Analysis
max time kernel: 50s
max time network: 142s
platform: windows10_x64
resource: win10v20210410
submitted: 23-05-2021 12:02
Static task: static1
Behavioral task: behavioral1
  Sample: B644F30DACDD7066907FD2807DB5FB0D.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: B644F30DACDD7066907FD2807DB5FB0D.exe
  Resource: win10v20210410
Errors
General
Target: B644F30DACDD7066907FD2807DB5FB0D.exe
Size: 42KB
MD5: b644f30dacdd7066907fd2807db5fb0d
SHA1: fdf07cd26db17172165cd928437dcc44921c038e
SHA256: 8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc
SHA512: 232a4219aacbc793df84691008b7b1ea1642a479048d0897c361a7fe7bfb597c14cdb31f4ef086e471f8c71d1a153269f8869fce5ddd8a7d68393ee3a027d73a
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/6724-361-0x0000000000416372-mapping.dmp | family_redline
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Blocklisted process makes network request 6 IoCs
Processes:
flow | pid | process
130 | 4684 | cmd.exe
131 | 4684 | cmd.exe
137 | 4684 | cmd.exe
140 | 4684 | cmd.exe
141 | 4684 | cmd.exe
219 | 5784 | MsiExec.exe
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 4_177039.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 3316505.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Balti.exe
Executes dropped EXE 50 IoCs
Processes:
pid | process
836 | diragame.exe
1416 | irecCH4.exe
2064 | md4_4igk.exe
2456 | sunlap.exe
2356 | LzmwAqmV.exe
184 | LzmwAqmV.tmp
1480 | Balti.exe
4180 | irecord.exe
4216 | irecord.tmp
4240 | Cakaewowiwa.exe
4304 | Qadoshewaeki.exe
4420 | i-record.exe
3732 | 001.exe
5112 | installer.exe
5140 | Setup3310.exe
5192 | Setup3310.tmp
5672 | Conhost.exe
6064 | setup.exe
6088 | Setup.exe
4652 | hjjgaa.exe
5748 | RunWW.exe
5856 | BarSetpFile.exe
5708 | guihuali-game.exe
5928 | LabPicV3.exe
5992 | cmd.exe
3408 | Versium.exe
5504 | LabPicV3.tmp
6136 | lylal220.tmp
4684 | cmd.exe
6048 | cmd.exe
2272 | jfiag3g_gg.exe
5288 | 4_177039.exe
5228 | 3316505.exe
5604 | 8979618.exe
6232 | 2654459.exe
6352 | 2488891.exe
6552 | Setup.exe
6608 | Windows Host.exe
6764 | prolab.exe
6816 | MicrosoftEdgeCP.exe
6836 | jfiag3g_gg.exe
6864 | Kofushuruxa.exe
6944 | ZHikybaekilae.exe
7092 | irecord.exe
7120 | irecord.tmp
6260 | Tyzhosoluru.exe
5324 | Jizhygineli.exe
6512 | 001.exe
4892 | installer.exe
7012 | 001.exe
Modifies Windows Firewall 1 TTPs
-
Processes:
resource | yara_rule
behavioral2/memory/4652-329-0x0000000000EF0000-0x000000000154F000-memory.dmp | vmprotect
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Cakaewowiwa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Kofushuruxa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Tyzhosoluru.exe
Loads dropped DLL 45 IoCs
Processes (45 loads, aggregated per pid in order of first appearance):
pid | process | DLL loads
184 | LzmwAqmV.tmp | 1
4420 | i-record.exe | 9
5112 | installer.exe | 4
4644 | MsiExec.exe | 2
5192 | Setup3310.tmp | 2
5784 | MsiExec.exe | 13
5920 | rUNdlL32.eXe | 1
5504 | LabPicV3.tmp | 1
6136 | lylal220.tmp | 1
4684 | cmd.exe | 2
5748 | RunWW.exe | 2
6484 | MsiExec.exe | 7
Modifies file permissions 1 TTPs 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Taepenawugae.exe\"" | Balti.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" | 2654459.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Adobe\\Bazhushaeleha.exe\"" | 3316505.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\recording\\Dywixezhapy.exe\"" | 4_177039.exe
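The hosts-file writes under "Drops file in Drivers directory", the Geo\Nation reads under "Checks computer location settings" and the Run/RunOnce writes above all use the same flattened "description ioc process" row shape. The Python below is an added example, not part of this report or of Triage: it parses rows of that shape into records and pulls out the autostart entries, hosts-file writers and geofence lookups. The sample rows are copied from this report; the unquoting assumes the report's escaping (value wrapped in double quotes, inner backslashes and quotes escaped with a backslash), and a process name containing a space would be cut at the last token.

```python
"""Parse the flattened "description ioc process" rows used in this report and
pull out persistence, hosts-file tampering and geofence lookups.
Added example: not part of the sandbox report or of Triage."""
import re
from collections import defaultdict

# Sample rows copied from this report (Run keys, hosts file, Geo\Nation) plus
# one unrelated row to show that it is ignored.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Taepenawugae.exe\"" Balti.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" 2654459.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Adobe\\Bazhushaeleha.exe\"" 3316505.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\recording\\Dywixezhapy.exe\"" 4_177039.exe',
    r'File opened for modification C:\Windows\system32\drivers\etc\hosts 4_177039.exe',
    r'File opened for modification C:\Windows\system32\drivers\etc\hosts 3316505.exe',
    r'File opened for modification C:\Windows\system32\drivers\etc\hosts Balti.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation Cakaewowiwa.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation Kofushuruxa.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation Tyzhosoluru.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe',
]

# Row shape: "<description> <ioc> <process>".  The ioc may contain spaces, so the
# process is taken as the last whitespace-free token ending in .exe/.tmp
# (a process name with a space in it, like "Windows Host.exe", would be cut).
_ROW = re.compile(
    r"^(?P<desc>Set value \((?:str|int|data)\)|Key value queried|Key created|Key opened|"
    r"Key deleted|File opened for modification|File opened \(read-only\)|File created)"
    r"\s+(?P<rest>.+?)\s+(?P<process>\S+\.(?i:exe|tmp))$"
)
_RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)


def _unquote(data):
    """Undo the report's escaping: value wrapped in double quotes, inner
    backslashes and quotes escaped with a backslash."""
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data):
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out).strip('"')


def parse_row(line):
    """Return {'desc', 'path', 'data', 'process'} for a report row, or None."""
    m = _ROW.match(line.strip())
    if not m:
        return None
    rec = {"desc": m["desc"], "path": m["rest"], "data": None, "process": m["process"]}
    if rec["desc"].startswith("Set value"):
        path, sep, data = m["rest"].partition(" = ")
        if sep:
            rec["path"], rec["data"] = path, _unquote(data)
    return rec


def classify(rows):
    """Bucket rows into persistence writes, hosts-file writes and geofence reads."""
    findings = {"persistence": [], "hosts_tampering": [], "geofence": []}
    for line in rows:
        rec = parse_row(line)
        if rec is None:
            continue
        path = rec["path"]
        run = _RUN_KEY.search(path)
        if run and rec["data"]:
            findings["persistence"].append({
                "hive": "HKLM" if path.upper().startswith("\\REGISTRY\\MACHINE") else "HKU",
                "key": run.group(1), "name": run["name"],
                "target": rec["data"], "process": rec["process"]})
        elif path.lower().endswith("\\drivers\\etc\\hosts") and rec["desc"] != "File opened (read-only)":
            findings["hosts_tampering"].append(rec["process"])
        elif path.endswith("\\Control Panel\\International\\Geo\\Nation"):
            findings["geofence"].append(rec["process"])
    return findings


def value_name_collisions(persistence):
    """Autostart value names written more than once: later writers overwrite
    earlier ones, and a RunOnce value is deleted before it runs, so only the
    last target actually executes after a reboot."""
    by_name = defaultdict(list)
    for p in persistence:
        by_name[(p["hive"], p["key"], p["name"])].append(p["target"])
    return {k: v for k, v in by_name.items() if len(v) > 1}


if __name__ == "__main__":
    found = classify(SAMPLE_ROWS)
    for p in found["persistence"]:
        print(f"{p['hive']}\\...\\{p['key']}\\{p['name']} -> {p['target']}  ({p['process']})")
    print("hosts file writers:", found["hosts_tampering"])
    print("geofence lookups:", found["geofence"])
    print("collisions:", value_name_collisions(found["persistence"]))
```

Run on the rows above, the collision check shows that Balti.exe, 3316505.exe and 4_177039.exe all write the same HKLM RunOnce value "system recover" with different targets, so only the last of the three binaries is actually launched at the next logon; the HKU Run value "Windows Host" written by 2654459.exe is the one durable autostart. The three hosts-file writers are the same three droppers, which is worth checking on an infected host before trusting any name resolution from it.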
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (48 IoCs; each process opened every drive letter A: through Z: except C: and D:):
description | ioc | process
File opened (read-only) | \??\A: to \??\Z: excluding C: and D: (24 letters) | installer.exe
File opened (read-only) | \??\A: to \??\Z: excluding C: and D: (24 letters) | msiexec.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
131 | ipinfo.io
132 | ip-api.com
184 | ip-api.com
274 | ipinfo.io
276 | ipinfo.io
429 | api.2ip.ua
73 | ipinfo.io
75 | ipinfo.io
287 | ipinfo.io
428 | api.2ip.ua
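Flow ids are the join key between this table and the "Blocklisted process makes network request" table above: flow 131 appears in both, which ties the ipinfo.io lookup to cmd.exe (pid 4684). The Python below is an added example, not part of this report or of Triage. It performs that join on the report's own rows, counts how often each lookup service was hit, and then runs the same idea as a detection over constructed Sysmon Event ID 22 (DnsQuery) records: any non-browser process resolving one of these services is alerted on. The event records, the browser allow-list and the JSON field names are assumptions for the example.

```python
"""Join the report's flow tables and flag external-IP lookups in DNS telemetry.
Added example: not part of the sandbox report or of Triage."""
import json
from collections import Counter

# Domains from the report's "Looks up external IP address via web service" rows.
IP_LOOKUP_SERVICES = {"ipinfo.io", "ip-api.com", "api.2ip.ua"}
# Browsers resolve these domains when a user visits them; skipping them keeps
# the rule focused on non-browser processes (assumption, tune to your estate).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "microsoftedgecp.exe"}

# Rows copied from the report: "flow pid process" and "flow ioc".
BLOCKLISTED_FLOWS = ["130 4684 cmd.exe", "131 4684 cmd.exe", "137 4684 cmd.exe",
                     "140 4684 cmd.exe", "141 4684 cmd.exe", "219 5784 MsiExec.exe"]
IP_LOOKUP_FLOWS = ["131 ipinfo.io", "132 ip-api.com", "184 ip-api.com", "274 ipinfo.io",
                   "276 ipinfo.io", "429 api.2ip.ua", "73 ipinfo.io", "75 ipinfo.io",
                   "287 ipinfo.io", "428 api.2ip.ua"]

# Constructed Sysmon Event ID 22 (DnsQuery) records, one JSON object per line.
SAMPLE_DNS_EVENTS = r"""
{"EventID": 22, "UtcTime": "2021-05-23 12:03:41.112", "ProcessId": 4684, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "QueryName": "ipinfo.io"}
{"EventID": 22, "UtcTime": "2021-05-23 12:03:42.507", "ProcessId": 5200, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "QueryName": "ipinfo.io"}
{"EventID": 22, "UtcTime": "2021-05-23 12:03:43.019", "ProcessId": 3300, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "ctldl.windowsupdate.com"}
{"EventID": 22, "UtcTime": "2021-05-23 12:04:10.221", "ProcessId": 6724, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe", "QueryName": "api.2ip.ua"}
{"EventID": 3, "UtcTime": "2021-05-23 12:04:10.400", "ProcessId": 6724, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe", "DestinationIp": "203.0.113.10"}
{"EventID": 22, "UtcTime": "2021-05-23 12:04:12.900", "ProcessId": 2272, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfiag3g_gg.exe", "QueryName": "IP-API.COM."}
"""


def join_flows(process_rows, domain_rows):
    """Join the two report tables on flow id: which blocklisted process owned
    a flow that went to an IP-lookup service."""
    by_flow = {}
    for row in process_rows:
        flow, pid, name = row.split(" ", 2)
        by_flow[int(flow)] = (int(pid), name)
    joined = []
    for row in domain_rows:
        flow, domain = row.split(" ", 1)
        if int(flow) in by_flow:
            pid, name = by_flow[int(flow)]
            joined.append({"flow": int(flow), "pid": pid, "process": name, "domain": domain})
    return joined


def lookup_service_counts(domain_rows):
    """How many flows went to each lookup service."""
    return Counter(row.split(" ", 1)[1] for row in domain_rows)


def is_ip_lookup_domain(qname):
    """Exact or subdomain match, case-insensitive, tolerating a trailing dot."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IP_LOOKUP_SERVICES)


def detect_ip_lookups(jsonl, ignore_browsers=True):
    """Alert on DnsQuery events for IP-lookup services from non-browser images."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 22 or not is_ip_lookup_domain(ev.get("QueryName", "")):
            continue
        image = ev.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if ignore_browsers and exe in BROWSER_IMAGES:
            continue
        alerts.append({"time": ev["UtcTime"], "pid": ev["ProcessId"],
                       "image": image, "domain": ev["QueryName"]})
    return alerts


if __name__ == "__main__":
    print(join_flows(BLOCKLISTED_FLOWS, IP_LOOKUP_FLOWS))
    print(lookup_service_counts(IP_LOOKUP_FLOWS))
    for a in detect_ip_lookups(SAMPLE_DNS_EVENTS):
        print(f"{a['time']} pid={a['pid']} {a['image']} -> {a['domain']}")
```

The domain match is a suffix match so that subdomains of the services are caught, and it normalises case and the trailing dot that some resolvers log. The browser exclusion is a precision trade-off: a stealer that injects into a browser process would slip past it, so pair this rule with the injection correlation rather than relying on it alone.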
Drops file in System32 directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #3 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #4 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #5 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #6 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #1 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedUpdater | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #2 | svchost.exe
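Files under C:\Windows\System32\Tasks are the XML definitions of scheduled tasks, and they are written by the Task Scheduler service (hosted in svchost.exe), so the svchost.exe attribution above says nothing about which process registered the seven tasks; the report also does not show what AdvancedUpdater or the numbered AdvancedWindowsManager tasks run. The Python below is an added example, not part of this report or of Triage: it parses task XML in the schema Windows uses and scores each task on the properties that matter for triage (an action inside a user-writable directory, a numbered name of the kind seen here, an elevated logon/boot trigger, and the Hidden flag). Both task bodies are constructed for the example and the command paths in them are assumptions.

```python
"""Triage scheduled-task XML files for suspicious actions.  Added example:
not part of the sandbox report or of Triage.  The task XML below is
constructed; the report does not show what the AdvancedWindowsManager tasks run."""
import os
import re
import xml.etree.ElementTree as ET

# Path fragments a scheduled task's action should not normally point into.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed task bodies in the schema Windows stores under C:\Windows\System32\Tasks.
MALICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Admin</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\AW Manager\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command><Arguments>/c</Arguments></Exec>
  </Actions>
</Task>"""


def _strip_ns(root):
    """Drop the task namespace so the find() paths below stay readable."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def analyze_task(name, xml_text):
    """Return the task's action plus a list of reasons it looks suspicious."""
    root = _strip_ns(ET.fromstring(xml_text))
    reasons = []
    cmd = (root.findtext("Actions/Exec/Command") or "").strip()
    args = (root.findtext("Actions/Exec/Arguments") or "").strip()
    if any(marker in cmd.lower() for marker in USER_WRITABLE):
        reasons.append("command in user-writable path")
    if re.search(r"#\d+$", name):
        reasons.append("numbered task name")
    trig = root.find("Triggers")
    triggers = {t.tag for t in trig} if trig is not None else set()
    runlevel = (root.findtext("Principals/Principal/RunLevel") or "").strip()
    auto = sorted(triggers & {"LogonTrigger", "BootTrigger"})
    if runlevel == "HighestAvailable" and auto:
        reasons.append("elevated autostart via " + ", ".join(auto))
    if (root.findtext("Settings/Hidden") or "").strip().lower() == "true":
        reasons.append("hidden task")
    return {"name": name, "command": cmd, "arguments": args, "reasons": reasons}


def scan_task_dir(task_dir=r"C:\Windows\System32\Tasks"):
    """Walk the live task store (Windows only) and return the flagged tasks."""
    hits = []
    for dirpath, _, files in os.walk(task_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                raw = fh.read()
            # Task files are usually UTF-16 with a BOM; decode, then drop the XML
            # declaration so the parser is not told a conflicting encoding.
            text = raw.decode("utf-16") if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else raw.decode("utf-8", "replace")
            text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
            try:
                result = analyze_task(os.path.relpath(path, task_dir), text)
            except ET.ParseError:
                continue
            if result["reasons"]:
                hits.append(result)
    return hits


if __name__ == "__main__":
    for name, body in [("AdvancedWindowsManager #1", MALICIOUS_TASK_XML),
                       ("MicrosoftEdgeUpdateTaskMachineCore", BENIGN_TASK_XML)]:
        print(analyze_task(name, body))
```

On a live host, pair the XML scan with the registry side of the task store (the TaskCache keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule), since a task file on disk with no TaskCache entry, or the reverse, is itself a sign of tampering.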
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target pid | target process
PID 3216 set thread context of 6032 | 3216 | svchost.exe | 6032 | svchost.exe
PID 6552 set thread context of 6724 | 6552 | Setup.exe | 6724 | AddInProcess32.exe
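The second row is the key finding of this run: Setup.exe (pid 6552) set the thread context of AddInProcess32.exe (pid 6724), a signed .NET Framework helper binary, and the RedLine YARA rule listed under "RedLine Payload" fired on a memory mapping of that same pid 6724. A SetThreadContext call from one process into another, followed by a payload signature in the target and none in the source, is the shape of process hollowing. The Python below is an added example, not part of this report or of Triage: it parses the two row formats from this page and joins them on pid, so the injected payload is named and the remaining YARA hit (vmprotect on pid 4652, which the "Executes dropped EXE" table lists as hjjgaa.exe) is reported separately as a packed dropper rather than an injection target. The pid-to-name map is copied from that table.

```python
"""Tie the report's SetThreadContext rows to its YARA memory-dump hits so the
injected payload can be named.  Added example: not part of the sandbox report
or of Triage."""
import re

# Rows copied from the report.
THREAD_CONTEXT_ROWS = [
    "PID 3216 set thread context of 6032 3216 svchost.exe 6032 svchost.exe",
    "PID 6552 set thread context of 6724 6552 Setup.exe 6724 AddInProcess32.exe",
]
YARA_ROWS = [
    "behavioral2/memory/6724-361-0x0000000000416372-mapping.dmp family_redline",
    "behavioral2/memory/4652-329-0x0000000000EF0000-0x000000000154F000-memory.dmp vmprotect",
]
# pid -> image, taken from the "Executes dropped EXE" table (subset).
PID_NAMES = {4652: "hjjgaa.exe", 6552: "Setup.exe", 6724: "AddInProcess32.exe"}

# "PID <src> set thread context of <dst> <src> <src name> <dst> <dst name>"; the
# repeated pids are used as delimiters so image names with spaces survive.
_CTX = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) "
                  r"(?P=src) (?P<src_name>.+?) (?P=dst) (?P<dst_name>.+)$")
# "<task>/memory/<pid>-<n>-0x<start>[-0x<end>]-(mapping|memory).dmp <rule>"
_YARA = re.compile(r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
                   r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>mapping|memory)\.dmp\s+(?P<rule>\S+)$")


def parse_thread_context(rows):
    """Source/target pid and image for each SetThreadContext row."""
    out = []
    for row in rows:
        m = _CTX.match(row.strip())
        if m:
            out.append({"src": int(m["src"]), "src_name": m["src_name"],
                        "dst": int(m["dst"]), "dst_name": m["dst_name"]})
    return out


def yara_hits_by_pid(rows):
    """Group YARA resource rows by the pid of the dumped process."""
    hits = {}
    for row in rows:
        m = _YARA.search(row.strip())
        if not m:
            continue
        hits.setdefault(int(m["pid"]), []).append({
            "rule": m["rule"], "kind": m["kind"],
            "start": int(m["start"], 16),
            "end": int(m["end"], 16) if m["end"] else None})
    return hits


def correlate(ctx_rows, yara_rows):
    """For each SetThreadContext pair, list the YARA rules that fired on the
    target's memory: a hit in the target and none in the source is the shape of
    a loader hollowing a clean host process."""
    hits = yara_hits_by_pid(yara_rows)
    out = []
    for inj in parse_thread_context(ctx_rows):
        target_rules = [h["rule"] for h in hits.get(inj["dst"], [])]
        source_rules = [h["rule"] for h in hits.get(inj["src"], [])]
        out.append({**inj, "target_rules": target_rules, "source_rules": source_rules,
                    "verdict": "payload in target" if target_rules else "unresolved"})
    return out


def unattributed_hits(ctx_rows, yara_rows, pid_names=PID_NAMES):
    """YARA hits on processes that are not injection targets (here the
    VMProtect hit on pid 4652, which the report lists as hjjgaa.exe)."""
    targets = {inj["dst"] for inj in parse_thread_context(ctx_rows)}
    return [(pid, pid_names.get(pid, "?"), h["rule"])
            for pid, hs in yara_hits_by_pid(yara_rows).items() if pid not in targets
            for h in hs]


if __name__ == "__main__":
    for r in correlate(THREAD_CONTEXT_ROWS, YARA_ROWS):
        print(f"{r['src_name']}({r['src']}) -> {r['dst_name']}({r['dst']}): "
              f"{r['verdict']} {r['target_rules']}")
    print("other hits:", unattributed_hits(THREAD_CONTEXT_ROWS, YARA_ROWS))
```

The svchost.exe to svchost.exe pair stays "unresolved" because no rule fired on pid 6032; it should still be looked at, since a service host setting another service host's thread context is not normal behaviour, but the page gives nothing further to name it with.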
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll | irecord.tmp
File opened for modification | C:\Program Files (x86)\Picture Lab\AForge.dll | MicrosoftEdgeCP.exe
File created | C:\Program Files (x86)\Picture Lab\is-H9DO6.tmp | MicrosoftEdgeCP.exe
File created | C:\Program Files (x86)\recording\is-E9JUM.tmp | irecord.tmp
File created | C:\Program Files (x86)\recording\is-U3RVM.tmp | irecord.tmp
File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe | Setup.exe
File created | C:\Program Files (x86)\Picture Lab\is-HRMAB.tmp | MicrosoftEdgeCP.exe
File created | C:\Program Files (x86)\Picture Lab\is-5ATI4.tmp | MicrosoftEdgeCP.exe
File created | C:\Program Files\Windows Multimedia Platform\XIWTZEIYTX\irecord.exe.config | 4_177039.exe
File opened for modification | C:\Program Files (x86)\recording\avcodec-53.dll | irecord.tmp
File opened for modification | C:\Program Files (x86)\recording\unins000.exe | irecord.tmp
File created | C:\Program Files (x86)\recording\is-OMQS8.tmp | irecord.tmp
File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe | Setup.exe
File created | C:\Program Files (x86)\recording\is-TPQJC.tmp | irecord.tmp
File created | C:\Program Files (x86)\recording\Dywixezhapy.exe | 4_177039.exe
File created | C:\Program Files (x86)\recording\Dywixezhapy.exe.config | 4_177039.exe
File created | C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe | msiexec.exe
File created | C:\Program Files\Reference Assemblies\BZXPWUNVDP\irecord.exe.config | Balti.exe
File opened for modification | C:\Program Files (x86)\recording\AForge.Video.dll | irecord.tmp
File opened for modification | C:\Program Files (x86)\recording\swresample-0.dll | irecord.tmp
File created | C:\Program Files (x86)\Windows Portable Devices\Taepenawugae.exe.config | Balti.exe
File opened for modification | C:\Program Files (x86)\Picture Lab\Pictures Lab.exe | MicrosoftEdgeCP.exe
File created | C:\Program Files\Windows Multimedia Platform\XIWTZEIYTX\irecord.exe | 4_177039.exe
File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url | msiexec.exe
File opened for modification | C:\Program Files (x86)\recording\avutil-51.dll | irecord.tmp
File created | C:\Program Files (x86)\Windows Portable Devices\Taepenawugae.exe | Balti.exe
File created | C:\Program Files (x86)\recording\is-B4H5T.tmp | irecord.tmp
File created | C:\Program Files\Microsoft Office 15\BHIONCQILY\prolab.exe.config | 3316505.exe
File opened for modification | C:\Program Files (x86)\Picture Lab\SourceLibrary.dll | MicrosoftEdgeCP.exe
File created | C:\Program Files (x86)\Picture Lab\is-MCHMU.tmp | MicrosoftEdgeCP.exe
File opened for modification | C:\Program Files (x86)\recording\swscale-2.dll | irecord.tmp
File opened for modification | C:\Program Files (x86)\recording\unins000.exe | irecord.tmp
File opened for modification | C:\Program Files (x86)\recording\avcodec-53.dll | irecord.tmp
File created | C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.ini | Setup.exe
File opened for modification | C:\Program Files (x86)\Picture Lab\DockingToolbar.dll | MicrosoftEdgeCP.exe
File created | C:\Program Files (x86)\Picture Lab\is-H794T.tmp | MicrosoftEdgeCP.exe
File opened for modification | C:\Program Files (x86)\recording\swresample-0.dll | irecord.tmp
File opened for modification | C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll | irecord.tmp
File created | C:\Program Files (x86)\recording\is-NEG9O.tmp | irecord.tmp
File opened for modification | C:\Program Files (x86)\recording\avformat-53.dll | irecord.tmp
File opened for modification | C:\Program Files (x86)\recording\i-record.exe | irecord.tmp
File created | C:\Program Files (x86)\recording\is-BTL0T.tmp | irecord.tmp
File created | C:\Program Files (x86)\recording\is-MC61Q.tmp | irecord.tmp
File created | C:\Program Files (x86)\recording\is-BTQ56.tmp | irecord.tmp
File opened for modification | C:\Program Files (x86)\recording\unins000.dat | irecord.tmp
File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\Picture Lab\SourceGrid2.dll | MicrosoftEdgeCP.exe
File created | C:\Program Files (x86)\Picture Lab\is-2LFBB.tmp | MicrosoftEdgeCP.exe
File created | C:\Program Files (x86)\Adobe\Bazhushaeleha.exe | 3316505.exe
File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini | msiexec.exe
File opened for modification | C:\Program Files (x86)\recording\postproc-52.dll | irecord.tmp
File opened for modification | C:\Program Files (x86)\recording\swscale-2.dll | irecord.tmp
File created | C:\Program Files (x86)\recording\is-5M6TU.tmp | irecord.tmp
File created | C:\Program Files (x86)\recording\is-H7OUI.tmp | irecord.tmp
File created | C:\Program Files (x86)\recording\is-444B8.tmp | irecord.tmp
File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll | irecord.tmp
File opened for modification | C:\Program Files (x86)\recording\avutil-51.dll | irecord.tmp
File created | C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk | msiexec.exe
File created | C:\Program Files\Reference Assemblies\BZXPWUNVDP\irecord.exe | Balti.exe
File created | C:\Program Files (x86)\Picture Lab\is-T7N3T.tmp | MicrosoftEdgeCP.exe
File opened for modification | C:\Program Files (x86)\recording\i-record.exe | irecord.tmp
Drops file in Windows directory 33 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI64F9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6E53.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI724C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA516.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAF8A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC095.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC86A.tmp | msiexec.exe
File created | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe | msiexec.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Installer\MSIC54A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC77E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC917.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICB6A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f746288.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7710.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC654.tmp | msiexec.exe
File created | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe | msiexec.exe
File created | C:\Windows\Installer\f746288.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6AE6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAA39.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC3A3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe | msiexec.exe
File created | C:\Windows\Installer\f74628b.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6C7D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7048.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA6FC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAFCA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAD95.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} | msiexec.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's stock wording calls this likely ransomware behaviour, but it is a generic heuristic: in this run the only processes shown touching drive letters (see "Enumerates connected drives" above) are installer.exe and msiexec.exe, which is ordinary MSI installer behaviour, and no encryption or ransom-note activity appears anywhere else in the report.
-
Program crash 4 IoCs
Processes:
pid | pid_target | process | target process
3648 | 836 | WerFault.exe | diragame.exe
432 | 2064 | WerFault.exe | md4_4igk.exe
6880 | 6352 | WerFault.exe | 2488891.exe
6976 | 4224 | WerFault.exe | 702564a0.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RunWW.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RunWW.exe
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
7288 | timeout.exe
Kills process with taskkill 2 IoCs
Processes:
pid | process
6020 | taskkill.exe
6280 | taskkill.exe
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies data under HKEY_USERS 16 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | svchost.exe
Modifies registry class 64 IoCs
Processes:
In the rows below, EDGE stands for \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe (abbreviated for readability).
description | ioc | process
Set value (data) | EDGE\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000bac57de394b5600f1c12ffa2b778fe0d9ad060d8e82448a00914d7b7af820b36c382baf47f9ef8345ef7cc46a7897ce95305911812730b27b578344b601b | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M} | rUNdlL32.eXe
Set value (str) | EDGE\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Key created | EDGE\MicrosoftEdge\IETld\LowMic | MicrosoftEdge.exe
Set value (data) | EDGE\CIStatus\CIStatusTimestamp = b7767e0ccb4fd701 | MicrosoftEdge.exe
Set value (data) | EDGE\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 | MicrosoftEdge.exe
Key created | EDGE\Children\121\Internet Settings\Cache\Extensible Cache | MicrosoftEdgeCP.exe
Key created | EDGE\MicrosoftEdge\UserStateMigration | MicrosoftEdge.exe
Set value (int) | EDGE\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" | MicrosoftEdge.exe
Set value (int) | EDGE\Children\121\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList | msiexec.exe
Set value (str) | EDGE\Children\001\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
Key created | EDGE\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K} | rUNdlL32.eXe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F} | svchost.exe
Key created | EDGE\MicrosoftEdge\UserStateMigration\EdgeMigration | MicrosoftEdge.exe
Set value (int) | EDGE\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" | MicrosoftEdge.exe
Key created | EDGE\MicrosoftEdge\Roaming | MicrosoftEdge.exe
Set value (int) | EDGE\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" | MicrosoftEdge.exe
Key created | EDGE\MicrosoftEdge\DataStore | MicrosoftEdge.exe
Set value (int) | EDGE\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature | msiexec.exe
Set value (int) | EDGE\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" | MicrosoftEdge.exe
Set value (data) | EDGE\Children\121\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Key created | EDGE\MicrosoftEdge\PageSetup | MicrosoftEdge.exe
Key created | EDGE\Internet Explorer\Main | MicrosoftEdge.exe
Key created | EDGE\MicrosoftEdge\BrowserEmulation | MicrosoftEdge.exe
Key created | EDGE\Children\001\Internet Settings\Cache\Content | MicrosoftEdgeCP.exe
Key created | EDGE\Children\001\Internet Settings\Cache\Cookies | MicrosoftEdgeCP.exe
Set value (int) | EDGE\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" | msiexec.exe
Key created | EDGE\Children\001\CIStatus | MicrosoftEdgeCP.exe
Set value (str) | EDGE\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdge.exe
Set value (int) | EDGE\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1" | MicrosoftEdge.exe
Key created | EDGE\Children\001\Internet Settings\Cache | MicrosoftEdgeCP.exe
Set value (int) | EDGE\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" | MicrosoftEdge.exe
Key created | EDGE\MicrosoftEdge\New Windows | MicrosoftEdge.exe
Set value (int) | EDGE\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" | MicrosoftEdge.exe
Set value (str) | EDGE\MicrosoftEdge\Main\ImageStoreRandomFolder = "0s03o8t" | MicrosoftEdge.exe
Set value (data) | EDGE\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701 | MicrosoftEdge.exe
Key created | EDGE\MicrosoftEdge\BrowserEmulation\LowMic | MicrosoftEdge.exe
Set value (int) | EDGE\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" | MicrosoftEdge.exe
Key created | EDGE\Children\001\Internet Explorer\Main | MicrosoftEdgeCP.exe
Set value (int) | EDGE\Children\001\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (data) | EDGE\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Set value (data) | EDGE\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000003872fabd1a2836a36a527cf16defed2878c43c874e4115dcd7d62cd545f232ee000caa94c17a589174fa013d6d4f5dcbafbc454500bd6e696de5 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033" | msiexec.exe
Set value (int) | EDGE\Children\001\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Key created | EDGE\Internet Settings\Cache\Content | MicrosoftEdge.exe
Set value (data) | EDGE\CIStatus\CIStatusTimestamp = 9e6b760dcb4fd701 | MicrosoftEdge.exe
Set value (int) | EDGE\MicrosoftEdge\Main\JumpListFirstRun = "3" | MicrosoftEdge.exe
Key created | EDGE\MicrosoftEdge\Toolbar\WebBrowser | MicrosoftEdge.exe
Set value (data) | EDGE\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify.
(the page ends here; the remaining rows of this 64-IoC table are not present)
= 010000005072e6e3d287c0e172137216e50cce43104cd816860a0f142f5b5ae23dc5d96a1973a7e779a50a1d4a5a6c6dac57b78e330b1506dbec2492c554c146c0f8da54947819ce21b495c454cea7928057393f9c370e8eb865428e0def MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "5" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{08CA7FDB-1A66-486A-90C2-E9B23EAF3307}" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager" msiexec.exe -
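Almost every row in the table above is MicrosoftEdge.exe or MicrosoftEdgeCP.exe initialising its own AppContainer storage and says nothing about the sample; the three msiexec.exe rows are the ones to follow up. Windows Installer keys its per-product data under `Classes\Installer\Products` by a "packed" product code: the string form of the first three GUID fields is reversed and the hex digits of every remaining byte are swapped, so the key name `C414548CC3098124D97E31A29BF7FD26` cannot be grepped against the product code that the Uninstall key or Win32_Product reports. The Python below is an added example and not part of the sandbox report: it converts the key name in both directions and checks it against the LastUsedSource value, whose `<type>;<index>;<path>` format puts the install subdirectory last. The unpacked code's trailing seven hex digits turn out to equal the `97FDF62` subdirectory recorded in that row, which ties the two rows to one product.

```python
import re

PACKED_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
GUID_RE = re.compile(
    r"^\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}?$", re.I)


def _swap_pairs(s: str) -> str:
    """Swap the two hex digits of every byte: 'D97E' -> '9DE7'."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def unpack_msi_guid(packed: str) -> str:
    """Turn a Windows Installer 'packed' product code (the 32-hex-digit key name under
    Classes\\Installer\\Products) into the registry-style {GUID}.

    Packing reverses the string form of the first three GUID fields and swaps the
    digits of each remaining byte; both operations are their own inverse."""
    if not PACKED_RE.match(packed):
        raise ValueError("expected 32 hex digits, got %r" % packed)
    p = packed.upper()
    return "{%s-%s-%s-%s-%s}" % (p[:8][::-1], p[8:12][::-1], p[12:16][::-1],
                                 _swap_pairs(p[16:20]), _swap_pairs(p[20:]))


def pack_msi_guid(guid: str) -> str:
    """Inverse of unpack_msi_guid: from a product code as shown in an Uninstall key or
    by Win32_Product back to the Installer\\Products key name."""
    m = GUID_RE.match(guid)
    if not m:
        raise ValueError("expected a GUID of the form {8-4-4-4-12}, got %r" % guid)
    a, b, c, d, e = (f.upper() for f in m.groups())
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


# Key name and LastUsedSource value copied from the msiexec.exe rows above
# (the report prints the registry string with doubled backslashes).
PRODUCTS_KEY = "C414548CC3098124D97E31A29BF7FD26"
LAST_USED_SOURCE = ("n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\"
                    "Windows Manager 1.0.0\\install\\97FDF62\\")


def install_dir_matches_product_code(packed: str, last_used_source: str) -> bool:
    """LastUsedSource is '<source type>;<index>;<path>'. Compare the path's last
    directory with the final seven hex digits of the unpacked product code."""
    path = last_used_source.split(";", 2)[2]
    subdir = path.rstrip("\\").rsplit("\\", 1)[-1]
    return unpack_msi_guid(packed)[-8:-1] == subdir.upper()
```

`unpack_msi_guid(PRODUCTS_KEY)` gives `{C845414C-903C-4218-9DE7-132AB97FDF62}`, the value to search for under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` or in `Win32_Product.IdentifyingNumber` on a suspected host.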
Processes:
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) Cakaewowiwa.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob omitted) installer.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob omitted) installer.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob omitted) installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Cakaewowiwa.exe
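Both processes flagged for "Modifies system certificate store" write under `SystemCertificates\AuthRoot\Certificates`. That key is the cache Windows fills through automatic root update when a chain it is validating ends in a Microsoft Trusted Root Program root that is not yet on the machine, so the signature also fires on ordinary signed installers; what matters is which certificate landed there. The key name is the certificate's SHA-1 thumbprint, and the Blob value is CryptoAPI's serialized property list: one record per property, each a DWORD property id, a DWORD that is 1 in every record here, a DWORD length and the data, with the DER certificate stored under CERT_CERT_PROP_ID (0x20). The Python below is an added example, not part of the sandbox report. It parses the installer.exe blob reproduced above, recomputes the hashes from the embedded DER rather than trusting the hash properties the blob carries, and compares them with the key name and with a one-entry allowlist constructed for the example. The 0563B863... thumbprint is DigiCert Assured ID Root CA. A root planted by malware to get its own code signed or its TLS interception trusted would normally be written to the ROOT store (`SystemCertificates\ROOT\Certificates`, machine or per-user) rather than AuthRoot, and would fail the allowlist comparison.

```python
import hashlib
import struct

# CERT_*_PROP_ID values from wincrypt.h for the properties that occur in this blob.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID", 0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID", 0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID", 0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID", 0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
    0x62: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}

# Allowlist constructed for this example (one entry). A real check would compare
# against the current Microsoft Trusted Root Program list, not a hard-coded set.
KNOWN_PUBLIC_ROOTS = {"0563b8630d62d75abbc8ab1e4bdfb5a899b24d43": "DigiCert Assured ID Root CA"}

# Key name and Blob value copied from the installer.exe row of the report above.
KEY_NAME = "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
BLOB_HEX = (
    "04000000010000001000000087ce0b7b2a0e4900e158719b37a89372"                                 # MD5 hash
    "0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6"                         # signature hash
    "530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"                                # root program policies
    "090000000100000034000000303206082b0601050507030206082b0601050507030306082b060105050703"
    "0406082b0601050507030106082b06010505070308"                                                 # enhanced key usage
    "6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c"  # SHA-256 hash
    "14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f"                         # key identifier
    "0b0000000100000012000000440069006700690043006500720074000000"                             # friendly name
    "1d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c"                                 # subject name MD5
    "0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43"                         # SHA-1 hash
    "190000000100000010000000749966cecc95c1874194ca7203f9b620"                                 # public key MD5
    "2000000001000000bb030000"                                                                 # certificate, 955 bytes
    "308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d0101050500"
    "3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b1310"
    "7777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341"
    "301e170d3036313131303030303030305a170d3331313131303030303030305a"
    "3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b1310"
    "7777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c3184"
    "2af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3"
    "a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed3917"
    "9d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f"
    "0203010001"
    "a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"
    "301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f"
    "300d06092a864886f70d01010505000382010100"
    "a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12"
    "d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f0105"
    "9bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3"
    "672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2"
)


def parse_cert_blob(blob: bytes) -> dict:
    """Walk CryptoAPI's serialized property list. Each record is
    <DWORD propid><DWORD flags, 1 here><DWORD cb><cb bytes of data>; a record that
    runs past the end of the value means the blob is truncated or not a cert blob."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError("truncated property header at offset %d" % off)
        propid, _flags, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if off + cb > len(blob):
            raise ValueError("property %#x claims %d bytes past the end of the blob" % (propid, cb))
        props[propid] = blob[off:off + cb]
        off += cb
    return props


def triage_authroot_entry(key_name: str, blob_hex: str) -> dict:
    """Recompute the hashes from the embedded DER and compare them with the key
    name, the hash properties stored alongside it, and the allowlist."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props.get(0x20)
    if der is None:
        raise ValueError("blob has no CERT_CERT_PROP_ID record")
    sha1 = hashlib.sha1(der).hexdigest()
    friendly = props[0x0B].decode("utf-16-le").rstrip("\x00") if 0x0B in props else None
    return {
        "cert_len": len(der),
        "friendly_name": friendly,
        "sha1": sha1,
        "sha1_matches_key_name": sha1 == key_name.lower(),
        "sha1_matches_prop": 0x03 in props and props[0x03].hex() == sha1,
        "sha256_matches_prop": 0x62 in props and props[0x62].hex() == hashlib.sha256(der).hexdigest(),
        "md5_matches_prop": 0x04 in props and props[0x04].hex() == hashlib.md5(der).hexdigest(),
        "ski_present_in_der": 0x14 in props and props[0x14] in der,  # key identifier is the SKI extension value
        "known_root": KNOWN_PUBLIC_ROOTS.get(sha1),
        "properties": [PROP_NAMES.get(p, "unknown(%#x)" % p) for p in props],
    }
```

The same parser works on any `Blob` value exported from `SystemCertificates\ROOT\Certificates` or a user hive, which is where a rogue root would be found; an entry whose recomputed SHA-1 does not match its key name, or whose DER is not in the allowlist, is the one to pull for inspection.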
Runs ping.exe 1 TTPs 3 IoCs
Processes:
pid process
7836 PING.EXE
8016 PING.EXE
5700 PING.EXE
Script User-Agent 15 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc
HTTP User-Agent header (flows 74, 75, 79, 115, 120, 130, 131, 137, 138, 159, 179, 275, 281, 285, 289) Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
3648 WerFault.exe (15 events)
432 WerFault.exe (16 events)
4216 irecord.tmp (2 events)
4304 Qadoshewaeki.exe (31 events)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid process
4524 MicrosoftEdgeCP.exe (2 events)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 836 diragame.exe
Token: SeDebugPrivilege 1416 irecCH4.exe
Token: SeDebugPrivilege 2064 md4_4igk.exe
Token: SeDebugPrivilege 2456 sunlap.exe
Token: SeDebugPrivilege 3648 WerFault.exe
Token: SeDebugPrivilege 432 WerFault.exe
Token: SeDebugPrivilege 1480 Balti.exe
Token: SeDebugPrivilege 4240 Cakaewowiwa.exe
Token: SeDebugPrivilege 4304 Qadoshewaeki.exe
Token: SeDebugPrivilege 4564 MicrosoftEdge.exe (4 events)
Token: SeSecurityPrivilege 4948 msiexec.exe
5112 installer.exe, first pass, 29 tokens in this order: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
5112 installer.exe, second pass, 21 tokens in the same order (the table ends there at its 64th row): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
pid process
4216 irecord.tmp
5112 installer.exe
5192 Setup3310.tmp
4684 cmd.exe
6816 MicrosoftEdgeCP.exe
7120 irecord.tmp
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid process
4564 MicrosoftEdge.exe
4524 MicrosoftEdgeCP.exe (2 events)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 3232 B644F30DACDD7066907FD2807DB5FB0D.exe wrote to memory of 836 diragame.exe (2 writes)
PID 3232 B644F30DACDD7066907FD2807DB5FB0D.exe wrote to memory of 1416 irecCH4.exe (2 writes)
PID 3232 B644F30DACDD7066907FD2807DB5FB0D.exe wrote to memory of 2064 md4_4igk.exe (2 writes)
PID 3232 B644F30DACDD7066907FD2807DB5FB0D.exe wrote to memory of 2456 sunlap.exe (2 writes)
PID 1416 irecCH4.exe wrote to memory of 2356 LzmwAqmV.exe (3 writes)
PID 2356 LzmwAqmV.exe wrote to memory of 184 LzmwAqmV.tmp (3 writes)
PID 184 LzmwAqmV.tmp wrote to memory of 1480 Balti.exe (2 writes)
PID 1480 Balti.exe wrote to memory of 4180 irecord.exe (3 writes)
PID 4180 irecord.exe wrote to memory of 4216 irecord.tmp (3 writes)
PID 1480 Balti.exe wrote to memory of 4240 Cakaewowiwa.exe (2 writes)
PID 1480 Balti.exe wrote to memory of 4304 Qadoshewaeki.exe (2 writes)
PID 4216 irecord.tmp wrote to memory of 4420 i-record.exe (3 writes)
PID 4304 Qadoshewaeki.exe wrote to memory of 4228 MicrosoftEdgeCP.exe (2 writes)
PID 4228 MicrosoftEdgeCP.exe wrote to memory of 3732 001.exe (3 writes)
PID 4304 Qadoshewaeki.exe wrote to memory of 4788 cmd.exe (2 writes)
PID 4304 Qadoshewaeki.exe wrote to memory of 5016 cmd.exe (2 writes)
PID 5016 cmd.exe wrote to memory of 5112 installer.exe (3 writes)
PID 4304 Qadoshewaeki.exe wrote to memory of 2140 cmd.exe (2 writes)
PID 4304 Qadoshewaeki.exe wrote to memory of 4016 cmd.exe (2 writes)
PID 4948 msiexec.exe wrote to memory of 4644 MsiExec.exe (3 writes)
PID 4016 cmd.exe wrote to memory of 5140 Setup3310.exe (3 writes)
PID 5140 Setup3310.exe wrote to memory of 5192 Setup3310.tmp (3 writes)
PID 5112 installer.exe wrote to memory of 5496 msiexec.exe (3 writes)
PID 4304 Qadoshewaeki.exe wrote to memory of 5568 cmd.exe (2 writes)
PID 5568 cmd.exe wrote to memory of 5672 Conhost.exe (3 writes)
PID 4524 MicrosoftEdgeCP.exe wrote to memory of 4352 MicrosoftEdgeCP.exe (2 writes)
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
PID:1060
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1864
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵PID:2372
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2424
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵PID:2700
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2788
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2712
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1452
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1356
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1212
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\B644F30DACDD7066907FD2807DB5FB0D.exe"C:\Users\Admin\AppData\Local\Temp\B644F30DACDD7066907FD2807DB5FB0D.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\diragame.exe"C:\Users\Admin\AppData\Local\Temp\diragame.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:836 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 836 -s 15683⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\irecCH4.exe"C:\Users\Admin\AppData\Local\Temp\irecCH4.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\is-FJ9K7.tmp\LzmwAqmV.tmp"C:\Users\Admin\AppData\Local\Temp\is-FJ9K7.tmp\LzmwAqmV.tmp" /SL5="$701D2,140559,56832,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Users\Admin\AppData\Local\Temp\is-QMM72.tmp\Balti.exe"C:\Users\Admin\AppData\Local\Temp\is-QMM72.tmp\Balti.exe" /S /UID=irecordch45⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Program Files\Reference Assemblies\BZXPWUNVDP\irecord.exe"C:\Program Files\Reference Assemblies\BZXPWUNVDP\irecord.exe" /VERYSILENT6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Users\Admin\AppData\Local\Temp\is-TQDOV.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-TQDOV.tmp\irecord.tmp" /SL5="$30122,6139911,56832,C:\Program Files\Reference Assemblies\BZXPWUNVDP\irecord.exe" /VERYSILENT7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Program Files (x86)\recording\i-record.exe"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4420 -
C:\Users\Admin\AppData\Local\Temp\45-126da-723-2e4ba-879f4fe3ac809\Cakaewowiwa.exe"C:\Users\Admin\AppData\Local\Temp\45-126da-723-2e4ba-879f4fe3ac809\Cakaewowiwa.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\20-28353-8a1-9169c-4e8bb104f406d\Qadoshewaeki.exe"C:\Users\Admin\AppData\Local\Temp\20-28353-8a1-9169c-4e8bb104f406d\Qadoshewaeki.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lghas4t0.0f5\001.exe & exit7⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\lghas4t0.0f5\001.exeC:\Users\Admin\AppData\Local\Temp\lghas4t0.0f5\001.exe8⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ecnl3jgr.avu\GcleanerEU.exe /eufive & exit7⤵PID:4788
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mbq55ldq.mxl\installer.exe /qn CAMPAIGN="654" & exit7⤵
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\mbq55ldq.mxl\installer.exeC:\Users\Admin\AppData\Local\Temp\mbq55ldq.mxl\installer.exe /qn CAMPAIGN="654"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mbq55ldq.mxl\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mbq55ldq.mxl\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621511872 /qn CAMPAIGN=""654"" " CAMPAIGN="654"9⤵PID:5496
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\42hpkrqt.ssr\hbggg.exe & exit7⤵PID:2140
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\34bev34n.cyq\Setup3310.exe /Verysilent /subid=623 & exit7⤵
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\34bev34n.cyq\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\34bev34n.cyq\Setup3310.exe /Verysilent /subid=6238⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5140 -
C:\Users\Admin\AppData\Local\Temp\is-BDNM4.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-BDNM4.tmp\Setup3310.tmp" /SL5="$10380,138429,56832,C:\Users\Admin\AppData\Local\Temp\34bev34n.cyq\Setup3310.exe" /Verysilent /subid=6239⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5192 -
C:\Users\Admin\AppData\Local\Temp\is-6J8D0.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-6J8D0.tmp\Setup.exe" /Verysilent10⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6088 -
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"11⤵
- Executes dropped EXE
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Executes dropped EXE
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Executes dropped EXE
PID:6836 -
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5748 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit12⤵PID:6848
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RunWW.exe /f13⤵
- Kills process with taskkill
PID:6280 -
C:\Windows\SysWOW64\timeout.exetimeout /t 613⤵
- Delays execution with timeout.exe
PID:7288 -
C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"11⤵
- Executes dropped EXE
PID:5856 -
C:\Users\Admin\AppData\Roaming\8979618.exe"C:\Users\Admin\AppData\Roaming\8979618.exe"12⤵
- Executes dropped EXE
PID:5604 -
C:\Users\Admin\AppData\Roaming\2654459.exe"C:\Users\Admin\AppData\Roaming\2654459.exe"12⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6232 -
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"13⤵
- Executes dropped EXE
PID:6608 -
C:\Users\Admin\AppData\Roaming\2488891.exe"C:\Users\Admin\AppData\Roaming\2488891.exe"12⤵
- Executes dropped EXE
PID:6352 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 212413⤵
- Program crash
PID:6880 -
depth 11: C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
  command line: "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
  - Executes dropped EXE
  PID: 5928

depth 12: C:\Users\Admin\AppData\Local\Temp\is-FRL0H.tmp\LabPicV3.tmp
  command line: "C:\Users\Admin\AppData\Local\Temp\is-FRL0H.tmp\LabPicV3.tmp" /SL5="$2047E,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 5504

depth 13: C:\Users\Admin\AppData\Local\Temp\is-9F6V4.tmp\3316505.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\is-9F6V4.tmp\3316505.exe" /S /UID=lab214
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID: 5228

depth 14: C:\Program Files\Microsoft Office 15\BHIONCQILY\prolab.exe
  command line: "C:\Program Files\Microsoft Office 15\BHIONCQILY\prolab.exe" /VERYSILENT
  - Executes dropped EXE
  PID: 6764

depth 15: C:\Users\Admin\AppData\Local\Temp\is-1A1ET.tmp\prolab.tmp
  command line: "C:\Users\Admin\AppData\Local\Temp\is-1A1ET.tmp\prolab.tmp" /SL5="$30444,575243,216576,C:\Program Files\Microsoft Office 15\BHIONCQILY\prolab.exe" /VERYSILENT
  PID: 6816

depth 14: C:\Users\Admin\AppData\Local\Temp\f8-46b87-bd7-736bf-199331dee127a\Kofushuruxa.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f8-46b87-bd7-736bf-199331dee127a\Kofushuruxa.exe"
  - Executes dropped EXE
  - Checks computer location settings
  PID: 6864

depth 14: C:\Users\Admin\AppData\Local\Temp\16-3f5b7-f56-05fb7-6a3b2e17b135b\ZHikybaekilae.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\16-3f5b7-f56-05fb7-6a3b2e17b135b\ZHikybaekilae.exe"
  - Executes dropped EXE
  PID: 6944

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m2tc4rmx.xlo\001.exe & exit
  PID: 6100

depth 16: C:\Users\Admin\AppData\Local\Temp\m2tc4rmx.xlo\001.exe
  command line: C:\Users\Admin\AppData\Local\Temp\m2tc4rmx.xlo\001.exe
  - Executes dropped EXE
  PID: 6512

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\meu0i3dt.k11\GcleanerEU.exe /eufive & exit
  PID: 6172

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wdtma300.vze\installer.exe /qn CAMPAIGN="654" & exit
  PID: 6872

depth 16: C:\Users\Admin\AppData\Local\Temp\wdtma300.vze\installer.exe
  command line: C:\Users\Admin\AppData\Local\Temp\wdtma300.vze\installer.exe /qn CAMPAIGN="654"
  - Executes dropped EXE
  PID: 4892

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x5zp1oeu.qic\hbggg.exe & exit
  PID: 5372

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hapxflkh.kas\Setup3310.exe /Verysilent /subid=623 & exit
  PID: 7392

depth 16: C:\Users\Admin\AppData\Local\Temp\hapxflkh.kas\Setup3310.exe
  command line: C:\Users\Admin\AppData\Local\Temp\hapxflkh.kas\Setup3310.exe /Verysilent /subid=623
  PID: 7544

depth 17: C:\Users\Admin\AppData\Local\Temp\is-ARG49.tmp\Setup3310.tmp
  command line: "C:\Users\Admin\AppData\Local\Temp\is-ARG49.tmp\Setup3310.tmp" /SL5="$405F4,138429,56832,C:\Users\Admin\AppData\Local\Temp\hapxflkh.kas\Setup3310.exe" /Verysilent /subid=623
  PID: 7596

depth 18: C:\Users\Admin\AppData\Local\Temp\is-450IM.tmp\Setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\is-450IM.tmp\Setup.exe" /Verysilent
  PID: 4596

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hllr2mmp.grp\google-game.exe & exit
  PID: 7840

depth 16: C:\Users\Admin\AppData\Local\Temp\hllr2mmp.grp\google-game.exe
  command line: C:\Users\Admin\AppData\Local\Temp\hllr2mmp.grp\google-game.exe
  PID: 7900

depth 17: C:\Windows\SysWOW64\rUNdlL32.eXe
  command line: "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname
  PID: 8008

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g2ml1pzo.msc\setup.exe & exit
  PID: 5364

depth 16: C:\Users\Admin\AppData\Local\Temp\g2ml1pzo.msc\setup.exe
  command line: C:\Users\Admin\AppData\Local\Temp\g2ml1pzo.msc\setup.exe
  PID: 6936

depth 17: C:\Windows\SysWOW64\cmd.exe
  command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\g2ml1pzo.msc\setup.exe"
  PID: 7788

depth 18: C:\Windows\SysWOW64\PING.EXE
  command line: ping 1.1.1.1 -n 1 -w 3000
  - Runs ping.exe
  PID: 7836

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mgb41bk1.l0e\GcleanerWW.exe /mixone & exit
  PID: 7948

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a1fcm0bo.jwe\005.exe & exit
  PID: 7980

depth 16: C:\Users\Admin\AppData\Local\Temp\a1fcm0bo.jwe\005.exe
  command line: C:\Users\Admin\AppData\Local\Temp\a1fcm0bo.jwe\005.exe
  PID: 6904

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\owagr5oa.paw\toolspab1.exe & exit
  PID: 6620

depth 16: C:\Users\Admin\AppData\Local\Temp\owagr5oa.paw\toolspab1.exe
  command line: C:\Users\Admin\AppData\Local\Temp\owagr5oa.paw\toolspab1.exe
  PID: 7428

depth 17: C:\Users\Admin\AppData\Local\Temp\owagr5oa.paw\toolspab1.exe
  command line: C:\Users\Admin\AppData\Local\Temp\owagr5oa.paw\toolspab1.exe
  PID: 5932

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fgh403ph.oue\702564a0.exe & exit
  PID: 5628

depth 16: C:\Users\Admin\AppData\Local\Temp\fgh403ph.oue\702564a0.exe
  command line: C:\Users\Admin\AppData\Local\Temp\fgh403ph.oue\702564a0.exe
  PID: 4224

depth 17: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 480
  - Program crash
  PID: 6976

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b50lo5m3.3ra\installer.exe /qn CAMPAIGN="654" & exit
  PID: 6712

depth 16: C:\Users\Admin\AppData\Local\Temp\b50lo5m3.3ra\installer.exe
  command line: C:\Users\Admin\AppData\Local\Temp\b50lo5m3.3ra\installer.exe /qn CAMPAIGN="654"
  PID: 1256
depth 11: C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
  command line: "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
  PID: 5992

depth 12: C:\Users\Admin\AppData\Local\Temp\is-AOL7A.tmp\lylal220.tmp
  command line: "C:\Users\Admin\AppData\Local\Temp\is-AOL7A.tmp\lylal220.tmp" /SL5="$20476,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 6136

depth 13: C:\Users\Admin\AppData\Local\Temp\is-157L4.tmp\4_177039.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\is-157L4.tmp\4_177039.exe" /S /UID=lylal220
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID: 5288

depth 14: C:\Program Files\Windows Multimedia Platform\XIWTZEIYTX\irecord.exe
  command line: "C:\Program Files\Windows Multimedia Platform\XIWTZEIYTX\irecord.exe" /VERYSILENT
  - Executes dropped EXE
  PID: 7092

depth 15: C:\Users\Admin\AppData\Local\Temp\is-B2020.tmp\irecord.tmp
  command line: "C:\Users\Admin\AppData\Local\Temp\is-B2020.tmp\irecord.tmp" /SL5="$40418,6139911,56832,C:\Program Files\Windows Multimedia Platform\XIWTZEIYTX\irecord.exe" /VERYSILENT
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID: 7120

depth 14: C:\Users\Admin\AppData\Local\Temp\5f-63628-27d-e8693-66b897947d7b4\Tyzhosoluru.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5f-63628-27d-e8693-66b897947d7b4\Tyzhosoluru.exe"
  - Executes dropped EXE
  - Checks computer location settings
  PID: 6260

depth 14: C:\Users\Admin\AppData\Local\Temp\ce-70f67-5f7-47b81-8ac415e36a3ca\Jizhygineli.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ce-70f67-5f7-47b81-8ac415e36a3ca\Jizhygineli.exe"
  - Executes dropped EXE
  PID: 5324

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3oylzxfw.jff\001.exe & exit
  - Executes dropped EXE
  PID: 5992

depth 16: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Executes dropped EXE
  PID: 5672

depth 16: C:\Users\Admin\AppData\Local\Temp\3oylzxfw.jff\001.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3oylzxfw.jff\001.exe
  - Executes dropped EXE
  PID: 7012

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wusbmpls.zkx\GcleanerEU.exe /eufive & exit
  PID: 6824

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f3vnvwze.acj\installer.exe /qn CAMPAIGN="654" & exit
  PID: 4508

depth 16: C:\Users\Admin\AppData\Local\Temp\f3vnvwze.acj\installer.exe
  command line: C:\Users\Admin\AppData\Local\Temp\f3vnvwze.acj\installer.exe /qn CAMPAIGN="654"
  PID: 4540

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ycrrq4co.5gn\hbggg.exe & exit
  - Blocklisted process makes network request
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID: 4684

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w5phbeiq.p4m\Setup3310.exe /Verysilent /subid=623 & exit
  PID: 7568

depth 16: C:\Users\Admin\AppData\Local\Temp\w5phbeiq.p4m\Setup3310.exe
  command line: C:\Users\Admin\AppData\Local\Temp\w5phbeiq.p4m\Setup3310.exe /Verysilent /subid=623
  PID: 7672

depth 17: C:\Users\Admin\AppData\Local\Temp\is-OK1NT.tmp\Setup3310.tmp
  command line: "C:\Users\Admin\AppData\Local\Temp\is-OK1NT.tmp\Setup3310.tmp" /SL5="$20622,138429,56832,C:\Users\Admin\AppData\Local\Temp\w5phbeiq.p4m\Setup3310.exe" /Verysilent /subid=623
  PID: 7696

depth 18: C:\Users\Admin\AppData\Local\Temp\is-JLA6M.tmp\Setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\is-JLA6M.tmp\Setup.exe" /Verysilent
  PID: 7260

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sus0mvy4.sdf\google-game.exe & exit
  PID: 6592

depth 16: C:\Users\Admin\AppData\Local\Temp\sus0mvy4.sdf\google-game.exe
  command line: C:\Users\Admin\AppData\Local\Temp\sus0mvy4.sdf\google-game.exe
  PID: 6976

depth 17: C:\Windows\SysWOW64\rUNdlL32.eXe
  command line: "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname
  PID: 6416

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yu3ns3ts.psl\setup.exe & exit
  PID: 6292

depth 16: C:\Users\Admin\AppData\Local\Temp\yu3ns3ts.psl\setup.exe
  command line: C:\Users\Admin\AppData\Local\Temp\yu3ns3ts.psl\setup.exe
  PID: 6220

depth 17: C:\Windows\SysWOW64\cmd.exe
  command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\yu3ns3ts.psl\setup.exe"
  PID: 7844

depth 18: C:\Windows\SysWOW64\PING.EXE
  command line: ping 1.1.1.1 -n 1 -w 3000
  - Runs ping.exe
  PID: 8016

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3nik5nu3.1iz\GcleanerWW.exe /mixone & exit
  PID: 7580

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ipocku3v.dsq\005.exe & exit
  PID: 7740

depth 16: C:\Users\Admin\AppData\Local\Temp\ipocku3v.dsq\005.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ipocku3v.dsq\005.exe
  PID: 8032

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pgy0dkb5.fcu\toolspab1.exe & exit
  PID: 6148

depth 16: C:\Users\Admin\AppData\Local\Temp\pgy0dkb5.fcu\toolspab1.exe
  command line: C:\Users\Admin\AppData\Local\Temp\pgy0dkb5.fcu\toolspab1.exe
  PID: 5064

depth 17: C:\Users\Admin\AppData\Local\Temp\pgy0dkb5.fcu\toolspab1.exe
  command line: C:\Users\Admin\AppData\Local\Temp\pgy0dkb5.fcu\toolspab1.exe
  PID: 5488

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uqrhdsre.32j\702564a0.exe & exit
  PID: 5724

depth 16: C:\Users\Admin\AppData\Local\Temp\uqrhdsre.32j\702564a0.exe
  command line: C:\Users\Admin\AppData\Local\Temp\uqrhdsre.32j\702564a0.exe
  PID: 6716

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0qd3k0b.tsx\installer.exe /qn CAMPAIGN="654" & exit
  PID: 6900

depth 16: C:\Users\Admin\AppData\Local\Temp\c0qd3k0b.tsx\installer.exe
  command line: C:\Users\Admin\AppData\Local\Temp\c0qd3k0b.tsx\installer.exe /qn CAMPAIGN="654"
  PID: 7808
depth 11: C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe
  command line: "C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
  - Executes dropped EXE
  PID: 3408

depth 12: C:\Users\Admin\AppData\Local\Temp\is-8DHMO.tmp\Versium.tmp
  command line: "C:\Users\Admin\AppData\Local\Temp\is-8DHMO.tmp\Versium.tmp" /SL5="$2042A,138429,56832,C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
  PID: 4684

depth 13: C:\Users\Admin\AppData\Local\Temp\is-VHNSO.tmp\Setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\is-VHNSO.tmp\Setup.exe" /Verysilent
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 6552

depth 14: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  PID: 6724

depth 11: C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
  command line: "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
  - Executes dropped EXE
  PID: 5708
depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\theahpo4.nz2\google-game.exe & exit
  - Suspicious use of WriteProcessMemory
  PID: 5568

depth 8: C:\Users\Admin\AppData\Local\Temp\theahpo4.nz2\google-game.exe
  command line: C:\Users\Admin\AppData\Local\Temp\theahpo4.nz2\google-game.exe
  PID: 5672

depth 9: C:\Windows\SysWOW64\rUNdlL32.eXe
  command line: "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname
  - Loads dropped DLL
  - Modifies registry class
  PID: 5920

depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tkfhyutb.xnw\setup.exe & exit
  PID: 5824

depth 8: C:\Users\Admin\AppData\Local\Temp\tkfhyutb.xnw\setup.exe
  command line: C:\Users\Admin\AppData\Local\Temp\tkfhyutb.xnw\setup.exe
  - Executes dropped EXE
  PID: 6064

depth 9: C:\Windows\SysWOW64\cmd.exe
  command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\tkfhyutb.xnw\setup.exe"
  - Executes dropped EXE
  PID: 6048

depth 10: C:\Windows\SysWOW64\PING.EXE
  command line: ping 1.1.1.1 -n 1 -w 3000
  - Runs ping.exe
  PID: 5700

depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e4xu2sek.vim\GcleanerWW.exe /mixone & exit
  PID: 4484

depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ejrpfelu.gqv\005.exe & exit
  PID: 5208

depth 8: C:\Users\Admin\AppData\Local\Temp\ejrpfelu.gqv\005.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ejrpfelu.gqv\005.exe
  PID: 6048

depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5u2hknfy.njr\toolspab1.exe & exit
  PID: 8052

depth 8: C:\Users\Admin\AppData\Local\Temp\5u2hknfy.njr\toolspab1.exe
  command line: C:\Users\Admin\AppData\Local\Temp\5u2hknfy.njr\toolspab1.exe
  PID: 7916

depth 9: C:\Users\Admin\AppData\Local\Temp\5u2hknfy.njr\toolspab1.exe
  command line: C:\Users\Admin\AppData\Local\Temp\5u2hknfy.njr\toolspab1.exe
  PID: 5344

depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yfinpdlc.u3r\702564a0.exe & exit
  PID: 5144

depth 8: C:\Users\Admin\AppData\Local\Temp\yfinpdlc.u3r\702564a0.exe
  command line: C:\Users\Admin\AppData\Local\Temp\yfinpdlc.u3r\702564a0.exe
  PID: 6616

depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p5ocrlwi.j3w\installer.exe /qn CAMPAIGN="654" & exit
  PID: 7724

depth 8: C:\Users\Admin\AppData\Local\Temp\p5ocrlwi.j3w\installer.exe
  command line: C:\Users\Admin\AppData\Local\Temp\p5ocrlwi.j3w\installer.exe /qn CAMPAIGN="654"
  PID: 2732
depth 2: C:\Users\Admin\AppData\Local\Temp\md4_4igk.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\md4_4igk.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2064

depth 3: C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -u -p 2064 -s 1312
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 432

depth 2: C:\Users\Admin\AppData\Local\Temp\sunlap.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\sunlap.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2456
depth 1: c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
  PID: 364

depth 1: \??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  - Suspicious use of SetThreadContext
  PID: 3216

depth 2: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID: 6032

depth 1: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 4564

depth 1: C:\Windows\system32\browser_broker.exe
  command line: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
  PID: 4772

depth 1: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4524
depth 1: C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4948

depth 2: C:\Windows\syswow64\MsiExec.exe
  command line: C:\Windows\syswow64\MsiExec.exe -Embedding 259D51DE82EC958FA4E89134C202698E C
  - Loads dropped DLL
  PID: 4644

depth 2: C:\Windows\syswow64\MsiExec.exe
  command line: C:\Windows\syswow64\MsiExec.exe -Embedding E70300F78832A05B5783E8965261B540
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID: 5784

depth 3: C:\Windows\SysWOW64\taskkill.exe
  command line: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
  - Kills process with taskkill
  PID: 6020

depth 2: C:\Windows\syswow64\MsiExec.exe
  command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6D6740DA7A2A5D0A4121AF1ECB7300CF E Global\MSI0000
  - Loads dropped DLL
  PID: 6484
depth 1: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID: 4352

depth 1: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  PID: 5008

depth 1: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID: 6816

depth 1: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4228

depth 1: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  PID: 7352

depth 1: C:\Users\Admin\AppData\Local\Temp\9FDB.exe
  command line: C:\Users\Admin\AppData\Local\Temp\9FDB.exe
  PID: 7424

depth 1: C:\Users\Admin\AppData\Local\Temp\A9AF.exe
  command line: C:\Users\Admin\AppData\Local\Temp\A9AF.exe
  PID: 6004

depth 1: C:\Users\Admin\AppData\Local\Temp\C249.exe
  command line: C:\Users\Admin\AppData\Local\Temp\C249.exe
  PID: 3828

depth 2: C:\Users\Admin\AppData\Local\Temp\C249.exe
  command line: C:\Users\Admin\AppData\Local\Temp\C249.exe
  PID: 7588

depth 3: C:\Windows\SysWOW64\icacls.exe
  command line: icacls "C:\Users\Admin\AppData\Local\bc5db6bb-9086-4fd4-94fd-0b6850a89c52" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  - Modifies file permissions
  PID: 7756

depth 1: C:\Users\Admin\AppData\Local\Temp\D46B.exe
  command line: C:\Users\Admin\AppData\Local\Temp\D46B.exe
  PID: 7872

depth 2: C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qfgxula\
  PID: 5560

depth 2: C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tkgnedhl.exe" C:\Windows\SysWOW64\qfgxula\
  PID: 7140

depth 2: C:\Windows\SysWOW64\sc.exe
  command line: "C:\Windows\System32\sc.exe" create qfgxula binPath= "C:\Windows\SysWOW64\qfgxula\tkgnedhl.exe /d\"C:\Users\Admin\AppData\Local\Temp\D46B.exe\"" type= own start= auto DisplayName= "wifi support"
  PID: 7448

depth 2: C:\Windows\SysWOW64\sc.exe
  command line: "C:\Windows\System32\sc.exe" description qfgxula "wifi internet conection"
  PID: 5056

depth 2: C:\Windows\SysWOW64\sc.exe
  command line: "C:\Windows\System32\sc.exe" start qfgxula
  PID: 6220

depth 2: C:\Windows\SysWOW64\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  PID: 6384

depth 1: C:\Users\Admin\AppData\Local\Temp\DA57.exe
  command line: C:\Users\Admin\AppData\Local\Temp\DA57.exe
  PID: 7528

depth 1: C:\Users\Admin\AppData\Local\Temp\E0D1.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E0D1.exe
  PID: 188

depth 1: C:\Users\Admin\AppData\Local\Temp\EB41.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EB41.exe
  PID: 7188

depth 1: C:\Users\Admin\AppData\Local\Temp\F6EB.exe
  command line: C:\Users\Admin\AppData\Local\Temp\F6EB.exe
  PID: 220

depth 1: C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 7792

depth 1: C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 3424

depth 1: C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 1424

depth 1: C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 5332

depth 1: C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 2240

depth 1: C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 6272

depth 1: C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 6188

depth 1: C:\Windows\SysWOW64\qfgxula\tkgnedhl.exe
  command line: C:\Windows\SysWOW64\qfgxula\tkgnedhl.exe /d"C:\Users\Admin\AppData\Local\Temp\D46B.exe"
  PID: 7532

depth 1: C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 1268

depth 1: C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 6724
Network
MITRE ATT&CK Enterprise v6
Persistence
- Modify Existing Service: 1
- New Service: 1
- Registry Run Keys / Startup Folder: 1
Defense Evasion
- File and Directory Permissions Modification: 1
- Install Root Certificate: 1
- Modify Registry: 3
- Web Service: 1
Downloads
-
MD5
5f60669a79e4c4285325284ab662a0c0
SHA15b83f8f2799394df3751799605e9292b21b78504
SHA2563f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0
SHA5126ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f
-
MD5
65f639a2eda8db2a1ea40b5ddb5a2ed4
SHA13f32853740928c5e88b15fdc86c95a2ebd8aeb37
SHA256e4e41c0c1c85e2aeaff1bea914880d2cb01b153a1a9ceddccaf05f8b5362210d
SHA512980b6a5511716073d5eeb8b5437c6f23bda300402c64d05d2a54da614e3ef1412743ec5bb4100e54699d7a74f8c437560cb9faa67824cbbabdf1f9399945e21b
-
MD5
11340a55f155a904596bf3a13788a93a
SHA192a2f79717f71696ebde3c400aa52804eda5984e
SHA256b26b2df18537b3df6706aa9e743d1a1e511a6fd21f7f7815f15ef96bb09a85e9
SHA5122dc2bb8b0b4a38ddee62d85fdf7c551b0b77f5b9c7791cf82a00eea847f86006df5139874381dd6db739bb77ec008be9f32185ec71ca8be603f7fe515662c78b
-
MD5
78128217a6151041fc8f7f29960bdd2a
SHA1a6fe2fa059334871181f60b626352e8325cbdda8
SHA256678ca4d9f4d4ad1703006026afe3df5490664c05bb958b991c028ce9314757f7
SHA5125f534a8b186797046526cfb29f95e89e90c555cf54cc8e99a801dfe9327433c9c0fd2cb63a335ade606075c9fab5173c1ad805242ceb04bc1fd78f37da166d84
-
MD5
40c46046d54ca5ab730488654e1947e7
SHA1a68b88d09ff5a61f21ebd8080d26370e0678c5ec
SHA256eeee76ff88c5a78b359c8d9af9c4d00937b60f711b6a223d07417be67124f8ff
SHA5124863303480b13f146c73da8fe56c4abebcf55055ec56cd46dd541273b5fbd59300a14999dd12e106f3e0591d3a4c1e8d845fa642d6e41ffef2ecf07597d05b19
-
MD5
40c46046d54ca5ab730488654e1947e7
SHA1a68b88d09ff5a61f21ebd8080d26370e0678c5ec
SHA256eeee76ff88c5a78b359c8d9af9c4d00937b60f711b6a223d07417be67124f8ff
SHA5124863303480b13f146c73da8fe56c4abebcf55055ec56cd46dd541273b5fbd59300a14999dd12e106f3e0591d3a4c1e8d845fa642d6e41ffef2ecf07597d05b19
-
MD5
871947926c323ad2f2148248d9a46837
SHA10a70fe7442e14ecfadd2932c2fb46b8ddc04ba7a
SHA256f3d7125a0e0f61c215f80b1d25e66c83cd20ed3166790348a53e0b7faf52550e
SHA51258d9687495c839914d3aa6ae16677f43a0fa9a415dbd8336b0fcacd0c741724867b27d62a640c09828b902c69ac8f5d71c64cdadf87199e7637681a5b87da3b7
-
MD5
564dca64680d608517721cdbe324b1d6
SHA1f2683fa13772fc85c3ea4cffa3d896373a603ad3
SHA256f9550ace57ce5b19add143e507179dc601a832b054963d1c3b5c003f1a8149cc
SHA5121d80e9de29320201c988e8b11036c423d83620e99bcadec5142eb14b6513e49d9b41904e92154139e327cd5cc6f058b4bb467ee4fbb342794296e0dfe774dc75
-
MD5
6580a339df599fa8e009cccd08443c45
SHA1d20527ca7b9ef9833dabe500980528c204e24838
SHA2566fadd81f3cbc295ee85e553a900159840805c45ceb73a841ed03c1404a61827d
SHA512a8bce887d14a0978dbb2059705e128f864db1e117a4a4cec584a2aa3eafbe715e39bbfe91dc19bdebfac750944940b9308d9416054452333ad08d1aadb669960
-
MD5
6580a339df599fa8e009cccd08443c45
SHA1d20527ca7b9ef9833dabe500980528c204e24838
SHA2566fadd81f3cbc295ee85e553a900159840805c45ceb73a841ed03c1404a61827d
SHA512a8bce887d14a0978dbb2059705e128f864db1e117a4a4cec584a2aa3eafbe715e39bbfe91dc19bdebfac750944940b9308d9416054452333ad08d1aadb669960
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD58fc9c79b809b6adca5efb796b5bcc1ed
SHA19504b295e8e777245eed9dd3f5fb39b6019b9082
SHA2561349faca35a7ecc2db5524b4c0452d53756d0a28024b85420b68f7a11c2a7245
SHA512985f418b46ff9b7dd9d38658a7b80b8e79aac1f2cc8c98a026b38aa1001fab50a8c9836ce05fa819f4cc67823b803cefc5bd7cf635debe45b440398cb212e4b1
-
MD5
97384261b8bbf966df16e5ad509922db
SHA12fc42d37fee2c81d767e09fb298b70c748940f86
SHA2569c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21
-
MD5
ae4a8c201b070ee94488bb8862ed4ec5
SHA1ce45eac5d66c15885e1bccf846b09ea71a79cbc0
SHA2568d5acffbaadbb5698a52baa31f2b4a073a3178366bc96b9b625142ef0201fd94
SHA51295bc24dd22dd788c3ae0e1b4989cbc57560b051db193fb88daf554400098de2d588b5e113dff8ccdd0427ea1305cb082d62276f88bd41ab01416f6b0bf7d406d
-
MD5
ae4a8c201b070ee94488bb8862ed4ec5
SHA1ce45eac5d66c15885e1bccf846b09ea71a79cbc0
SHA2568d5acffbaadbb5698a52baa31f2b4a073a3178366bc96b9b625142ef0201fd94
SHA51295bc24dd22dd788c3ae0e1b4989cbc57560b051db193fb88daf554400098de2d588b5e113dff8ccdd0427ea1305cb082d62276f88bd41ab01416f6b0bf7d406d
-
MD5
98d2687aec923f98c37f7cda8de0eb19
SHA1f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA2568a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA51295c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590
-
MD5
7268e57a354c49482b14d239632cfd73
SHA18d42017b64c9d4060c56f5916bd70c6f42515d13
SHA256a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
SHA512e0cab9d4b5b39a5202790dd5ca634e9e15dae583fa7071186f787183e9bcf01c5264265660572d9de226108a308136e8a9d8340569826abc4d9fe1644223c297
-
MD5
7268e57a354c49482b14d239632cfd73
SHA18d42017b64c9d4060c56f5916bd70c6f42515d13
SHA256a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
SHA512e0cab9d4b5b39a5202790dd5ca634e9e15dae583fa7071186f787183e9bcf01c5264265660572d9de226108a308136e8a9d8340569826abc4d9fe1644223c297
-
MD5
1ee5c04dd606b79decb8add6c7d616f1
SHA1d7389e311d68b18a0baa95e0be02e1f7c9a78d01
SHA256916e8f63b5dd9cc477af1eb24f892d8ecdc5b2a28493e58dec4a837c25034fa2
SHA512eb38457f9958c766060358fb1944a6afb96f84f329758df5d8a55a7ecb8a3545f7c82e5264ef374bd48c1f686528d3a05ccf28f2fc0bfc6525c573c566fb27e0
-
MD5
cf23a2e9f68d53f1da259c1797e56841
SHA11a069c8bb82e0e83c682c8850c97587906a5f6a6
SHA256e1c2113df7a950d15d5dbb99df8570393965c0a03b570986ad289d876b80c4dc
SHA51228446ec0b2a7649c0ade7a1653c6d86c8f3b90f4ee153fa1e9cf898cca7463f615b50f9e992738c9a8d6646b60f74f914ff146c8b536cd63cba40709e81ce0dc
-
MD5
cf23a2e9f68d53f1da259c1797e56841
SHA11a069c8bb82e0e83c682c8850c97587906a5f6a6
SHA256e1c2113df7a950d15d5dbb99df8570393965c0a03b570986ad289d876b80c4dc
SHA51228446ec0b2a7649c0ade7a1653c6d86c8f3b90f4ee153fa1e9cf898cca7463f615b50f9e992738c9a8d6646b60f74f914ff146c8b536cd63cba40709e81ce0dc
-
MD5
98d2687aec923f98c37f7cda8de0eb19
SHA1f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA2568a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA51295c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590
-
MD5
f5b16ec10d44128c12fe05300fc61d82
SHA101bd6eb2d38665507466134b58de8c520b6964f0
SHA2565c4368c9897a67b2627e6952b0f07f1a1ddb17b6a01005a2d856e68da208c245
SHA512561bb14e543d2231c915f92311eeef56c78d7fdb5c2bfb60e7192f84be5a6b38ebbb5bfd21992f050e6049f5b5b55400ebe871ef0158f2ff0daf55df085ba73c
-
MD5
f5b16ec10d44128c12fe05300fc61d82
SHA101bd6eb2d38665507466134b58de8c520b6964f0
SHA2565c4368c9897a67b2627e6952b0f07f1a1ddb17b6a01005a2d856e68da208c245
SHA512561bb14e543d2231c915f92311eeef56c78d7fdb5c2bfb60e7192f84be5a6b38ebbb5bfd21992f050e6049f5b5b55400ebe871ef0158f2ff0daf55df085ba73c
-
MD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
MD5
43d68e8389e7df33189d1c1a05a19ac8
SHA1caf9cc610985e5cfdbae0c057233a6194ecbfed4
SHA25685dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae
SHA51258a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e
-
MD5
f744aab9bd220ca53beb9117883caf95
SHA19313d8fff5694a04ca7c6e24c0e01ecb9da085ff
SHA256d671e82ac6f29d378060a3ab0955b8aa7888c9ba8b9dc8ba5891f374a9728e68
SHA512846d41cbeb3508aafaf3bf0a167e895d4e7d1e6c9a20ce1ed74b0c349e6a9a24174da23ad73f145699b4e48d823ea533f8d5d545ba8b5c0b30f12a40341a1134
-
MD5
f744aab9bd220ca53beb9117883caf95
SHA19313d8fff5694a04ca7c6e24c0e01ecb9da085ff
SHA256d671e82ac6f29d378060a3ab0955b8aa7888c9ba8b9dc8ba5891f374a9728e68
SHA512846d41cbeb3508aafaf3bf0a167e895d4e7d1e6c9a20ce1ed74b0c349e6a9a24174da23ad73f145699b4e48d823ea533f8d5d545ba8b5c0b30f12a40341a1134
-
MD5
4f4adcbf8c6f66dcfc8a3282ac2bf10a
SHA1c35a9fc52bb556c79f8fa540df587a2bf465b940
SHA2566b3c238ebcf1f3c07cf0e556faa82c6b8fe96840ff4b6b7e9962a2d855843a0b
SHA5120d15d65c1a988dfc8cc58f515a9bb56cbaf1ff5cb0a5554700bc9af20a26c0470a83c8eb46e16175154a6bcaad7e280bbfd837a768f9f094da770b7bd3849f88
-
MD5
19ecac97212f4bcf9d9b15435505425f
SHA1c145be8ebc1f9256ffc4d9b05271a5e008f24d4e
SHA256b0a8a09a83bb94149d5a69f1e6a08c0edf95eabf5836fd9df2f998ad482eed69
SHA512f06d6e66e075c01d11489e0fc8e2ab06982e758a153b71a659515aa263e657cbd7cd43ea2a19ea33c3e7ee6004d812f2fdbedbb5c9697211d5ce06041ecd706c
-
MD5
19ecac97212f4bcf9d9b15435505425f
SHA1c145be8ebc1f9256ffc4d9b05271a5e008f24d4e
SHA256b0a8a09a83bb94149d5a69f1e6a08c0edf95eabf5836fd9df2f998ad482eed69
SHA512f06d6e66e075c01d11489e0fc8e2ab06982e758a153b71a659515aa263e657cbd7cd43ea2a19ea33c3e7ee6004d812f2fdbedbb5c9697211d5ce06041ecd706c
-
MD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
MD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
MD5
69f5aec2d9b893263cf530be32792a9c
SHA1828cf801a053cb8648f52c0a6024916dae0495ac
SHA256822a19b0e6cc24a9db6749af9c834fe632060321fa0285b81f8a134d801b17ed
SHA512f93b500f4c67cd2c62d24ad9fe1b194bf7c8e2f8886f23d389cf49385eaa4c232218c3a1baa6de2b17c244ed7eb663236739315de636f56d850d8512a83fe2ea
-
MD5
69f5aec2d9b893263cf530be32792a9c
SHA1828cf801a053cb8648f52c0a6024916dae0495ac
SHA256822a19b0e6cc24a9db6749af9c834fe632060321fa0285b81f8a134d801b17ed
SHA512f93b500f4c67cd2c62d24ad9fe1b194bf7c8e2f8886f23d389cf49385eaa4c232218c3a1baa6de2b17c244ed7eb663236739315de636f56d850d8512a83fe2ea
-
MD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
MD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
MD5
fa8dd39e54418c81ef4c7f624012557c
SHA1c3cb938cc4086c36920a4cb3aea860aed3f7e9da
SHA2560b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7
SHA51266d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601
-
MD5
fa8dd39e54418c81ef4c7f624012557c
SHA1c3cb938cc4086c36920a4cb3aea860aed3f7e9da
SHA2560b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7
SHA51266d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601
-
MD5
c313ddb7df24003d25bf62c5a218b215
SHA1
20a3404b7e17b530885fa0be130e784f827986ee
SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1
SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff
-
MD5
c313ddb7df24003d25bf62c5a218b215
SHA1
20a3404b7e17b530885fa0be130e784f827986ee
SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1
SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff
-
MD5
8162ff7f546c670bbff5f7ff1034fd4d
SHA1
45e918a0b8cef98e619834eedb8a76fbb0c4b7aa
SHA256
6152f613e8c65631e6aa637d82582e02e32b782a5214c9ced999befad843a7f0
SHA512
b2a7c96ac122c9b5c2c6979f74822e1c98d9bf1651da349707fe828a0792c43a4a4f6d8b0e69da0d1afde4030c3a2a51c59e9718f3794f32e2cc5e34c402199b
-
MD5
8162ff7f546c670bbff5f7ff1034fd4d
SHA1
45e918a0b8cef98e619834eedb8a76fbb0c4b7aa
SHA256
6152f613e8c65631e6aa637d82582e02e32b782a5214c9ced999befad843a7f0
SHA512
b2a7c96ac122c9b5c2c6979f74822e1c98d9bf1651da349707fe828a0792c43a4a4f6d8b0e69da0d1afde4030c3a2a51c59e9718f3794f32e2cc5e34c402199b
-
MD5
90a61fa7e5717351e665b69492d10462
SHA1
a3c8cc478ca9089ea942ea68460c5ae340578063
SHA256
76415e823dd4a23d3abd07269af9e70e37b46b5caeb1fe2be28d7a183e5d75fb
SHA512
40292e6dc79c0692846f0193d8cdcdeecb17e7eba7739ea1dd3247e51af9202135bf13263c3f1205db48e137324620a6ce2e9ce8b3e0bac3de337e843948248d
-
MD5
90a61fa7e5717351e665b69492d10462
SHA1
a3c8cc478ca9089ea942ea68460c5ae340578063
SHA256
76415e823dd4a23d3abd07269af9e70e37b46b5caeb1fe2be28d7a183e5d75fb
SHA512
40292e6dc79c0692846f0193d8cdcdeecb17e7eba7739ea1dd3247e51af9202135bf13263c3f1205db48e137324620a6ce2e9ce8b3e0bac3de337e843948248d
-
MD5
de3714db2f4212819f5f820985e35a62
SHA1
6195b0d6617abf55c8e4bb2e9dc9a43b3282b3b6
SHA256
29466dc20b2da2ea9f975250f5790b35b4210ad139affe43210207fa51092232
SHA512
8a90265f579b9f1a8f4fb926f2939dfbf60ca785c35e89f0663c4b7f8dc8309990faed98716c8915d36131a8879219afa7437c719f5ee7230f9f293a3202e2ca
-
MD5
de3714db2f4212819f5f820985e35a62
SHA1
6195b0d6617abf55c8e4bb2e9dc9a43b3282b3b6
SHA256
29466dc20b2da2ea9f975250f5790b35b4210ad139affe43210207fa51092232
SHA512
8a90265f579b9f1a8f4fb926f2939dfbf60ca785c35e89f0663c4b7f8dc8309990faed98716c8915d36131a8879219afa7437c719f5ee7230f9f293a3202e2ca
-
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
MD5
98e537669f4ce0062f230a14bcfcaf35
SHA1
a19344f6a5e59c71f51e86119f5fa52030a92810
SHA256
6f515aac05311f411968ee6e48d287a1eb452e404ffeff75ee0530dcf3243735
SHA512
1ebc254289610be65882a6ceb1beebbf2be83006117f0a6ccbddd19ab7dc807978232a13ad5fa39b6f06f694d4f7c75760b773d70b87c0badef1da89bb7af3ac
-
MD5
5f60669a79e4c4285325284ab662a0c0
SHA1
5b83f8f2799394df3751799605e9292b21b78504
SHA256
3f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0
SHA512
6ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f
-
MD5
5f60669a79e4c4285325284ab662a0c0
SHA1
5b83f8f2799394df3751799605e9292b21b78504
SHA256
3f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0
SHA512
6ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f
-
MD5
5f60669a79e4c4285325284ab662a0c0
SHA1
5b83f8f2799394df3751799605e9292b21b78504
SHA256
3f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0
SHA512
6ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f
-
MD5
65f639a2eda8db2a1ea40b5ddb5a2ed4
SHA1
3f32853740928c5e88b15fdc86c95a2ebd8aeb37
SHA256
e4e41c0c1c85e2aeaff1bea914880d2cb01b153a1a9ceddccaf05f8b5362210d
SHA512
980b6a5511716073d5eeb8b5437c6f23bda300402c64d05d2a54da614e3ef1412743ec5bb4100e54699d7a74f8c437560cb9faa67824cbbabdf1f9399945e21b
-
MD5
65f639a2eda8db2a1ea40b5ddb5a2ed4
SHA1
3f32853740928c5e88b15fdc86c95a2ebd8aeb37
SHA256
e4e41c0c1c85e2aeaff1bea914880d2cb01b153a1a9ceddccaf05f8b5362210d
SHA512
980b6a5511716073d5eeb8b5437c6f23bda300402c64d05d2a54da614e3ef1412743ec5bb4100e54699d7a74f8c437560cb9faa67824cbbabdf1f9399945e21b
-
MD5
11340a55f155a904596bf3a13788a93a
SHA1
92a2f79717f71696ebde3c400aa52804eda5984e
SHA256
b26b2df18537b3df6706aa9e743d1a1e511a6fd21f7f7815f15ef96bb09a85e9
SHA512
2dc2bb8b0b4a38ddee62d85fdf7c551b0b77f5b9c7791cf82a00eea847f86006df5139874381dd6db739bb77ec008be9f32185ec71ca8be603f7fe515662c78b
-
MD5
78128217a6151041fc8f7f29960bdd2a
SHA1
a6fe2fa059334871181f60b626352e8325cbdda8
SHA256
678ca4d9f4d4ad1703006026afe3df5490664c05bb958b991c028ce9314757f7
SHA512
5f534a8b186797046526cfb29f95e89e90c555cf54cc8e99a801dfe9327433c9c0fd2cb63a335ade606075c9fab5173c1ad805242ceb04bc1fd78f37da166d84
-
MD5
564dca64680d608517721cdbe324b1d6
SHA1
f2683fa13772fc85c3ea4cffa3d896373a603ad3
SHA256
f9550ace57ce5b19add143e507179dc601a832b054963d1c3b5c003f1a8149cc
SHA512
1d80e9de29320201c988e8b11036c423d83620e99bcadec5142eb14b6513e49d9b41904e92154139e327cd5cc6f058b4bb467ee4fbb342794296e0dfe774dc75
-
MD5
564dca64680d608517721cdbe324b1d6
SHA1
f2683fa13772fc85c3ea4cffa3d896373a603ad3
SHA256
f9550ace57ce5b19add143e507179dc601a832b054963d1c3b5c003f1a8149cc
SHA512
1d80e9de29320201c988e8b11036c423d83620e99bcadec5142eb14b6513e49d9b41904e92154139e327cd5cc6f058b4bb467ee4fbb342794296e0dfe774dc75
-
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
MD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
MD5
43d68e8389e7df33189d1c1a05a19ac8
SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4
SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae
SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e
-
MD5
d82a429efd885ca0f324dd92afb6b7b8
SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
MD5
d82a429efd885ca0f324dd92afb6b7b8
SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
MD5
8f995688085bced38ba7795f60a5e1d3
SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc
SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6
SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc
SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4
-
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc
SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6
SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc
SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4