501-0x0000000002330000-0x000000000233A000-memory.dmpFilesize
40KB
-
memory/14680-502-0x0000000002340000-0x000000000234C000-memory.dmpFilesize
48KB
-
memory/14680-498-0x00000000000B0000-0x000000000014E000-memory.dmpFilesize
632KB
-
memory/14680-504-0x00000000059F0000-0x0000000005A02000-memory.dmpFilesize
72KB
-
memory/14680-506-0x0000000005EB0000-0x0000000005ECC000-memory.dmpFilesize
112KB
-
memory/14680-507-0x0000000005EA0000-0x0000000005EAE000-memory.dmpFilesize
56KB
-
memory/14680-508-0x00000000060F0000-0x0000000006156000-memory.dmpFilesize
408KB
-
memory/14680-505-0x0000000005A10000-0x0000000005A28000-memory.dmpFilesize
96KB
-
memory/14680-509-0x0000000006080000-0x000000000608A000-memory.dmpFilesize
40KB
-
memory/14680-511-0x00000000060B0000-0x00000000060C4000-memory.dmpFilesize
80KB
-
memory/14680-499-0x0000000000A10000-0x0000000000A1A000-memory.dmpFilesize
40KB
-
memory/14680-512-0x00000000060E0000-0x00000000060E8000-memory.dmpFilesize
32KB
-
memory/14680-513-0x00000000069E0000-0x00000000069E8000-memory.dmpFilesize
32KB
-
memory/14680-514-0x0000000006C90000-0x0000000006CA2000-memory.dmpFilesize
72KB
-
memory/14680-515-0x0000000005AB0000-0x0000000005ACC000-memory.dmpFilesize
112KB
-
memory/14680-516-0x00000000072C0000-0x00000000078C2000-memory.dmpFilesize
6.0MB
-
memory/14680-517-0x0000000005B10000-0x0000000005B4E000-memory.dmpFilesize
248KB
-
memory/14680-518-0x0000000005AE0000-0x0000000005AE8000-memory.dmpFilesize
32KB
-
memory/14680-519-0x0000000005AF0000-0x0000000005AF8000-memory.dmpFilesize
32KB
-
memory/14680-520-0x000000000B980000-0x000000000BE7E000-memory.dmpFilesize
5.0MB
-
memory/14680-521-0x000000000A7D0000-0x000000000A862000-memory.dmpFilesize
584KB
-
memory/14680-522-0x000000000D600000-0x000000000D63E000-memory.dmpFilesize
248KB
-
memory/14680-523-0x000000000D350000-0x000000000D378000-memory.dmpFilesize
160KB
-
memory/14680-524-0x000000000D380000-0x000000000D3AA000-memory.dmpFilesize
168KB
-
memory/14680-525-0x000000000D3B0000-0x000000000D3C8000-memory.dmpFilesize
96KB