hxxps://goo[.]su/5WBEji

Resubmissions

10-03-2024 06:47

240310-hkqc9aef53 9

10-03-2024 06:41

10-03-2024 06:40

10-03-2024 06:37

10-03-2024 06:31

Analysis

max time kernel
178s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://goo.su/5WBEji

Score

9^/10

evasion ransomware spyware stealer themida trojan upx

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1 пробел 2 ентер.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1 пробел 2 ентер.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1 пробел 2 ентер.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1 пробел 2 ентер.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1 пробел 2 ентер.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1 пробел 2 ентер.exe

Executes dropped EXE 58 IoCs

Processes:

ОСНОВА 1.exeVolumeid64.exeGetInput.execolorecho-vc10-x86_64.exebatbox.exebatbox.exe1 пробел 2 ентер.exebatbox.exebatbox.exedevice_cleanup.exeapex.exelgsvcl.exeextd.exeos_cleaner_two.exeextd.exeextd.exeextd.exeload.exeos_cleaner_one.exeos_cleaner_one.exepublic.exepublic.exestruct.exelgsvcl.exestruct.exelgsvcl.exevalorant_cleaner.exevalorant_cleaner.exeОСНОВА 2.exe

pid	process
3828	ОСНОВА 1.exe
2592	Volumeid64.exe
5024	GetInput.exe
2744	colorecho-vc10-x86_64.exe
4720	batbox.exe
2196	batbox.exe
4292	1 пробел 2 ентер.exe
1172	batbox.exe
1448	batbox.exe
3796	device_cleanup.exe
4248	apex.exe
2872	lgsvcl.exe
2112	extd.exe
2988	os_cleaner_two.exe
4100	extd.exe
2624	extd.exe
5116	extd.exe
1560	load.exe
4236	os_cleaner_one.exe
4752	os_cleaner_one.exe
4268	public.exe
2592	public.exe
4256	struct.exe
2748	lgsvcl.exe
3272	struct.exe
5072	lgsvcl.exe
4440	valorant_cleaner.exe
388	valorant_cleaner.exe
680	ОСНОВА 2.exe
3828	ОСНОВА 1.exe
2592	Volumeid64.exe
5024	GetInput.exe
2744	colorecho-vc10-x86_64.exe
4720	batbox.exe
2196	batbox.exe
4292	1 пробел 2 ентер.exe
1172	batbox.exe
1448	batbox.exe
3796	device_cleanup.exe
4248	apex.exe
2872	lgsvcl.exe
2112	extd.exe
2988	os_cleaner_two.exe
4100	extd.exe
2624	extd.exe
5116	extd.exe
1560	load.exe
4236	os_cleaner_one.exe
4752	os_cleaner_one.exe
4268	public.exe
2592	public.exe
4256	struct.exe
2748	lgsvcl.exe
3272	struct.exe
5072	lgsvcl.exe
4440	valorant_cleaner.exe
388	valorant_cleaner.exe
680	ОСНОВА 2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/4292-540-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-543-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-544-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-545-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-546-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-557-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-540-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-543-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-544-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-545-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-546-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida
behavioral1/memory/4292-557-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp	themida

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2112-561-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2112-563-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4100-580-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2624-585-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2624-586-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/5116-588-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/5116-589-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2020-638-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2020-639-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4436-644-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4436-645-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4744-646-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4744-647-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2112-561-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2112-563-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4100-580-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2624-585-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2624-586-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/5116-588-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/5116-589-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2020-638-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2020-639-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4436-644-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4436-645-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4744-646-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4744-647-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1 пробел 2 ентер.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1 пробел 2 ентер.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1 пробел 2 ентер.exe

pid process

4292 1 пробел 2 ентер.exe
4292 1 пробел 2 ентер.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4224 timeout.exe
2336 timeout.exe

pid	process
4292	1 пробел 2 ентер.exe
4292	1 пробел 2 ентер.exe

pid	process
4224	timeout.exe
2336	timeout.exe

Enumerates system info in registry 2 TTPs 17 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

os_cleaner_one.exeos_cleaner_one.exechrome.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	os_cleaner_one.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	os_cleaner_one.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	os_cleaner_one.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	os_cleaner_one.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	os_cleaner_one.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "14722ed4-37ed73dc-1"	os_cleaner_one.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	os_cleaner_one.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "be50927c-04fd4f88-4"	os_cleaner_one.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	os_cleaner_one.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	os_cleaner_one.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	os_cleaner_one.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	os_cleaner_one.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	os_cleaner_one.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	os_cleaner_one.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

3860 vssadmin.exe
3784 vssadmin.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4312 taskkill.exe
2176 taskkill.exe
3064 taskkill.exe

pid	process
3860	vssadmin.exe
3784	vssadmin.exe

pid	process
4312	taskkill.exe
2176	taskkill.exe
3064	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

os_cleaner_one.exeos_cleaner_one.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 0b217e378e35adad	os_cleaner_one.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = a6080b79fc78a91a	os_cleaner_one.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133545268928851258"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

notepad.exenotepad.exeNOTEPAD.EXE

pid process

4320 notepad.exe
988 notepad.exe
3912 NOTEPAD.EXE
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2708 PING.EXE

pid	process
4320	notepad.exe
988	notepad.exe
3912	NOTEPAD.EXE

pid	process
2708	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

chrome.exepowershell.exeos_cleaner_one.exeos_cleaner_one.exe

pid	process
1020	chrome.exe
1020	chrome.exe
3728	powershell.exe
3728	powershell.exe
4236	os_cleaner_one.exe
4236	os_cleaner_one.exe
4752	os_cleaner_one.exe
4752	os_cleaner_one.exe
1020	chrome.exe
1020	chrome.exe
3728	powershell.exe
3728	powershell.exe
4236	os_cleaner_one.exe
4236	os_cleaner_one.exe
4752	os_cleaner_one.exe
4752	os_cleaner_one.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exe

pid process

3940 7zFM.exe
3940 7zFM.exe

pid	process
3940	7zFM.exe
3940	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exe

pid	process
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

ОСНОВА 1.exe1 пробел 2 ентер.exeOpenWith.exeapex.exeos_cleaner_two.exeextd.exeextd.exeextd.exeload.exeos_cleaner_one.exeos_cleaner_one.exestruct.exestruct.exeОСНОВА 2.exe

pid	process
3828	ОСНОВА 1.exe
4292	1 пробел 2 ентер.exe
664	OpenWith.exe
4248	apex.exe
2988	os_cleaner_two.exe
4100	extd.exe
2624	extd.exe
5116	extd.exe
1560	load.exe
4236	os_cleaner_one.exe
4752	os_cleaner_one.exe
4256	struct.exe
3272	struct.exe
680	ОСНОВА 2.exe
3828	ОСНОВА 1.exe
4292	1 пробел 2 ентер.exe
664	OpenWith.exe
4248	apex.exe
2988	os_cleaner_two.exe
4100	extd.exe
2624	extd.exe
5116	extd.exe
1560	load.exe
4236	os_cleaner_one.exe
4752	os_cleaner_one.exe
4256	struct.exe
3272	struct.exe
680	ОСНОВА 2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1020 wrote to memory of 4848	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4848	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 3104	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4856	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4856	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe
PID 1020 wrote to memory of 4100	1020	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://goo.su/5WBEji
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff62169758,0x7fff62169768,0x7fff62169778
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:2
2⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:1
2⤵
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:1
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5096 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:1
2⤵
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:8
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:8
2⤵
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5296 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:1
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2860 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:1
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:8
2⤵
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2928 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:1
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2884 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:1
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2936 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:1
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3140 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:1
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:8
2⤵
PID:4432

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ZelenkaBannedBoys.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6612 --field-trial-handle=1892,i,17326530592518200353,17480857766484627883,131072 /prefetch:8
2⤵
PID:1492

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3968

C:\Users\Admin\Desktop\ZelenkaBannedBoys\ОСНОВА 1.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\ОСНОВА 1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2486.tmp\2487.tmp\2488.bat "C:\Users\Admin\Desktop\ZelenkaBannedBoys\ОСНОВА 1.exe""
2⤵
PID:3268

C:\Windows\system32\mode.com
mode 80,20
3⤵
PID:4116

C:\Windows\system32\PING.EXE
ping localhost
3⤵
- Runs ping.exe
PID:2708

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Volumeid64.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Volumeid64.exe"
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\ZelenkaBannedBoys\hwid.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:4320

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\ZelenkaBannedBoys\hwid.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\ZelenkaBannedBoys\hwid.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ZelenkaBannedBoys\Getlen.bat"
1⤵
PID:2872

C:\Users\Admin\Desktop\ZelenkaBannedBoys\GetInput.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\GetInput.exe"
1⤵
- Executes dropped EXE
PID:5024

C:\Users\Admin\Desktop\ZelenkaBannedBoys\colorecho-vc10-x86_64.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\colorecho-vc10-x86_64.exe"
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ZelenkaBannedBoys\Box.bat" "
1⤵
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ZelenkaBannedBoys\Button.bat" "
1⤵
PID:5116

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ZelenkaBannedBoys\Button.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3912

C:\Users\Admin\Desktop\ZelenkaBannedBoys\batbox.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\batbox.exe"
1⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\Desktop\ZelenkaBannedBoys\batbox.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\batbox.exe"
1⤵
- Executes dropped EXE
PID:2196

C:\Users\Admin\Desktop\ZelenkaBannedBoys\1 пробел 2 ентер.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\1 пробел 2 ентер.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
2⤵
PID:4052

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
2⤵
PID:1180

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
2⤵
PID:2628

C:\Windows\system32\taskkill.exe
taskkill /f /im Battle.net.exe
3⤵
- Kills process with taskkill
PID:3064

C:\Users\Admin\Desktop\ZelenkaBannedBoys\batbox.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\batbox.exe"
1⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\Desktop\ZelenkaBannedBoys\batbox.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\batbox.exe"
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ZelenkaBannedBoys\Box.bat" "
1⤵
PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ZelenkaBannedBoys\Box.bat" "
1⤵
PID:2828

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:664

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\device_cleanup.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\device_cleanup.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\apex.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\apex.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4248

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DBC0.tmp\DBC1.tmp\DBC2.bat "C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\apex.exe""
2⤵
PID:4232

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\lgsvcl.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\lgsvcl.exe"
1⤵
- Executes dropped EXE
PID:2872

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\extd.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\extd.exe"
1⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\os_cleaner_two.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\os_cleaner_two.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EA08.tmp\EA09.tmp\EA0A.bat "C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\os_cleaner_two.exe""
2⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\EA08.tmp\EA09.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\EA08.tmp\EA09.tmp\extd.exe "/getconsoletitle" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4100

C:\Users\Admin\AppData\Local\Temp\EA08.tmp\EA09.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\EA08.tmp\EA09.tmp\extd.exe "/resizewindow" "C:\Users\Admin\Desktop\ZelenkaBannedBoys\?????? 2\os_cleaner_two.exe" "0" "0" "1129" "520" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Users\Admin\AppData\Local\Temp\EA08.tmp\EA09.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\EA08.tmp\EA09.tmp\extd.exe "/center" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Users\Admin\AppData\Roaming\dump\load.exe
"load.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EBCD.tmp\EBCE.tmp\EBCF.bat C:\Users\Admin\AppData\Roaming\dump\load.exe"
4⤵
PID:4652

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\os_cleaner_one.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\os_cleaner_one.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
2⤵
PID:4572

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
2⤵
PID:2280

C:\Windows\system32\net.exe
net stop winmgmt /Y
3⤵
PID:4516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /Y
4⤵
PID:3288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2356

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\os_cleaner_one.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\os_cleaner_one.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
2⤵
PID:840

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
2⤵
PID:4104

C:\Windows\system32\net.exe
net stop winmgmt /Y
3⤵
PID:3352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /Y
4⤵
PID:1832

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\public.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\public.exe"
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color 0a
2⤵
PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\VALORANT
2⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\Riot Games
2⤵
PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\ProgramData\Riot Games
2⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\Riot Games
2⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Game valorant.live
2⤵
PID:1360

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Game valorant.live
3⤵
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\system(_xor_\CurrentControlSet\Services\vgk\Security /f
2⤵
PID:3212

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\system(_xor_\CurrentControlSet\Services\vgk\Security /f
3⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\system(_xor_\CurrentControlSet\Services\vgc\Security /f
2⤵
PID:2092

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\system(_xor_\CurrentControlSet\Services\vgc\Security /f
3⤵
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard /f
2⤵
PID:3048

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard /f
3⤵
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT - Win64 - Shipping.ex /f
2⤵
PID:3220

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT - Win64 - Shipping.ex /f
3⤵
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
2⤵
PID:1708

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
3⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\riotclient /f
2⤵
PID:296

C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\riotclient /f
3⤵
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Users\%username%\AppData\Local\VALORANT
2⤵
PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Riot Games
2⤵
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\ProgramData\Riot Games
2⤵
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\ProgramData\Application Data\Riot Games
2⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Program Files\Riot Vangard
2⤵
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Program Files\Riot Games
2⤵
PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Documents and Settings\All Users\Riot Games
2⤵
PID:4508

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\public.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\public.exe"
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color 0a
2⤵
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\VALORANT
2⤵
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\Riot Games
2⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\ProgramData\Riot Games
2⤵
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\Riot Games
2⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Game valorant.live
2⤵
PID:3476

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Game valorant.live
3⤵
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\system(_xor_\CurrentControlSet\Services\vgk\Security /f
2⤵
PID:3036

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\system(_xor_\CurrentControlSet\Services\vgk\Security /f
3⤵
PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\system(_xor_\CurrentControlSet\Services\vgc\Security /f
2⤵
PID:872

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\system(_xor_\CurrentControlSet\Services\vgc\Security /f
3⤵
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard /f
2⤵
PID:1140

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard /f
3⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT - Win64 - Shipping.ex /f
2⤵
PID:2424

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT - Win64 - Shipping.ex /f
3⤵
PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
2⤵
PID:2512

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
3⤵
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\riotclient /f
2⤵
PID:4404

C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\riotclient /f
3⤵
PID:4904

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\struct.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\struct.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FB6D.tmp\FB6E.tmp\FB6F.bat "C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\struct.exe""
2⤵
PID:2860

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\lgsvcl.exe
lgsvcl.exe -prv 25 -scv 4 -drvn edrv -map C:\Windows\Fonts\4138.sys
3⤵
- Executes dropped EXE
PID:2748

C:\Windows\system32\timeout.exe
timeout /t 10
3⤵
- Delays execution with timeout.exe
PID:2336

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\struct.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\struct.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FCD5.tmp\FCD6.tmp\FCD7.bat "C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\struct.exe""
2⤵
PID:3520

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\lgsvcl.exe
lgsvcl.exe -prv 25 -scv 4 -drvn edrv -map C:\Windows\Fonts\4138.sys
3⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\timeout.exe
timeout /t 10
3⤵
- Delays execution with timeout.exe
PID:4224

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\valorant_cleaner.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\valorant_cleaner.exe"
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\VALORANT
2⤵
PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\Riot Games
2⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\ProgramData\Riot Games
2⤵
PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\Riot Games
2⤵
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Game valorant.live
2⤵
PID:1520

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Game valorant.live
3⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\system(XorStr\CurrentControlSet\Services\vgk\Security /f
2⤵
PID:5016

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\system(XorStr\CurrentControlSet\Services\vgk\Security /f
3⤵
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\system(XorStr\CurrentControlSet\Services\vgc\Security /f
2⤵
PID:4064

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\system(XorStr\CurrentControlSet\Services\vgc\Security /f
3⤵
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard /f
2⤵
PID:1596

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard /f
3⤵
PID:292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT - Win64 - Shipping.ex /f
2⤵
PID:300

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT - Win64 - Shipping.ex /f
3⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
2⤵
PID:4796

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
3⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\riotclient /f
2⤵
PID:1884

C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\riotclient /f
3⤵
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Users\%username%\AppData\Local\VALORANT
2⤵
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Riot Games
2⤵
PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\ProgramData\Riot Games
2⤵
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\ProgramData\Application Data\Riot Games
2⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Program Files\Riot Vangard
2⤵
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Program Files\Riot Games
2⤵
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Documents and Settings\All Users\Riot Games
2⤵
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Riot Games
2⤵
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Users\%username%\Local Settings\Riot Games
2⤵
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /q C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Riot Games\VALORANT.lnk
2⤵
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Riot Games\VALORANT\live\Manifest_NonFSFiles_Win64.txt /f /q
2⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Riot Games\VALORANT\live\Engine\Binaries\ThirdParty\CEF3\Win64\icdtl.dat /f /q
2⤵
PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Riot Games\Riot Client\X\natives_blob.bin /f /q
2⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Riot Games\Riot Client\X\icdtl.dat /f /q
2⤵
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Riot Games\Riot Client\X\Plgins\plgin - manifest.json /f /q
2⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Windows\vgkbootstats.dat
2⤵
PID:4648

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\valorant_cleaner.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\valorant_cleaner.exe"
1⤵
- Executes dropped EXE
PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\VALORANT
2⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\Riot Games
2⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\ProgramData\Riot Games
2⤵
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Users\%username%\AppData\Local\Riot Games
2⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Game valorant.live
2⤵
PID:3100

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Game valorant.live
3⤵
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\system(XorStr\CurrentControlSet\Services\vgk\Security /f
2⤵
PID:4768

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\system(XorStr\CurrentControlSet\Services\vgk\Security /f
3⤵
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\system(XorStr\CurrentControlSet\Services\vgc\Security /f
2⤵
PID:468

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\system(XorStr\CurrentControlSet\Services\vgc\Security /f
3⤵
PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard /f
2⤵
PID:3444

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard /f
3⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT - Win64 - Shipping.ex /f
2⤵
PID:768

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT - Win64 - Shipping.ex /f
3⤵
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
2⤵
PID:3656

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
3⤵
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\riotclient /f
2⤵
PID:1040

C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\riotclient /f
3⤵
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Users\%username%\AppData\Local\VALORANT
2⤵
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Riot Games
2⤵
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\ProgramData\Riot Games
2⤵
PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\ProgramData\Application Data\Riot Games
2⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Program Files\Riot Vangard
2⤵
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Program Files\Riot Games
2⤵
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Documents and Settings\All Users\Riot Games
2⤵
PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Riot Games
2⤵
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q C:\Users\%username%\Local Settings\Riot Games
2⤵
PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /q C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Riot Games\VALORANT.lnk
2⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Riot Games\VALORANT\live\Manifest_NonFSFiles_Win64.txt /f /q
2⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Riot Games\VALORANT\live\Engine\Binaries\ThirdParty\CEF3\Win64\icdtl.dat /f /q
2⤵
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Riot Games\Riot Client\X\natives_blob.bin /f /q
2⤵
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Riot Games\Riot Client\X\icdtl.dat /f /q
2⤵
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Riot Games\Riot Client\X\Plgins\plgin - manifest.json /f /q
2⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /q C:\Windows\vgkbootstats.dat
2⤵
PID:288

C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\ОСНОВА 2.exe
"C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\ОСНОВА 2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:680

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\541.tmp\542.tmp\543.bat "C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\ОСНОВА 2.exe""
2⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\541.tmp\542.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\541.tmp\542.tmp\extd.exe "/getconsoletitle" "" "" "" "" "" "" "" ""
3⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\541.tmp\542.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\541.tmp\542.tmp\extd.exe "/resizewindow" "C:\Users\Admin\Desktop\ZelenkaBannedBoys\?????? 2\?????? 2.exe" "0" "0" "1129" "520" "" "" ""
3⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\541.tmp\542.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\541.tmp\542.tmp\extd.exe "/center" "" "" "" "" "" "" "" ""
3⤵
PID:4744

C:\Users\Admin\AppData\Roaming\dump\load.exe
"load.exe"
3⤵
PID:296

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\773.tmp\774.tmp\775.bat C:\Users\Admin\AppData\Roaming\dump\load.exe"
4⤵
PID:1120

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /SM "System manufacturer"
5⤵
PID:1488

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /SP "System Product Name"
5⤵
PID:2016

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /SV "System Version"
5⤵
PID:1836

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /SS "System Serial Number"
5⤵
PID:2092

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /SU "AUTO"
5⤵
PID:3860

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /SK "SKU"
5⤵
PID:2588

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /SF "To be filled by O.E.M."
5⤵
PID:2012

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /BS 253165089837
5⤵
PID:3488

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /BT "Default string"
5⤵
PID:3220

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /BLC "Default string"
5⤵
PID:1996

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /CM "Default string"
5⤵
PID:3248

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /CV "Default string"
5⤵
PID:468

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /CS "Default string"
5⤵
PID:2960

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /CA "Default string"
5⤵
PID:3968

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /CSK "Default string"
5⤵
PID:3036

C:\Users\Admin\AppData\Roaming\dump\tool.exe
tool.exe /PSN 104641315631410
5⤵
PID:1648

C:\Users\Admin\AppData\Roaming\dump\mac.exe
"mac.exe"
3⤵
PID:3620

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EE6.tmp\EE7.tmp\EE8.bat C:\Users\Admin\AppData\Roaming\dump\mac.exe"
4⤵
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
5⤵
PID:768

C:\Windows\System32\Wbem\WMIC.exe
wmic nic where physicaladapter=true get deviceid
6⤵
PID:1140

C:\Windows\system32\findstr.exe
findstr [0-9]
6⤵
PID:1180

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
5⤵
PID:2868

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
5⤵
PID:400

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
5⤵
PID:1080

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 56783A26172B /f
5⤵
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
5⤵
PID:2940

C:\Windows\System32\Wbem\WMIC.exe
wmic nic where physicaladapter=true get deviceid
6⤵
PID:1152

C:\Windows\system32\findstr.exe
findstr [0-9]
6⤵
PID:3924

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
5⤵
PID:3104

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
5⤵
PID:2020

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
5⤵
PID:2332

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
5⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
5⤵
PID:4928

C:\Windows\System32\Wbem\WMIC.exe
wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
6⤵
PID:5116

C:\Windows\system32\netsh.exe
netsh interface set interface name="Ethernet" disable
5⤵
PID:3848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
bc16ebe41a9fc2938c4060992a92b0af

SHA1
1719af3e339b187d984a76437eb80cae5dc50e6f

SHA256
5874dbe9583546eb24cfb2b237d58f97ef186cd72866dd224df82e62817744ae

SHA512
c78d4be86a3f35ae07375b37fd39f869d317a6ec6699d7673731e6f9b255d7bcbfacf58ca71c3f51baac1e2b2bbee7da58603efa5bd51a31162c481aab7a912c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
c525209571ec9d139a27b1ae8d5aadf8

SHA1
3e8a49db58aa9e8a65ea9b67982da70ba42aa195

SHA256
188a30ac2fe6afd7c0f3b4958924f68241e30b418c6f180782962a1894b6da09

SHA512
0f13b1c7d0a2616706c3a76f77a6346607b04e3d526de6dee163f3b4a2275b92568d9b3533acfe6839f16fdbd65a5f616c3350ba6a905e908cb7855b2b171cf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
180edcc98e08bfa89846d14621bbffd3

SHA1
571ab2292540b90fa3556c43d807cdc95074f4da

SHA256
c67ba0655bbb1dc8075a1604c4ba86d09f965ce8313e5d79be6c5525bd44df47

SHA512
73740d56f6dda2eb2e31c8752789b5faf0cd45c962e3671210aa8e6096aa0f77f8c405aa660706dbb055dc606dcf23cf09a16ca285416ac6d160bdd2aaa888fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\Paths\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
9a0b695eaf36131a301fb29eee1077bc

SHA1
5a78547d4eb0e19c09bcb25214447a05806e0664

SHA256
d0f0fcd248c573a046c45f78bb41e76370d5a6f1666a8787aa43a7b2182e276c

SHA512
e56295ded7779bb5d72af7647db0be473042a7916f49963f637d2fc47ac5d43c7f86d33e6f4f872b0a12ccb9497d7b11b34ddb8da768599c1105bd42f3b7d153

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
10KB

MD5
52afde191a956e3d677ab143d3930c77

SHA1
4dac0c79dd0a911f4d0ffb7d5f4b1ff8ca5f8af0

SHA256
5a30eb5946f063c811a15531ec3edaf80cba598db8e86ad207abc907a9e0bc2a

SHA512
6a82bf26a91652621dd0f9ea75c8880313a55774946314390a78093e13cd1327d30c82f4b596bb245175b423787a5751b1c888c1be7761bd02010dcb17f3db5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
cdc4eca731d54b8d8dff0f9e036d36fa

SHA1
542839b507f77854b4d03150b2f283de6f6953c2

SHA256
391e75c1edc15548f36770f73187e039cb90acd2065b0523349b6c70ab888960

SHA512
1e9982b6c68425907f422126dec43539d6efc1126fdb1b739540f5a1cbd9137adb690ba92d9fed155dcf602d3ef08190863dbcd63abeb0977445d742a2aa7235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
95ab2ce34c73c9a916b7b976a5a7c8de

SHA1
22a3950022bc28a20b998731012c927e7d35c13d

SHA256
751e667edcd09ac3f2d1e2c9c15a78dd50bce40dcc58614433febcd9e83ac6b6

SHA512
db95146652420955b3145765ab7b4c58d544ca2b48fc7e9f7226cd9ccb6cd5b6e7e317eaf432c138cf6c9583c2210c10660f0d03de2eda8ac9d1dd50325c4006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4bee0c237c09cbdc94bbb146cc6d387a

SHA1
0295d7cc4f1cb71bca4aeddc8be55a8075dd64c0

SHA256
54da9a730d17adfc8801d455b18b16cea8b063235ab26d230a1b1c438bd940a9

SHA512
e27d746df1f19818cc1089ca07644a8ae7ef2bd817850ad50ae446d03a9953dedb6be55056208977aa331c7280a27a709143ef19fbc0418e1439833d97816ab1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b147af5bb6edd0925b0ed2b00245de31

SHA1
e583b39e48ff2803cec11d57559696816095c04e

SHA256
568894b4aca57cae950a0f6ed90ab47432523eab95771fe9d106419acc261bd3

SHA512
ad266516e6cb23ec0dfc717edb31e6fb38942313ca07373e0ca6581c28a155a39baa31de5d48720d4677eb44d9f1c7f8ef3527bb7781df310cc18cb2faa9ccc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
94e707fb6d1ac63946623cdcfbbefbce

SHA1
aa3a9103fd83d67ed543648cc845c9566e0b8735

SHA256
eaf802b5371e294195064714d4e0d2258c69d2ec8c50a42ffc4b2783909f880b

SHA512
581ac07b23b48c36150d03a4fff46e8c530b67ab27e999dda4921dae07e83ad0ecfddd3c9c2188b04acfdda8b5bcd5411d0733bac19bad5cad1a5073caab7191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4a2c78eaf31722746159667e0c77a6e8

SHA1
b62e7ea3accc59bed636b8d8da2ad46aa81086bf

SHA256
6ffaa2ba7e136e1aa85d0a5041e2c973ff423094170bfa02c6f0e00b03413302

SHA512
65100a17931704942b84969b362c35c24334817d1e9e1d6d792aa4629426996c887e142d8314ee54626789a92be7b9ee187e53defd995bcbf72475467a21de23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6f067b27b58fa28f476f782273a759ed

SHA1
3a26a0f7f14c9e88832475df9bc4937b7c900e23

SHA256
f0e9b86929368c83ca37080411e842421cb64d8e747a4ec825108e1c99a103d8

SHA512
8724a8536f41ec7722a2328d5b9700ad9d38b67a31be8fad6a8297fa6e481fd7b25cd26fbeec3efc3c8ad83c0a91cff03efe807e3153a56505b38fb7e3f680a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
f4bac6156e36559879e041f087017c29

SHA1
3b981d803fb3f52f7916a80345815c37303250b0

SHA256
a2e3dcfdb9ffaf4ec14e2b8f3d21ea3df5464b4848d88bf0e98005a24144bb18

SHA512
843e8d1429d73c7091e11c78c366d6a2671bd93bf3c0b40fb618f4f9211859eea1d842f9b7cea780ba41e289fdc9c0a475e4c2b72dd6eb84aa8507d676a780c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
d737fb5fb226f4bffcdb29ef276da7e8

SHA1
dd7d7a0613a91b1ef3268f66be37a0f67a874fba

SHA256
3296526e3fa3c8f6898313ad907eda96dfc6f9b00bb3345465cb3e43ac5c910d

SHA512
0362bd6f44218973fc7bde60457f27467d1ad83c282a754de30fd88accc4eb9d1601f28bb6a9559ccacb20557da3e11f9bd2413b9a067276198a6ad566a8332f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
e7d489b5077a0c208e392a22498e0e34

SHA1
085ebbbabc88ad07002d22ac967c73280927253e

SHA256
00c115abe8e22a729dc80965dece68b54615a95d4ab4d61ee73ad2a21d3eb417

SHA512
bf0e5eff2a3f3b29a0d1ccd90a5e92b9991edbc2d1928b573c8e776d717ab85f4729100e35ad6d4437024a64351c45e24661899feb6b149408245dffb9ee91a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
117KB

MD5
b8898fdca3bd35a112dd6b53b1a8d89b

SHA1
abc4804a16e86b137a19f7f9711af2bdd26a4273

SHA256
17ac059322fc24afed40062cd1bfa8ca0340e918defea0948424c44edaa086f1

SHA512
2b6ca0dc0562e1122062d342bf556ff64d38128e357353fd0f85a962874fab0e191b64e7987f1ecd9593d78ea116419c2684dc4be7ecc8b14b9dca6095484400

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
110KB

MD5
06fe9dd66e1078af188fe5d127d39475

SHA1
1740d9efa9301283151d6cf1e85f16930cdc4525

SHA256
8a0b3a96522fb4833bf5346dce69f7dbba51f97dd0761bb517e6f4c087843439

SHA512
3801e176f684099924da4e377c719df54dd2112241b0018ea7854064ab060a014b5f83f64f24ad97ea2586d1bb7c811e990e669181f7e3f49f4192c8fb78f2a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580c30.TMP
Filesize
104KB

MD5
ecdc72f18550adfac3b1a7aee8567aaf

SHA1
f2716d42231d8748bd69777a1b92a86787d41c5e

SHA256
31db2ac2e2c060e17c2e86cc63b8b72a6ad0f55d58544d286c52edb4d21d66f5

SHA512
2fbe68ab4dc2d32ab524e1f4f3c96c6d18f7a3dd22264bbedf46ccf94dd94164ca33ea2a43728c230f91e74e5411bb20346c830111c4d23153285ebb16ed1b86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2486.tmp\2487.tmp\2488.bat
Filesize
17KB

MD5
c5b9f5f77bee19857e4331300d080e3b

SHA1
50f5d39311cf12636d9ebe58aa4464578995f112

SHA256
a689ce9bdcdbc32ad39cbab6349453847a71a386cb4c4be4ffe2daff57fce52d

SHA512
ecb86677eb5bb0c0dc8b7c1d351cd7409772699393ebce902fcaa05442d46da112cfe8ca2215794ae2308c573d56fd51fd8920c488ff20c7b1c96cd7fced1dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBC0.tmp\DBC1.tmp\DBC2.bat
Filesize
82KB

MD5
37b6ffb1b7da76ec3b126deb3b1b7d72

SHA1
0f2a2df7b897821323a050461d771498342291e0

SHA256
685da5ca97a506bae2b9be904b12fd9593e833aa9f32bc75a71c3cf2e4e87932

SHA512
e9f58969ccb5887f381a1d8814377bcbbd922e3ad7779ea27ab0ce3e44c5aa749c189fd7eed6ed846590f03df3bfd20b5d0b699573ac938543b8847785a20cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA08.tmp\EA09.tmp\EA0A.bat
Filesize
674B

MD5
3734bcd165c05aa7c1859cd7d60caeba

SHA1
698ce6f6f90bd56692dd6d83634098b15bbcb48f

SHA256
9a2bb014711320d01312fce0b3e4edffe6f45bb2ce13321a66a3b8ed251dd576

SHA512
1a83037ad41c9add2b0586595eb402de89932c6119dcb5f4f6708db1335c46fbc09fb16608fc5a4661b7161d88be8fe97304f14b632d2e3dc7262902c13ac852

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBCD.tmp\EBCE.tmp\EBCF.bat
Filesize
545B

MD5
a8d805349e3718d67fb16fea2e860186

SHA1
394704bef9cf3580aae4ea83f7e698d38ccd5a53

SHA256
f5662df0ec4b20f0503ca6a1ffb0180f36e28127e00e565546360550585c76b6

SHA512
37546bd2430906c1bb7096f1d67ce0b9e71bd69e902a028f590df8637af9c57aa4b77a517f2670b8c8000177872251efb3782502b8cb8c5efe8cb2f89c6cba69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1i5sarsz.vxe.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\dump\load.exe
Filesize
89KB

MD5
5700cabc6bf4e6aea2f3535fe34f14e2

SHA1
9b0bd296120b99060c88fb5f870f8da1e046d640

SHA256
18c0da701463f2f99e5b8c91d2aa6315b4538960fe883a6bfb519f623fc2696b

SHA512
8db7bcf3e6babbcd2d122d55b6eb17136392ce7951cfbec550b1e8ea2d08348ffdaea37666be0e9df3889867907180c3bfa95ffbe8a307a94b147cc397bead5b

Download Submit
C:\Users\Admin\AppData\Roaming\dump\tool.exe
Filesize
453KB

MD5
b696823b80d01a67c1e25355fdaa8bab

SHA1
932d2cd264daa771e93b094de870feb4ec0e1d93

SHA256
4ef86ce5877adc7f861b79da511ca2cbc7b454d6acc33e4a3ccbf21092fe6d94

SHA512
7eadf67c666152002a8d168e6beea36f3f7a7b2c57c313461dea1ba8cb0590fe0d6f6c2c0b4cd147e3ff2429fb99de8e84f3a036c8c7dbf5012d1346e4aff65f

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\1 пробел 2 ентер.exe
Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Box.bat
Filesize
5KB

MD5
a95505942d3ebcf724f080b49d4e981f

SHA1
ed7202c5dd386d050a2a24745399154218569f81

SHA256
64556d24498bcd280cd7cc248a98ed22c4db921495d825f141af1547c8fdd275

SHA512
21046716caec7a2b26516ae37f3295445d8c7f1b3502ebcaf41a84469bea1888f0139e813111f1585eff9b27403674e4c61ef4d4a62503f2c1dd820bde8a3476

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Button.bat
Filesize
5KB

MD5
96fefe69f2facf74197a8af3004a6167

SHA1
80baf02b5d984dd8055ac3a6f42593ad98b78307

SHA256
38aa0c1ad69d96732c776cbd73275f5ccb881d42158158b32815dad869ef9876

SHA512
1aa6335a5cc340191613c52fa3e55625ed058abad8bd8d5ed1575bb9cd59b19e1fb3fcf3f5df199ea6f9b9d10bdee45e099c9247457b35ea65c7b1e403f0e888

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\GetInput.exe
Filesize
3KB

MD5
2ba62ae6f88b11d0e262af35d8db8ca9

SHA1
69d4ccb476cfebdf572134fead42a12750580e4b

SHA256
3f5c64717a0092ae214154a730e96e2e56921be2e3f1121a3e98b1ba84627665

SHA512
a984212245e401b68872623437a512898a00d71cca7d7b0aa6733663020cae92d50ce1ae3abafbd811542a77e72c8b6a5755492c07d6ddeb2642d908142c2ccb

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Getlen.bat
Filesize
1KB

MD5
8c1812e76ba7bf09cb87384089a0ab7f

SHA1
d3edf2ba081073139960a955e812e6bb7f63817b

SHA256
83ce5342710a2f2e385a363402661e3426728dd6bcfe9d87e22f2fb858b07bde

SHA512
618abe11f65fe95cdc1f1834bf24ddbbea789c971788af7d2248b880e53d11a3c4302bd8e3c3c36b934f5f7d975d1b142fae8fd23c9ed6cfa118c97e01f6fd14

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Volumeid64.exe
Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\batbox.exe
Filesize
1KB

MD5
cb4a44baa20ad26bf74615a7fc515a84

SHA1
2581868c3d560e2b200d4f21d83271430167b377

SHA256
9553bc17fa0fd08e026c1865812b3388e3d5495a5394bbf671e5a8f21c79989a

SHA512
d19e6d0ccd89e52efdd2363185564cf83fcf3a37b55659dd1fd8b6574cf45b6147989b2c7b1e8029ce8136aa7ff74900494c1a30bbb65b96d9880ab7f77b6140

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\colorecho-vc10-x86_64.exe
Filesize
129KB

MD5
e2f377052409beeebf852803734e007a

SHA1
4d5e977acc59912bd451edae77ad58d977ed086b

SHA256
76fe5f9cef2c3a5c4f765d4c45167f4cf26cc6d469031f0d195d96724e9d82a8

SHA512
d88d3319a32ec3a8475fae03c74b1a5d7d8e92f3f5ffa1bc3326779d7d39e0bd18928a511be1ac965fb1c2e2da1cf0935fea38bbf847f54033887c62b6c842d7

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\hwid.ps1
Filesize
3KB

MD5
05673d49cc5f31e3d4812b7cb7419641

SHA1
07b3b298b067439da6e6ae37e51bb1701c33165a

SHA256
c7c54526b07f457e58d423ab22d61a0efd78ad112be2ef0a1efe6c25013df185

SHA512
5f5f380a3cad0cf1aa95244d6b1fca4ccdd10c8c882e045405d5600f242b8ed3306f485a3396db9c362f345b79b03d2db79aad7a1d92f09167beea0acf524d32

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\apex.exe
Filesize
172KB

MD5
499b9675eab3b839331a8052e91950cb

SHA1
5b29fc1a17ab48e70b1bd41e3424ffb7ede36bf3

SHA256
b6c2b8f461aa00c60dbf09081b379c3358fd31446f42c124fa39e2b1adf032fc

SHA512
e250603d50a4226a915e32570d105f514c4c6157ae23f13965e435f10214b367ed88f4f756f5abbf73f5637587c975696285eb2128e362d356c9f99dcce58484

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\device_cleanup.exe
Filesize
47KB

MD5
8eae1aec5f34e4a8e04a60075bcfb0f8

SHA1
a9af1c4eb6fb61a17a813b3bc788fce10c920007

SHA256
5ad34a00b0e6d471e4e0684f9ac996aa82cf837735053de0da72c1137c18115d

SHA512
a7ff2c81eb0cd757885bf767a1dcaef6681180cdabe0d477c680bef77312c25f102964931e8d3708d85cbca92a02b00eb0e35203a25b0ce4a16712e455fc68ff

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\extd.exe
Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\lgsvcl.exe
Filesize
282KB

MD5
9b19beb2fb368135e2d2a5e0c5832c19

SHA1
382851327c731266fc9cb365aeefdaf3c942a623

SHA256
c0f6d418b98e7b303ab224c5ac1b59487908ac15125c9e90eccaed2763100739

SHA512
990c529ee72527bbcbd05dbf51979847319fae1b5fbd7785f8d59b367a2af1d37ba584deab89e474c639a34359c538afddc4a099cf4241f53b3e4e311084ed9d

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\os_cleaner_one.exe
Filesize
173KB

MD5
dd1a0ba7f9e2d6a6ae54b1056acb9713

SHA1
9cecf355ffecd1d2009b74868a8f83107a348850

SHA256
241661e64f90af848e5354bdab30f3c12792019862ec14eee70d8e137b3d60ab

SHA512
00703997baa8f0290d26ed1a866abd3098e9027735e9d687e0b1b5bbacf4e5caf9c61031c829dc4a5a1e8c4da01aa702f480515a96a9aa97a4e3179dc7f2527d

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\os_cleaner_two.exe
Filesize
664KB

MD5
ba6e86262e9ef5b23ae47077df72201b

SHA1
1cbc871019d167e14709d131161ed64d4e594be7

SHA256
a76a9fe5dfec95306e48c3832e583854877a66f0a00e6fddb5d7607afdfcd0af

SHA512
298d9bdccc8efff74e7b5972f5dc3b5ce3bacbd96397ae5c85cce30c808fa313f61b11f893831239ad19bc6f883265026bc36304dd7e2bdf95557785347a61b3

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\public.exe
Filesize
478KB

MD5
22d145906c9d8803e5ec599d1455fea6

SHA1
7e9ccf8434b96091b19361aa08723e58c9667040

SHA256
62a118c45f3a1eae519d91894e1facde18449bc53d42a4c8a750c3d5e68a1249

SHA512
a337dfa21a6c5268cb119619bd0c67bf5392e87e8037bb5151ed9ae3ce3db83df6add13b9662a0a87951e9b9d5dfab1f9e72d1f199a5c951af1a1ed9bb74bcf8

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\Мануал 2\struct.exe
Filesize
89KB

MD5
dde838c9ddf5c867939d249e7dff2dee

SHA1
208e48bba627f685a55e1a834e9a3e0ea97fad59

SHA256
8d622da94cf5ec0a877d4a51b88902872b167dd8d1132041a4aa308b6a5a93c9

SHA512
b46557ec25cbea4bd22d5269cdec7fec3ddbb4c85050278e9895c3d4d464e8ba231cd16badeec3e8f282110c54e9f689717d8af938f2c31d32222c0bcd055d63

Download Submit
C:\Users\Admin\Desktop\ZelenkaBannedBoys\ОСНОВА 1.exe
Filesize
160KB

MD5
cd6cddac2686df01814705f21e6da343

SHA1
f29ad4efdc160ffba5cb63e01349ec9b84123e30

SHA256
0f7f86530b7fa2e693a2a3a5bf69957e61c2f45d39418d077285a1ea6f4bb992

SHA512
a673d521f316d3e0fa87a99effa33c5dc4fde315e72b7f6cbb828a94ffe8ebeed4bf9ca6fe858b3c69327aa4ce05ae02b37e2a392abb7cc728c4bbe2ab9a6de4

Download Submit
C:\Users\Admin\Downloads\ZelenkaBannedBoys.rar
Filesize
7.5MB

MD5
058aa472434397ff5e009d7df8fa584f

SHA1
5916fb8a25898edc900d2a7ec0c4121acb17d9a3

SHA256
ff560ce25404e1ac515cee26d1a4bee1484fc40ac89f34cc5ac9b61b328051b4

SHA512
4b5ac0dda9bb8174e00bd99834acc858766ce73213e39c7911a6c07a9310ca7d5eba2c510a4576c6a95accc84037fdfb58433c4342d9b2d41b36370a1739422d

Download Submit
\??\pipe\crashpad_1020_BBRTHTBSABBPPYIS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1172-548-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1172-548-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1448-550-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1448-550-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2020-639-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2020-638-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2020-639-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2020-638-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2112-561-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2112-563-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2112-561-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2112-563-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2196-538-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2196-538-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2624-586-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2624-585-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2624-585-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2624-586-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3728-525-0x00007FFF51C30000-0x00007FFF526F1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-522-0x000001E2210A0000-0x000001E2210B0000-memory.dmp

Filesize
64KB

Download
memory/3728-520-0x00007FFF51C30000-0x00007FFF526F1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-511-0x000001E208F40000-0x000001E208F62000-memory.dmp

Filesize
136KB

Download
memory/3728-525-0x00007FFF51C30000-0x00007FFF526F1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-521-0x000001E2210A0000-0x000001E2210B0000-memory.dmp

Filesize
64KB

Download
memory/3728-522-0x000001E2210A0000-0x000001E2210B0000-memory.dmp

Filesize
64KB

Download
memory/3728-521-0x000001E2210A0000-0x000001E2210B0000-memory.dmp

Filesize
64KB

Download
memory/3728-520-0x00007FFF51C30000-0x00007FFF526F1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-511-0x000001E208F40000-0x000001E208F62000-memory.dmp

Filesize
136KB

Download
memory/4100-580-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4100-580-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4292-545-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-540-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-598-0x00007FFF70730000-0x00007FFF70925000-memory.dmp

Filesize
2.0MB

Download
memory/4292-542-0x00007FFF70730000-0x00007FFF70925000-memory.dmp

Filesize
2.0MB

Download
memory/4292-543-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-598-0x00007FFF70730000-0x00007FFF70925000-memory.dmp

Filesize
2.0MB

Download
memory/4292-544-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-545-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-557-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-540-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-542-0x00007FFF70730000-0x00007FFF70925000-memory.dmp

Filesize
2.0MB

Download
memory/4292-543-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-544-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-546-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-546-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4292-557-0x00007FF7F0690000-0x00007FF7F1032000-memory.dmp

Filesize
9.6MB

Download
memory/4436-644-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4436-644-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4436-645-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4436-645-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4720-536-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4720-534-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4720-534-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4720-536-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4744-647-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4744-646-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4744-646-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4744-647-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/5116-588-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/5116-589-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/5116-588-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/5116-589-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download